Wis. Stat. § 601.95 |
| Type of Data Covered | Deadline for Government Notification | Government Notice Requirement |
| --- | --- | --- |
| Electronic | As promptly as possible, but no later than three (3) business days after determining that a cybersecurity event occurred | Yes; notify the Insurance Commissioner |
Licensees |
Applies to a “licensee”, defined as a person licensed, authorized to operate, or registered, or a person required to be licensed, authorized, or registered under Wisconsin insurance laws.
Risk retention groups chartered and licensed in another state and insurers acting as an assuming insurer domiciled in another state are exempt from the definition of licensee. |
Security Standard under the Insurance Data Security Law |
Licensees must conduct a risk assessment and based on the risk assessment, develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards to protect the licensee’s information systems and nonpublic information.
The comprehensive written information security program must be designed to do all of the following:
Exemption: Licensees who meet any of the following criteria are not required to develop, implement, or maintain a comprehensive written information security program:
Type of Data Covered |
Electronic. |
Definitions |
“Consumer” means an individual who is a resident of Wisconsin and whose nonpublic information is in the possession, custody, or control of a licensee.
“Cybersecurity event” means an event resulting in the unauthorized access to, or disruption or misuse of, an information system or the nonpublic information stored on an information system, except that a “cybersecurity event” does not include any of the following:
“Nonpublic information” means electronic information in the possession, custody, or control of a licensee that is not publicly available information and is any of the following:
Methods of Compliance |
Risk Assessment
As part of the risk assessment, a licensee must:
Written Information Security Program
Based on the risk assessment, a licensee must:
Adjustments to Written Information Security Program
Incident Response Plan
Licensees must establish, as part of their written information security program, a written incident response plan designed to promptly respond to, and recover from, a cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in the licensee’s possession, the licensee’s information systems, or the continuing functionality of any aspect of the licensee’s business or operations.
The Incident Response Plan must include all of the following:
Oversight of Third-Party Service Providers
Licensees must exercise due diligence in selecting a third-party service provider and make reasonable efforts to require third-party service providers to:
Oversight by a Board of Directors
If a licensee has a board of directors, the board or an appropriate committee of the board must, at a minimum, do all of the following:
Certification of Compliance:
Duty to Investigate Cybersecurity Events |
If a licensee learns that a cybersecurity event involving the licensee's information systems or nonpublic information has or may have occurred, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, must conduct a prompt investigation that includes the following:
If a licensee knows that a cybersecurity event has or may have occurred in an information system maintained by a third-party service provider, the licensee must conduct an investigation as outlined above or make reasonable efforts to confirm and document that the third-party service provider has either completed the investigation or failed to cooperate with the investigation.
Licensees must maintain records concerning a cybersecurity event for a period of five (5) years starting from the date of the cybersecurity event and must produce the records upon demand of the Insurance Commissioner. |
Commissioner Notice Requirements |
A licensee must notify the Insurance Commissioner that a cybersecurity event involving nonpublic information has occurred if any of the following conditions is met:
Commissioner Notice Requirements Continued |
Timing: A licensee shall provide the notification as promptly as possible, but no later than three (3) business days from the determination that the cybersecurity event occurred.
Contents: The licensee shall provide as much of the following information as possible:
The licensee is required to update and supplement the information provided to address material changes to the information as additional information becomes available.
Method: In electronic form, as directed by the Commissioner. |
Consumer Notification Requirements |
If a licensee knows that nonpublic information of a consumer in the licensee’s possession has been acquired by a person whom the licensee has not authorized to acquire the nonpublic information, the licensee must make reasonable efforts to notify each consumer who is the subject of the nonpublic information.
Timing: Notice must occur within a reasonable time, not to exceed 45 days after the licensee learns of the acquisition of nonpublic information. A determination as to reasonableness includes consideration of the number of notices that the licensee must provide and the methods of communication available to the licensee.
Contents: The notice shall indicate that the licensee knows of the unauthorized acquisition of nonpublic information pertaining to the consumer.
Upon written request by a consumer who has received a notice, the licensee that provided the notice must identify the nonpublic information that was acquired.
Method: Notice is required by mail or by a method the licensee has previously employed to communicate with the consumer who is the subject of the nonpublic information. If a licensee cannot with reasonable diligence determine the mailing address, and if the licensee has not previously communicated with the subject of the nonpublic information, the licensee shall provide notice by a method reasonably calculated to provide actual notice. |
Consumer Reporting Agencies Notification Requirement |
If a licensee is required to notify 1,000 or more Wisconsin residents, the licensee must notify all consumer reporting agencies without unreasonable delay of the timing, distribution, and content of the notices sent to the consumers. |
Exceptions to Notice Requirement |
Notification to consumers and consumer reporting agencies is not required if:
These exceptions do not affect the requirement to notify the Insurance Commissioner. |
Enforcement |
The Insurance Commissioner may investigate licensees to determine whether the licensee has engaged in any violations and take any action that is necessary or appropriate to enforce the requirements under this statute. |
Last updated: January 2024