Wisconsin Notice of Unauthorized Acquisition of Personal Information (Data Breach)
WI Stat § 134.98
SUMMARY:
EFFECTIVE. March 31, 2006
WHO DOES THIS LAW APPLY TO. Any business or government agency that is located or conducts business in the State and licenses or maintains Personal Information in the normal course of business and becomes aware of an unauthorized acquisition of such Personal Information.
WHAT IS A BREACH. The unauthorized acquisition of Personal Information which causes a material risk of identity theft or fraud to an individual.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not publicly available and not encrypted, redacted, or secured by any other method rendering the element unreadable:
- Social Security Number.
- Driver’s license number or State identification card number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Deoxyribonucleic acid (“DNA”) profile, biometric data (including fingerprint, voice print, retina, or iris image), or any other unique physical representation.
- Unique biometric data that includes fingerprint, voice print, retina or iris image, or any other unique physical representation.
Personal Information does not include public information that is lawfully available from Federal, State or local government records, or widely distributed media.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the individuals affected. The notice shall state that the individual’s Personal Information has been acquired by an unauthorized person. Upon written request by an individual that has received notice of a security breach, the entity that provided notice shall identify the type of Personal Information that was acquired.
If more than 1,000 individuals are involved in a breach, the business or government agency shall also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. §1618a(p)), of the timing, distribution, and content of the notices.
EXCEPTION. This Section does not apply to the following:
- No notification is required if the business or government agency determines that a security breach does not create a material risk of identity theft or fraud to the affected individual(s).
- Gramm-Leach-Bliley Act exception. An Entity that is subject to, and in compliance with, the privacy and security requirements of Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., or a person that has a contractual obligation to such a person or government entity, if the person or government entity has in effect a policy concerning breaches of information security, shall be deemed to be in compliance.
- HIPAA-Covered Entity exception. A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form, if the Entity complies with the requirements of 45 C.F.R. 164(a), shall be deemed to be in compliance.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person or business knows an incident of unauthorized acquisition has occurred. The disclosure shall be made within a reasonable time not to exceed 45 days. Notification must be delayed if law enforcement determines that it will impede a criminal investigation and requests the delay. In that instance, the required notification process shall begin following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice shall be given by mail or by a method the business or government entity has previously used to communicate with the affected individual. If a current mailing address cannot be located with reasonable diligence, and no prior communication with the affected individual has occurred, the business or government agency shall provide notice by a method reasonably calculated to provide actual notice to the affected individual(s).
NOTICE TO THIRD-PARTIES. If a person, other than an individual, that stores Personal Information pertaining to a resident of Wisconsin, but does not own or license the Personal Information, knows that the Personal Information has been acquired by a person whom the person storing the Personal Information has not authorized to acquire the Personal Information, and the person storing the Personal Information has not entered into a contract with the person that owns or licenses the Personal Information, the person storing the Personal Information shall notify the person that owns or licenses the Personal Information of the acquisition as soon as practicable.
CONSEQUENCES FOR FAILING TO NOTIFY. Not stated.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. Wisc. Stat. § 134.97. Disposal of records containing personal information. A financial institution, medical business or tax preparation business may not dispose of a record containing personal information unless the financial institution, medical business, tax preparation business or other person under contract with the financial institution, medical business or tax preparation business does any of the following: (a) Shreds the record before the disposal of the record; (b) Erases the personal information contained in the record before the disposal of the record; (c) Modifies the record to make the personal information unreadable before the disposal of the record; and (d) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the record for the period between the record's disposal and the record's destruction.
LEGISLATIVE UPDATES.
S.B. 164 – Signed into law on 3/16/2006, Effective 3/31/2006.
For more information, see https://docs.legis.wisconsin.gov/statutes/statutes/134/98 and https://datcp.wi.gov/pages/programs_services/databreaches.aspx
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.