2005 - 2006 LEGISLATURE
April 15, 2005 - Introduced by Representatives Staskunas, Black, Zepnick, Hahn,
Berceau, Van Akkeren, Cullen, Turner, Lehman, Pocan, Ott, Shilling,
Gunderson, Seidel, McCormick, Hines, Stone, Albers, Pridemore and
Molepske, cosponsored by Senators Hansen, Carpenter, Coggs and Darling.
Referred to Committee on Judiciary.
1An Act to create
895.507 of the statutes; relating to: notice regarding
2unauthorized use of personal information.
Analysis by the Legislative Reference Bureau
This bill requires a business (or other corporate entity) that knows of the
unauthorized use of unencrypted personal identifying information that was
obtained from the business to make reasonable efforts to notify the individual whose
personal identifying information was used. Generally, a business must notify the
individual within 30 days after the business learns of the unauthorized use.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
AB320, s. 1
895.507 of the statutes is created to read:
4895.507 Notice of unauthorized use of personal identifying
5information. (1) Definitions.
In this section:
(a) "Entity" means a person, other than an individual, that in the ordinary 7
course of business maintains personal identifying information.
(b) "Personal identifying information" has the meaning given in s. 943.201 (1) 2
(b) but does not include publicly available information.
(c) "Publicly available information" means any information that an entity 4
reasonably believes is one of the following:
1. Information that is lawfully made widely available through any media.
2. Information that is lawfully made available to the general public from 7
federal, state, or local government records or disclosures to the general public that 8
are required to be made by federal, state, or local law.
9(2) Required notice.
(a) If an entity knows of the unauthorized use of 10
unencrypted personal identifying information that was obtained from the entity 11
while in the entity's possession, it shall make reasonable efforts to notify each 12
individual who is the subject of the personal identifying information. The notice 13
shall indicate that the entity knows of the unauthorized use of personal identifying 14
information relating to the individual.
(b) 1. The entity shall provide the notice under par. (a) in a manner and, subject 16
to sub. (4), within a time that is reasonable, taking into consideration the number of 17
notices that it must provide and the methods of communication available to the 18
2. Notwithstanding subd. 1., the entity shall provide any notice required under 20
par. (a) within 30 days after the entity learns of the unauthorized use of the personal 21
identifying information or, if sub. (4) applies, within 30 days after the end of the time 22
period specified by a law enforcement agency under that subsection.
(c) Notwithstanding pars. (a) and (b), an entity is not required to provide notice 24
to an individual of the unauthorized use of personal identifying information relating 25
to that individual if the entity learns of the unauthorized use from that individual.
1(3) Effect on civil claims.
Compliance with this section is not a defense to a 2
claim in a civil action or proceeding. Failure to comply with this section does not 3
constitute negligence or a breach of any duty as a matter of law.
4(4) Request by law enforcement not to notify.
If a law enforcement agency 5
asks an entity not to provide a notice that is otherwise required under sub. (2) for any 6
period of time, the notification process required under sub. (2) shall begin at the end 7
of that time period.