Wisconsin Breach Notification Law Highlights
- Enacted in 2006, Wisconsin’s data breach notification law requires entities that maintain or license personal information in Wisconsin to make reasonable efforts to notify affected individuals of the unauthorized acquisition of their unencrypted and unredacted personal information if there is a material risk of identity theft or fraud to the affected individual.
- Notice must be made within a reasonable time, not to exceed 45 days after discovery of the breach.
- If more than 1,000 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
- Breached third parties must notify relevant data owners or licensees as soon as practicable.
- Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
- HIPAA-covered entities and those that are compliant with Title V of the GLBA are deemed to comply with this law.
Section 134.98 of the Wisconsin Statutes requires most businesses to notify individuals if an unauthorized person has acquired their personal information. The business must be operating in Wisconsin and maintaining personal information about individuals who reside in Wisconsin. This law also applies to Wisconsin state government agencies, cities, towns, villages, and counties.
What personal information is covered?
The law defines personal information to mean an individual’s last name and first name or first initial in combination with and linked to any of the following elements, if the element is not publicly available information, and is not encrypted, redacted or altered in a manner that renders the element unreadable:
- Social security number
- Driver’s license number or state identification number.
- Financial account number including a credit or debit card account number or any security code, access code or password that would permit access to the individual’s financial account.
- DNA profile.
- Any unique biometric data including fingerprint, voiceprint, retina or iris image, or any other unique physical representation.
Who is required to give notice?
Among those required to give notice are:
- Businesses that conduct business in the state and maintain personal information in the ordinary course of business.
- Businesses that license personal information in the state.
- Businesses that maintain a depository account for Wisconsin residents.
- Businesses that lend money to Wisconsin residents.
- The state and any office, department, independent agency, authority, institution, association, society or other body in state government created or authorized by Wisconsin law including the courts and the legislature.
- A city, village, town or county.
Certain financial institutions that are subject to and in compliance with the privacy and security requirements of federal law, as well as businesses that have contractual arrangements with such institutions and have a policy in effect regarding security breaches, are exempt from Wisconsin’s law. Similarly, certain health plans and health care providers are not covered by Wisconsin’s law.
When is notice NOT required?
Generally, the law requires the business or governmental entity to notify an individual whenever personal information held by the business or governmental entity is acquired by an unauthorized person. However, no notice is required if the unauthorized acquisition does not create a material risk of identity theft or fraud, or if the information was acquired in good faith by an employee or agent and is used for a lawful purpose of the entity.
What notice is required?
In general, any entity that is required to give notice of the unauthorized acquisition of personal information must provide notice of that fact to persons whose information was acquired. The notice must be given within a reasonable time, not to exceed 45 days after the entity learns of the unauthorized acquisition. The notice must be given by mail or by a method that the entity has previously used to communicate with the subject of the information. For example, if a business has communicated with a customer by email, notice may be given by email. Upon written request of the person whose information was acquired, the entity must also identify the nature of the personal information acquired.
If an entity cannot determine the mailing address of the person whose information was acquired, and if the entity has not previously communicated with that person, the entity must give notice in a manner that is reasonably calculated to provide notice. Such methods might include notice in the newspaper or on television or radio.
In cases where the personal information of more than 1,000 individuals is acquired at one time, the entity from which the information was acquired must also give notice to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. This would include the major credit reporting agencies.
A law enforcement agency may request that an entity not provide notice in order to protect an investigation or homeland security. In such cases, the entity may not provide notice until permitted by the law enforcement agency.
For more information or to file a complaint, contact:
Wisconsin Department of Agriculture, Trade and Consumer Protection Bureau of Consumer Protection
2811 Agriculture Drive, PO Box 8911
Madison, WI 53708-8911
Email: DATCPHotline@wi.gov
Website: datcp.wi.gov
(800) 422-7128 TTY: (608) 224-5058
IDTheftDataBreach607 (rev 12/19)
Wisconsin Breach Notification Law Details
S.B. 164 (signed into law March 16, 2006, Act 138)
Effective March 31, 2006
Application. Any Entity that maintains or licenses PI in WI or that knows that PI pertaining to a resident of WI has been acquired by a person whom the Entity has not authorized to acquire the PI. Entity includes: the state of WI and any office, department, independent agency, authority, institution, association, society, or other body in state government created or authorized to be created by the constitution or any law, including the legislature and the courts; a city, village, town, or county; a person, other than an individual, that does any of the following:
- Conducts business in WI and maintains PI in the ordinary course of business;
- Licenses PI in WI;
- Maintains for a resident of WI a depository account; or
- Lends money to a resident of WI.
Security Breach Definition. When an Entity whose principal place of business is located in WI or an Entity that maintains or licenses PI in WI knows that PI in the Entity’s possession has been acquired by a person whom the Entity has not authorized to acquire the PI, or, in the case of an Entity whose principal place of business is not located in WI, when it knows that PI pertaining to a resident of WI has been acquired by a person whom the Entity has not authorized to acquire the PI.
Notification Obligation. Any Entity to which the statute applies shall make reasonable efforts to notify each subject of the PI.
- An Entity is not required to provide notice of the acquisition of PI if the acquisition of PI does not create a material risk of identity theft or fraud to the subject of the PI or if the PI was acquired in good faith by an employee or agent of the Entity, if the PI is used for a lawful purpose of the Entity.
Notification to Consumer Reporting Agencies. If, as the result of a single incident, an Entity is required to notify 1,000 or more individuals that PI pertaining to the individuals has been acquired, the Entity shall without unreasonable delay notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, of the timing, distribution, and content of the notices sent to the individuals.
Third-Party Data Notification. If a person, other than an individual, that stores PI pertaining to a resident of WI, but does not own or license the PI, knows that the PI has been acquired by a person whom the person storing the PI has not authorized to acquire the PI, and the person storing the PI has not entered into a contract with the person that owns or licenses the PI, the person storing the PI shall notify the person that owns or licenses the PI of the acquisition as soon as practicable.
Timing of Notification. An Entity shall provide the notice within a reasonable time, not to exceed 45 days after the Entity learns of the acquisition of PI. A determination as to reasonableness shall include consideration of the number of notices that an Entity must provide and the methods of communication available to the Entity.
Personal Information Definition. An individual’s last name and the individual’s first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:
- Social Security Number;
- Driver license number or state identification number;
- Account number or credit card number or debit card number or any security code, access code, or password that would permit access to the individual’s financial account;
- DNA profile; or
- Unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
An element is publicly available if the Entity reasonably believes that it was lawfully made widely available through any media or lawfully made available to the general public from federal, state, or local government records or disclosures to the general public that are required to be made by federal, state, or local law.
Notice Required. The notice shall indicate that the Entity knows of the unauthorized acquisition of PI pertaining to the resident of WI who is the subject of the PI. Notice may be provided by one of the following methods:
- Mail; or
- A method the Entity has previously employed to communicate with the subject of the PI.
Substitute Notice Available. If an Entity cannot with reasonable diligence determine the mailing address of the subject of the PI, and if the Entity has not previously communicated with the subject of the PI, the Entity shall provide notice by a method reasonably calculated to provide actual notice to the subject of the PI.
Exception: Compliance with Other Laws.
- Gramm-Leach-Bliley Act. An Entity that is subject to, and in compliance with, the privacy and security requirements of Title V of the Gramm-Leach-Bliley Act, or a person that has a contractual obligation to such an Entity, if the Entity or person has in effect a policy concerning breaches of information security shall be deemed to be in compliance.
- HIPAA-Covered Entities. A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form, if the Entity complies with the requirements of 45 C.F.R. pt. 164 shall be deemed to be in compliance.
Other Key Provisions:
- Delay for Law Enforcement. A law enforcement agency may, in order to protect an investigation or homeland security, ask an Entity not to provide a required notice for any period of time. If an Entity receives such a request, the Entity may not provide notice of or publicize an unauthorized acquisition of PI, except as authorized by the law enforcement agency that made the request.