Wisconsin
Click here to review text of state statute |
Information Covered / Important Definitions
Information covered:
Personal information of Wisconsin residents.
Definition includes (i) an individual’s DNA data, and (ii) unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
Covered Entities* / Third Party Recipients
Subject to statute:
An entity whose principal place of business is located inside Wisconsin, or an entity located outside Wisconsin that maintains or licenses personal information in Wisconsin.
Includes entities that maintain a depository account for a resident or lends money to a resident.
Third party recipients:
Any entity (other than individuals) that store personal information pertaining to Wisconsin residents that it does not own or license must notify the owner or licensor of the security breach as soon as practicable following discovery of the breach (unless a contractual agreement states otherwise).
Notice Procedures & Timing / Other Obligations
Notice to victims of a security breach within a reasonable time not to exceed forty-five (45) days after discovery of the security breach, unless a law enforcement agency determines that notice will impede a criminal or civil investigation or jeopardize homeland security (in which case notification is delayed until authorized by law enforcement).
- Notice may be provided by mail or by a method the entity has previously employed to communicate with the affected persons. Upon written request from an affected person, the covered entity must identify the personal information that was acquired.
- Substitute notice is available by means described in statute if a covered entity cannot with reasonable diligence determine the mailing address of the subject of the personal information compromised.
- Notice not required if the security breach does not create a material risk of identity theft or fraud to the affected persons.
Other Obligations:
Any covered entity that must notify more than 1,000 persons at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted, redacted, or otherwise altered in a manner that renders it unreadable.
Other exemptions:
Exemption for good faith acquisition of personal information by an employee or agent of a covered entity if it is used solely for a lawful purpose.
Financial institutions regulated by certain federal laws described in the statute are exempt.
Entities covered by HIPAA are exempt.
Notification to Regulator / Waiver
A determination of no likelihood of harm: Does not require notification to attorney general.
Private Cause of Action / Enforcement
Private Cause of Action: No.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute |