LRB-1134/1
MJL&MGD:cmh:rs
2005 - 2006 LEGISLATURE
April 15, 2005 - Introduced by Representatives Staskunas, Black, Zepnick, Hahn,
Berceau, Van Akkeren, Cullen, Turner, Lehman, Pocan, Ott, Shilling,
Gunderson, Seidel, McCormick, Hines, Stone, Albers, Pridemore and
Molepske, cosponsored by Senators Hansen, Carpenter, Coggs and Darling.
Referred to Committee on Judiciary.
An Act to create 895.507 of the statutes; relating to: notice regarding
unauthorized use of personal information.
Analysis by the Legislative Reference Bureau
This bill requires a business (or other corporate entity) that knows of the
unauthorized use of unencrypted personal identifying information that was
obtained from the business to make reasonable efforts to notify the individual whose
personal identifying information was used. Generally, a business must notify the
individual within 30 days after the business learns of the unauthorized use.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
Section 1. 895.507 of the statutes is created to read:
895.507 Notice of unauthorized use of personal identifying
information.
(1) Definitions. In this section:
(a) "Entity" means a person, other than an individual, that in the ordinary
course of business maintains personal identifying information.
(b) "Personal identifying information" has the meaning given in s. 943.201 (1)
(b) but does not include publicly available information.
(c) "Publicly available information" means any information that an entity
reasonably believes is one of the following:
1. Information that is lawfully made widely available through any media.
2. Information that is lawfully made available to the general public from
federal, state, or local government records or disclosures to the general public that
are required to be made by federal, state, or local law.
(2) Required notice. (a) If an entity knows of the unauthorized use of
unencrypted personal identifying information that was obtained from the entity
while in the entity's possession, it shall make reasonable efforts to notify each
individual who is the subject of the personal identifying information. The notice
shall indicate that the entity knows of the unauthorized use of personal identifying
information relating to the individual.
(b) 1. The entity shall provide the notice under par. (a) in a manner and, subject
to sub. (4), within a time that is reasonable, taking into consideration the number of
notices that it must provide and the methods of communication available to the
entity.
2. Notwithstanding subd. 1., the entity shall provide any notice required under
par. (a) within 30 days after the entity learns of the unauthorized use of the personal
identifying information or, if sub. (4) applies, within 30 days after the end of the time
period specified by a law enforcement agency under that subsection.
(c) Notwithstanding pars. (a) and (b), an entity is not required to provide notice
to an individual of the unauthorized use of personal identifying information relating
to that individual if the entity learns of the unauthorized use from that individual.
(3) Effect on civil claims. Compliance with this section is not a defense to a
claim in a civil action or proceeding. Failure to comply with this section does not
constitute negligence or a breach of any duty as a matter of law.
(4) Request by law enforcement not to notify. If a law enforcement agency
asks an entity not to provide a notice that is otherwise required under sub. (2) for any
period of time, the notification process required under sub. (2) shall begin at the end
of that time period.
(End)