§ 9-21-101. Data policies.

(a) Every agency shall adopt, enforce and maintain a policy regarding the collection, access, security and use of data. The policy shall, at a minimum, comply with applicable federal and state law, adhere to standards set by the state chief information officer and include the following:

(i) An inventory and description of all data required of, collected or stored by an agency;

(ii) Authorization and authentication mechanisms for accessing the data;

(iii) Administrative, physical and logical security safeguards, including employee training and data encryption;

(iv) Privacy and security compliance standards;

(v) Processes for identification of and response to data security incidents, including breach notification and mitigation procedures;

(vi) In accordance with existing law, processes for the destruction and communication of data.

(b) As used in this section, “agency” means any office, department, board, commission, council, institution, separate operating agency or any other operating unit of the executive branch of state government. “Agency” shall not include the state legislature, judiciary, University of Wyoming or any community college in the state.

(c) The governor, after consultation with the chief information officer, may set a date for specific agencies to comply with subsection (a) of this section and may revise that date as necessary.