ARTICLE 5 - CREDIT FREEZE REPORTS

(i) "Breach of the security of the data system" means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal identifying information maintained by a person or business and causes or is reasonably believed to cause loss or injury to a resident of this state. Good faith acquisition of personal identifying information by an employee or agent of a person or business for the purposes of the person or business is not a breach of the security of the data system, provided that the personal identifying information is not used or subject to further unauthorized disclosure;

(ii) "Consumer" means any person who is utilizing or seeking credit for personal, family or household purposes;

(iii) "Consumer reporting agency" means any person whose business is the assembling and evaluating of information as to the credit standing and credit worthiness of a consumer, for the purposes of furnishing credit reports, for monetary fees and dues to third parties;

(iv) "Credit report" means any written or oral report, recommendation or representation of a consumer reporting agency as to the credit worthiness, credit standing or credit capacity of any consumer and includes any information which is sought or given for the purpose of serving as the basis for determining eligibility for credit to be used primarily for personal, family or household purposes;

(v) "Creditor" means the lender of money or vendor of goods, services or property, including a lessor under a lease intended as a security, rights or privileges, for which payment is arranged through a credit transaction, or any successor to the right, title or interest of any such lender or vendor, and an affiliate, associate or subsidiary of any of them or any director, officer or employee of any of them or any other person in any way associated with any of them;

(vi) "Financial institution" means any person licensed or chartered under the laws of any state or the United States as a bank holding company, bank, savings and loan association, credit union, trust company or subsidiary thereof doing business in this state;

(vii) "Personal identifying information" means the first name or first initial and last name of a person in combination with one (1) or more of the data elements specified in W.S. 6-3-901(b)(iii) through (xiv), when the data elements are not redacted.

(A) Repealed by Laws 2015, ch. 63, § 2.

(B) Repealed by Laws 2015, ch. 63, § 2.

(D) Repealed by Laws 2015, ch. 63, § 2.

(E) Repealed by Laws 2015, ch. 63, § 2.

(viii) "Redact" means alteration or truncation of data such that no more than five (5) digits of the data elements provided in subparagraphs (vii)(A) through (D) of this subsection are accessible as part of the personal information;

(ix) "Security freeze" means a notice placed in a consumer's credit report, at the request of the consumer, that prohibits the credit rating agency from releasing the consumer's credit report or any information from it relating to an extension of credit or the opening of a new account, without the express authorization of the consumer;

(x) "Substitute notice" means:

(A) An electronic mail notice when the person or business has an electronic mail address for the subject persons;

(B) Conspicuous posting of the notice on the website page of the person or business if the person or business maintains one; and

(xi) "This act" means W.S. 40-12-501 through 40-12-511.

(b) "Personal identifying information" as defined in paragraph (a)(vii) of this section does not include information, regardless of its source, contained in any federal, state or local government records or in widely distributed media that are lawfully made available to the general public.

(a) An individual or commercial entity that conducts business in Wyoming and that owns or licenses computerized data that includes personal identifying information about a resident of Wyoming shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal identifying information has been or will be misused. If the investigation determines that the misuse of personal identifying information about a Wyoming resident has occurred or is reasonably likely to occur, the individual or the commercial entity shall give notice as soon as possible to the affected Wyoming resident. Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

(b) The notification required by this section may be delayed if a law enforcement agency determines in writing that the notification may seriously impede a criminal investigation.

(c) Any financial institution as defined in 15 U.S.C. 6809 or federal credit union as defined by 12 U.S.C. 1752 that maintains notification procedures subject to the requirements of 15 U.S.C. 6801(b)(3) and 12 C.F.R. Part 364 Appendix B or Part 748 Appendix B, is deemed to be in compliance with this section if the financial institution notifies affected Wyoming customers in compliance with the requirements of 15 U.S.C. 6801 through 6809 and 12 C.F.R. Part 364 Appendix B or Part 748 Appendix B.

(d) For purposes of this section, notice to consumers may be provided by one (1) of the following methods:

(ii) Electronic mail notice;

(iii) Substitute notice, if the person demonstrates:

(A) That the cost of providing notice would exceed ten thousand dollars ($10,000.00) for Wyoming-based persons or businesses, and two hundred fifty thousand dollars ($250,000.00) for all other businesses operating but not based in Wyoming;

(B) That the affected class of subject persons to be notified exceeds ten thousand (10,000) for Wyoming-based persons or businesses and five hundred thousand (500,000) for all other businesses operating but not based in Wyoming; or

(iv) Substitute notice shall consist of all of the following:

(A) Conspicuous posting of the notice on the Internet, the World Wide Web or a similar proprietary or common carrier electronic system site of the person collecting the data, if the person maintains a public Internet, the World Wide Web or a similar proprietary or common carrier electronic system site; and

(B) Notification to major statewide media. The notice to media shall include a toll-free phone number where an individual can learn whether or not that individual's personal data is included in the security breach.

(e) Notice required under subsection (a) of this section shall be clear and conspicuous and shall include, at a minimum:

(i) A toll-free number:

(A) That the individual may use to contact the person collecting the data, or his agent; and

(B) From which the individual may learn the toll-free contact telephone numbers and addresses for the major credit reporting agencies.

(ii) The types of personal identifying information that were or are reasonably believed to have been the subject of the breach;

(iii) A general description of the breach incident;

(iv) The approximate date of the breach of security, if that information is reasonably possible to determine at the time notice is provided;

(v) In general terms, the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches;

(vi) Advice that directs the person to remain vigilant by reviewing account statements and monitoring credit reports;

(vii) Whether notification was delayed as a result of a law enforcement investigation, if that information is reasonably possible to determine at the time the notice is provided.

(f) The attorney general may bring an action in law or equity to address any violation of this section and for other relief that may be appropriate to ensure proper compliance with this section, to recover damages, or both. The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.

(g) Any person who maintains computerized data that includes personal identifying information on behalf of another business entity shall disclose to the business entity for which the information is maintained any breach of the security of the system as soon as practicable following the determination that personal identifying information was, or is reasonably believed to have been, acquired by an unauthorized person. The person who maintains the data on behalf of another business entity and the business entity on whose behalf the data is maintained may agree which person or entity will provide any required notice as provided in subsection (a) of this section, provided only a single notice for each breach of the security of the system shall be required. If agreement regarding notification cannot be reached, the person who has the direct business relationship with the resident of this state shall provide notice subject to the provisions of subsection (a) of this section.

(h) A covered entity or business associate that is subject to and complies with the Health Insurance Portability and Accountability Act, and the regulations promulgated under that act, 45 C.F.R. Parts 160 and 164, is deemed to be in compliance with this section if the covered entity or business associate notifies affected Wyoming customers or entities in compliance with the requirements of the Health Insurance Portability and Accountability Act and 45 C.F.R. Parts 160 and 164.

(a) Except as provided in W.S. 40-12-505, a consumer may place a security freeze on the consumer's credit report by:

(i) Making a request to a consumer reporting agency in writing by certified mail; and

(ii) Providing proper identification.

(b) If a security freeze is in place, a consumer reporting agency may not release a consumer's credit report or information derived from the credit report to a third party that intends to use the information to determine a consumer's eligibility for credit or the opening of a new account without prior authorization from the consumer.

(c) Notwithstanding subsection (b) of this section, a consumer reporting agency may communicate to a third party requesting a consumer's credit report that a security freeze is in effect on the consumer's credit report. If a third party requesting a consumer's credit report in connection with the consumer's application for credit is notified of the existence of a security freeze under this subsection, the third party may treat the consumer's application as incomplete.

(d) Upon receiving a request from a consumer under subsection (a) of this section, the consumer reporting agency shall:

(i) Place a security freeze on the consumer's credit report within five (5) business days after receiving the consumer's request;

(ii) Send a written confirmation of the security freeze to the consumer within ten (10) business days after placing the security freeze; and

(iii) Provide the consumer with a unique personal identification number or password to be used by the consumer when providing authorizations for removal or temporary lift of the security freeze.

(e) A consumer reporting agency shall require proper identification of the consumer requesting to place, remove, or temporarily lift a security freeze.

(f) A consumer reporting agency shall develop a contact method to receive and process a consumer's request to place, remove or temporarily lift a security freeze. The contact method shall include:

(i) A postal address;

(ii) An electronic contact method chosen by the consumer reporting agency, which may include the use of fax, Internet or other electronic means; and

(iii) The use of telephone in a manner that is consistent with any federal requirements placed on the consumer reporting agency.

(g) A security freeze placed under this section may be removed or temporarily lifted only in accordance with W.S. 40-12-504.

(a) A consumer reporting agency may remove a security freeze from a consumer's credit report only if:

(i) The consumer makes a material misrepresentation of fact in connection with the placement of the security freeze and the consumer reporting agency notifies the consumer in writing before removing the security freeze; or

(ii) The consumer reporting agency receives the consumer's request through a contact method established and required in accordance with W.S. 40-12-503(f) and the consumer reporting agency receives the consumer's proper identification and other information sufficient to identify the consumer including the consumer's personal identification number or password.

(b) A consumer reporting agency shall temporarily lift a security freeze upon receipt of:

(i) The consumer's request through the contact method established by the consumer reporting agency;

(ii) The consumer's proper identification and other information sufficient to identify the consumer including the consumer's personal identification number or password;

(iii) A specific designation of the period of time for which the security freeze is to be lifted; and

(iv) The consumer reporting agency receives the payment of any fee required under W.S. 40-12-506.

(i) Three (3) business days after the business day on which the consumer's request to temporarily lift the security freeze is received by the consumer reporting agency through the contact method developed by the consumer reporting agency as required under W.S. 40-15-503(f); or

(ii) On or after September 1, 2008, within fifteen (15) minutes after the consumer's request is received by the consumer reporting agency through the electronic contact method developed by the consumer reporting agency as required under W.S. 40-12-503(f) or the use of telephone, during normal business hours and includes the consumer's proper identification and correct personal identification number or password.

(d) A consumer reporting agency shall permanently remove a security freeze from a consumer's credit report within three (3) business days after the business day on which the consumer's request is received by the consumer reporting agency through the contact method developed by the agency to receive such requests as required under W.S. 40-12-503(f).

(e) A consumer reporting agency need not temporarily lift a security freeze within the time provided in subsection (c) of this section if:

(i) The consumer fails to meet the requirements of subsection (b) of this section; or

(ii) The consumer reporting agency's ability to temporarily lift the security freeze within fifteen (15) minutes is prevented by:

(A) An act of God, including fire, earthquakes, hurricanes, storms or similar natural disaster or phenomena;

(B) Unauthorized or illegal acts by a third party, including terrorism, sabotage, riot, vandalism, labor strikes or disputes disrupting operations or similar occurrence;

(C) Operational interruption, including electrical failure, unanticipated delay in equipment or replacement part delivery, computer hardware or software failures inhibiting response time or similar disruption;

(D) Governmental action, including emergency orders or regulations, judicial or law enforcement action or similar directives;

(E) Regularly scheduled maintenance, during other than normal business hours, of, or updates to, the consumer reporting agency's systems;

(F) Commercially reasonable maintenance of, or repair to, the consumer reporting agency's systems that is unexpected or unscheduled; or

(G) Receipt of a removal request outside of normal business hours.

(a) Notwithstanding W.S. 40-12-503, a consumer reporting agency may furnish a consumer's credit report to a third party if:

(i) The purpose of the credit report is to:

(A) Use the credit report for purposes permitted under 15 U.S.C. § 1681b(c);

(B) Review the consumer's account with the third party, including for account maintenance or monitoring, credit line increases or other upgrades or enhancements;

(D) Collect on a financial obligation owed by the consumer to another person; or

(E) The third party requesting the credit report is a subsidiary, affiliate, agent, assignee or prospective assignee of the person holding the consumer's account or to whom the consumer owes a financial obligation.

(b) The consumer's request for a security freeze does not prohibit the consumer reporting agency from disclosing the consumer's credit report for other than credit related purposes consistent with the definition of credit report in W.S. 40-12-501(a).

(c) The following types of credit report disclosures by consumer reporting agencies to third parties are not prohibited by a security freeze:

(i) The third party does not use the credit report for the purpose of serving as a factor in establishing a consumer's eligibility for credit;

(ii) The release is pursuant to a court order, warrant or subpoena requiring release of the credit report by the consumer reporting agency;

(iii) The third party is a child support agency, or its agent or assignee, acting under Part D, Title IV of the Social Security Act or a similar state law;

(iv) The third party is the federal department of health and human services or a similar state agency, or its agent or assignee, investigating Medicare or Medicaid fraud;

(v) The purpose of the credit report is to investigate or collect delinquent taxes, assessments or unpaid court orders and the third party is:

(A) The federal internal revenue service;

(B) A state taxing authority;

(D) A county, municipality, or other entity with taxing authority;

(E) A federal, state or local law enforcement agency; or

(F) The agent or assignee of any entity listed in this paragraph.

(vi) The third party is administering a credit file monitoring subscription to which the consumer has subscribed; or

(vii) The third party requests the credit report for the sole purpose of providing the consumer with a copy of the consumer's credit report or credit score upon the consumer's request.

(d) The security freeze provisions of W.S. 40-12-503 do not apply to:

(i) A consumer reporting agency, the sole purpose of which is to resell credit information by assembling and merging information contained in the database of another consumer reporting agency and that does not maintain a permanent database of credit information from which a consumer's credit report is produced;

(ii) A deposit account information service company that issues reports concerning account closures based on fraud, substantial overdrafts, automated teller machine abuse or similar information concerning a consumer to a requesting financial institution for the purpose of evaluating a consumer's request to create a deposit account;

(iii) A check services or fraud prevention services company that issues:

(A) Reports on incidents of fraud; or

(B) Authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers or similar methods of payment.

(iv) A consumer reporting agency, with respect to its database of files that consist entirely of public records and is used solely for one (1) or more of the following:

(A) Criminal record information;

(B) Tenant screening;

(D) Fraud prevention or detection.

(v) A database or file which consists solely of information adverse to the interests of the consumer including, but not limited to, criminal record information which is used for fraud prevention or detection, tenant screening, employment screening or any purpose permitted by the Fair Credit Reporting Act, 15 U.S.C. 1681b;

(vi) A person to the extent the person offers fraud prevention services which provide reports on incidents of fraud or reports used primarily in the detection or prevention of fraud; or

(vii) Setting or adjusting of a rate, adjusting a claim or underwriting for insurance purposes.

(e) Nothing in this article prohibits a person from obtaining, aggregating or using information lawfully obtained from public records in a manner that does not otherwise violate this article.

(a) Except as provided in subsection (b) of this section, a consumer reporting agency may charge a reasonable fee not to exceed ten dollars ($10.00) to a consumer for each placing, temporary lifting or removing of a security freeze.

(b) A consumer reporting agency may not charge a fee for placing, temporarily lifting or removing a security freeze if:

(i) The consumer is a victim of identity theft as defined by W.S. 6-3-901; and

(ii) The consumer provides the consumer reporting agency with a valid copy of a police report or police case number documenting the identity fraud.

(a) If a credit report is subject to a security freeze, a consumer reporting agency shall notify the consumer who is the subject of the credit report within thirty (30) days if the consumer reporting agency changes their information concerning the consumer's:

(iii) Social security number; or

(b) Notwithstanding subsection (a) of this section, a consumer reporting agency may make technical modifications to information in a credit report that is subject to a security freeze without providing notification to the consumer. Technical modifications under this subsection include:

(i) The addition or subtraction of abbreviations to names and addresses; and

(ii) Transpositions or corrections of incorrect numbering or spelling.

(c) When providing notice of a change of address under subsection (a) of this section, the consumer reporting agency shall provide notice to the consumer at both the new address and the former address.

(a) If a consumer reporting agency intentionally or negligently violates a valid security freeze by releasing credit information that has been placed under a security freeze, the affected consumer is entitled to:

(i) Notification within five (5) business days following the agency's discovery, or notification from another source, of the release of the information. The notification under this paragraph shall include specificity as to the information released and the third party recipient of the information;

(ii) Notification that the consumer may file a complaint with the federal trade commission and the state attorney general.

(b) If a consumer reporting agency intentionally or negligently violates a valid security freeze by releasing credit information that has been placed under a security freeze and fails to take steps to correct the release and fails to give the notification required under subsection (a) of this section, the affected consumer is entitled to, in a civil action against the consumer reporting agency, recover:

(i) Injunctive relief to prevent or restrain further violation of the security freeze;

(ii) A civil penalty in an amount not to exceed one thousand dollars ($1,000.00) plus any damages available under other civil laws; and

(iii) Reasonable expenses, court costs, investigative costs and attorney's fees.

(c) Each violation of the security freeze shall be counted as a separate incident for purposes of imposing penalties under this section.

(a) A person who reasonably believes that he or she is the victim of identity theft as defined by W.S. 6-3-901 may petition a court, or the court, on its own motion or upon application of the prosecuting attorney, may move for an expedited judicial determination of his or her factual innocence, where the perpetrator of the identity theft was arrested for, cited for or convicted of a crime under the victim's identity, or where a criminal complaint has been filed against the perpetrator in the victim's name, or where the victim's identity has been mistakenly associated with a record of criminal conviction. Any judicial determination of factual innocence made pursuant to this section may be heard and determined upon declarations, affidavits, police reports or other material, relevant and reliable information submitted by the parties or ordered to be part of the record by the court. Where the court determines that the petition or motion is meritorious and that there is no reasonable cause to believe that the victim committed the offense for which the perpetrator of the identity theft was arrested, cited, convicted or subject to a criminal complaint in the victim's name, or that the victim's identity has been mistakenly associated with a record of criminal conviction, the court shall find the victim factually innocent of that offense. If the victim is found factually innocent, the court shall issue an order certifying this determination.

(b) After a court has issued a determination of factual innocence pursuant to subsection (a) of this section, the court may order the name and associated personal identifying information contained in court records, files and indexes accessible by the public deleted, sealed or labeled to show that the data is impersonated and does not reflect the defendant's identity.

(c) Upon making a determination of factual innocence, the court shall provide the consumer written documentation of the order.

(d) A court that has issued a determination of factual innocence pursuant to this section may at any time vacate that determination if the petition, or any information submitted in support of the petition, is found to contain any material misrepresentation or fraud.

(e) The supreme court shall develop a form for use in issuing an order pursuant to this section.

(f) The attorney general shall establish and maintain a data base of individuals who have been victims of identity theft and that have received determinations of factual innocence. The attorney general shall provide a victim of identity theft or his authorized representative access to the database in order to establish that the individual has been a victim of identity theft. Access to the database shall be limited to criminal justice agencies, victims of identity theft and individuals and agencies authorized by the victims.

(g) The attorney general shall establish and maintain a toll free number to provide access to information under subsection (f) of this section.

(h) In order for a victim of identity theft to be included in the database established pursuant to subsection (f) of this section, he shall submit to the attorney general a court order obtained pursuant to this section, a full set of fingerprints and any other information prescribed by the attorney general.