Data Breach Requirements in the State of Wisconsin
Wis. Stat. § 134.98, also known as Wisconsin’s Data Breach Law, is a data breach notification law that was passed in the U.S. state of Wisconsin in 2006. Wisconsin’s Data Breach Law established the legal framework that governs data breaches within the state, effectively mandating that agencies, businesses, and organizations operating within said state adhere to various regulations and requirements in the event that a data breach occurs. Furthermore, the law also sets forth the various sanctions and penalties that can be imposed against business entities within Wisconsin, should these entities fail to comply with the law as it pertains to the compromised personal information of residents within the state.
How is a data breach defined under Wisconsin’s Data Breach Law?
As stated in Wisconsin’s Data Breach Law, “when an Entity whose principal place of business is located in WI or an Entity that maintains or licenses PI in WI knows that PI in the Entity’s possession has been acquired by a person whom the Entity has not authorized to acquire the PI, or, in the case of an Entity whose principal place of business is not located in WI, when it knows that PI pertaining to a resident of WI has been acquired by a person whom the Entity has not authorized to acquire the PI.” Alternatively, entities within Wisconsin are not responsible for personal information that may be compromised after being acquired “by a person whom the Entity has not authorized to acquire the PI.”
What is the scope and application of Wis. Stat. § 134.98?
In terms of the scope and application of Wisconsin’s Data Breach Law, the law applies to all entities that maintain or license personal information that has been obtained from residents within the state. To this point, the law states that entities include “any office, department, independent agency, authority, institution, association, society, or other body in state government created or authorized to be created by the constitution or any law, including the legislature and the courts; a city, village, town, or county; a person, other than an individual, that does any of the following”:
- Conducts business within the state of Wisconsin and maintains personal information during the course of operating said business.
- Licenses personal information within the state of Wisconsin.
- Maintains personal information for a “resident of WI a depository account”.
- Lends money to a resident within the state of Wisconsin.
What are the requirements of business entities under Wisconsin’s Data Breach Law?
Wisconsin’s Data Breach Law mandates that entities operating within the state provide all affected parties with data breach notifications in the event that such an incident occurs. These notifications must be provided to affected parties no later than 45 days after a data breach has been discovered, and must provide said parties with information concerning the categories of personal information that were compromised following the breach, as well as the scope and severity of the breach, among other things. Moreover, entities are also required to provide notice to the three major credit reporting agencies within the U.S. in the event that a data breach leads to the disclosure of personal information pertaining to more than 1,000 residents within Wisconsin.
What categories of personal information are covered under the law?
Under Wisconsin’s Data Breach Law, the following categories of personal information are protected under the law should a data breach occur, “in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable”:
- Social security numbers.
- Driver’s license numbers and state identification card numbers.
- Account numbers, credit card numbers, and debit card numbers, as well as any access or passcodes that could be used to grant access to an individual’s financial account.
- DNA profiles.
- Unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
In terms of the sanctions and penalties that can be enforced against individuals and entities within the state of Wisconsin that are found to be in violation of the law, the provisions of Wis. Stat. § 134.98 are enforced by the Attorney General of Wisconsin. Subsequently, the Attorney General of Wisconsin has the authority to impose civil penalties and other remedies against entities within the state that fail to comply with the law. Notably, entities and individuals that violate the law are also subject to criminal charges, in contrast to many other state-level data breach notification laws throughout the U.S.
Wisconsin’s Data Breach Law represents the primary means by which residents of the state can seek legal recourse against entities that are found to have failed to notify them should their information be compromised as a result of a data breach. Through the provisions of the law, business entities and organizations within the state of Wisconsin face numerous sanctions and punishments should they fail in their duty to said citizens as it concerns compliance with the law. As such, residents of Wisconsin can rest assured that certain categories of personal information concerning them will be legally protected should said information be disclosed following a security breach.