Sommers Legislative Report
by Representative Albert Sommers, HD#20
September 26, 2014
On September 18th I attended the Task Force on Digital Information Privacy, which is charged with the issues surrounding digital security and privacy. The state of Wyoming currently has few laws in place dealing with digital security, because the field has expanded so quickly. At this our last meeting of the year, we reviewed and passed draft legislation, and these bills will be forwarded to the Joint Corporations Committee for consideration as committee bills. The Task Force does not have the authority to forward bills to next winter’s General Session, but a standing committee or an individual legislator can bring these bills to the session.
The Task Force recommended six bills for the Corporations Committee to consider. The first bill dealt with employee online privacy. Apparently in some states, employees and prospective employees have been required by some employers to provide access to their private online accounts as a condition of employment, which is a clear violation of an individual’s privacy. This bill ensures that employers cannot access private accounts, unless there is an investigation occurring and certain sideboards are followed. I supported a motion providing this access only through a court order, but the motion failed. The bill also limits how employers can access employer-provided devices that the employee controls. We attempted to find a balance between the needs of employers and the privacy rights of the employee.
The next bill dealt with access to decedents’ electronic communications. When someone dies, who can access the deceased individual’s online accounts, and eventually retrieve information on those accounts and shut those accounts down? This bill gives authority to a court-ordered personal representative to access the deceased’s online communications, if a will or trust does not speak to this issue.
Our third bill dealt with defining "personal identifying information" (PII). There are two Wyoming statutes where this is pertinent, and currently the definition is not consistent between the two. The first is when an individual uses someone else’s "personal identifying information" illegally, such as identity theft. The second is when an individual or business inadvertently releases or loses to theft other individuals’ "personal identifying information," and this is referred to as a data security breach. A common example is when new credit cards must be issued after a series of numbers have been stolen from the credit card company. We want to make the definition very inclusive as it pertains to people who would use this information illegally, but we have to be careful as it relates to "mom and pop" operations that may inadvertently release PII. Wyoming’s definition needed updating to include new data which could be used to steal someone’s identity, like biometric data (finger prints and retina scans). This bill had a second part, which included an update in Wyoming’s data security breach laws, and we carved this off into a separate bill.
Wyoming’s data security breach laws needed updating, but I thought we went too far. This bill is modeled after a new California law, which in my opinion is untested. I am concerned about the unintended consequences of these proposed changes on small businesses in Wyoming. We want to hold people responsible, but we must be careful not to overreact. The section I worry about requires an individual or commercial entity that is the source of a breach of security to provide appropriate identity theft prevention and mitigation services to any Wyoming resident whose information was or may have been breached. This is vague and too broad in scope. This bill passed our Task Force, without my vote, but hopefully other committees will scrutinize this language prior the session.
We also passed a bill requiring state protection of citizen privacy. This bill requires the Department of Enterprise Technology Services (ETS), which oversees state agency computer services, to ensure that state agencies adhere to privacy standards.
Finally, my favorite piece of legislation would put forward to the citizens of Wyoming a constitutional amendment dealing with privacy. Based upon a Montana constitutional amendment which states; "The right of individual privacy is essential to the well-being of a free society and shall not be infringed without the showing of a compelling state interest." When I presented this in an earlier article, an individual expressed concern about the term "compelling state interest," suggesting that there was no compelling state interest which should usurp our privacy. What I found out was "compelling state interest" is a legal term that helps define "strict scrutiny", which is the most stringent standard of judicial review used by United States courts. Adding this term to the constitutional amendment, according to the constitutional law scholar who testified at our meeting, actually elevates the right of privacy to other constitutionally protected rights.
The web page http://legisweb.state.wy.us/interimCommittee/2014/SDIAGD0918.pdf provides the agenda and draft legislation we worked on, but does not show the significant changes we made to some of these bills. However, it will give you a taste of what we worked on. Feel free to contact me at email@example.com