| Wis. Stat. § 134.98 |
|---|
| Type of Data Covered | Deadline for Notification | Government Notice |
|---|---|---|
| Electronic or paper. |
Within a reasonable time, but no more than 45 days. |
No. Subject licensees must notify Insurance Commissioner. |
|
Subject Entities |
Applies to individuals, businesses, governmental entities, and other entities that own, license, or maintain personal information. Certain entities may be exempted from particular or all provisions of the law. |
|
Definition of Personal Information |
Last name and first name or first initial, in combination with any of the following elements, if it is not encrypted, redacted, or altered in a manner that renders the element unreadable:
|
|
Definition of Breach |
Personal information acquired by an unauthorized person, excluding certain good faith acquisitions. |
|
Type of Data Covered |
Electronic or paper. |
|
Encryption Safe Harbor |
Statute does not apply to information that is encrypted, redacted, or altered in a manner that renders it unreadable. |
|
Risk of Harm Analysis |
Notice is not required if the acquisition of personal information does not create a material risk of identity theft or fraud to the consumer. |
|
Consumer Notice Requirements |
Timing: Must be made within a reasonable time, but no more than 45 days after the entity learns of the acquisition of personal information. Content: The notice must indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the individual. Upon written request, the entity must identify the personal information that was acquired. Method: By mail or by a method that the entity has previously employed to communication with the consumer. |
|
Substitute Notice Requirements |
Substitute notice may be provided if the entity cannot provide notice by other means, and if the entity has not previously communicated with the subject of the personal information. Must be by a method reasonably calculated to provide actual notice to the consumer. |
|
Delayed Notice Requirements |
Notification may be reasonably delayed if required by a law enforcement agency to protect an investigation or homeland security. |
|
Third Party Notice Requirements |
If personal information is maintained on behalf of another entity, the owner must be notified of a breach incident as soon as practicable. |
|
Consumer Reporting Agency Obligations |
If more than 1,000 residents are notified, the entity must notify consumer reporting agencies that compile and maintain files on a nationwide basis. |
|
Potential Penalties |
Failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty. Violations may result in civil penalties or other remedies. |
|
Notice Requirements for Government Agencies |
Please see the statute for specific requirements and/or penalties for applicable government agencies. |
|
Additional Provisions |
Certain provisions of the statute does not apply to entities subject to and in compliance with GLBA or HIPAA. Wisconsin’s Insurance Data Security Law requires licensees to notify the commissioner no later than three business days from the determination of a cybersecurity incident subject to provisions in 2021 Wis. SB 160 § 601.954. |
Last updated: January 2024
