Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Within reasonable time not greater than 45 days
Government Notification Required: No
Scope of this Summary:
Notification requirements applicable to entities, other than individuals, that conduct business in the state and maintain covered info in ordinary course of business, license covered info in the state, maintain deposit accounts for a resident, or lend money to a resident. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if acquisition of covered info does not create a material risk of identity theft or fraud to the affected person.
Unauthorized acquisition of covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted, redacted, or altered in a manner that renders it unreadable.
Form of Covered Information
Electronic or Paper
An individual's last name and first name or first initial, in combination with and linked to any of the following elements:
- The individual's Social Security number.
- The individual's driver's license number or state identification number.
- The individual's financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual's financial account.
- The individual's deoxyribonucleic acid profile, as defined in s. 939.74 (2d) (a).
- The individual's unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
Consumer Notice Timing
Must make reasonable efforts to notify affected residents within a reasonable time not to exceed 45 days after discovery of the breach, subject to law enforcement delay.
Consumer Notice Method
By mail or by a method the entity has previously used to communicate with the affected person. If address is not known and covered entity has not previously communicated with the affected person, covered entity must provide notice by a method reasonably calculated to actually notify the affected person.
Consumer Notice Content
Notice must indicate that covered entity knows of the unauthorized acquisition of covered info pertaining to the resident. Upon written request from a notified individual, the covered entity must identify the covered info that was acquired.
Notification must be delayed if law enforcement determines delay necessary to protect an investigation or homeland security.
The Wisconsin general notification statute does not require notice to any government or regulatory agencies.
Consumer Reporting Agency Notice
If more than 1,000 individuals are notified, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of timing, distribution, and content of the consumer notice.
Exceptions for Other Laws
The statute includes certain exceptions for entities that are subject to and in compliance with either: The Gramm-Leach-Bliley Act or the privacy and security regulations implemented under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), if it complies with the regulations, including the breach notification requirements.
If you maintain covered info on behalf of another entity, you must notify it as soon as practicable following determination of a breach.
Private Right of Action
Although Wisconsin's general breach notification statute does not explicitly provide for a private right of action, it provides that, while a violation itself is not negligence or a breach of any duty, it may be evidence of negligence or a breach of a legal duty (Wis. Stat. § 134.98(4)).
Violations may result in civil penalties.