LRB-2195/3
CTS:wlj:rs
2005 - 2006 LEGISLATURE
August 24, 2005 - Introduced by Representatives Molepske, Black, Staskunas,
Benedict, Hahn, Ott, Parisi, Berceau, McCormick, Zepnick, Lehman,
Gunderson, Fields and
Schneider, cosponsored by Senators Erpenbach,
Roessler, Carpenter and Wirch. Referred to Committee on Financial
Institutions.
AB621,1,3
1An Act to create 100.54 of the statutes;
relating to: requiring notice of
2unauthorized acquisitions of computerized personal information and granting
3rule-making authority.
Analysis by the Legislative Reference Bureau
This bill requires notification of the unauthorized acquisition of personal
information that is stored on a computer or other electronic medium (unauthorized
acquisition). The bill's notice requirements apply to entities, including the state, that
do any of the following: 1) conduct business in Wisconsin and maintain personal
information in the ordinary course of business; 2) store personal information in this
state; 3) maintain a depository account for a Wisconsin resident; or 4) lend money to
a Wisconsin resident.
Under the bill, personal information includes any of the following information
about an individual, if accompanied by the name of the individual to whom the
information pertains: electronic mail address; driver's license number; social
security number; employer or place of employment; mother's maiden name;
depository account number and certain other financial information;
deoxyribonucleic acid (DNA) profile; and any other information about an individual
that can be associated with an individual through identifiers or other information.
Personal information does not include information that is lawfully available to the
public.
Under the bill, if an entity that owns or licenses computerized personal
information knows or has reason to know of an unauthorized acquisition, the entity
must, within 15 business days, give notice to the individual who is the subject of the
information that was acquired and to at least three major credit reporting agencies.
The bill requires that the notice to the individual contain certain information,
including a warning that an unauthorized acquisition may adversely affect the
individual's credit rating, an advisory to monitor the individual's credit information,
and telephone numbers and addresses for at least three major credit reporting
agencies. The notice must be given in writing by mail, except that, if an entity is
required to give notice to more than one individual as a result of a single
unauthorized acquisition and the cost of giving written notice to all individuals
would exceed $250,000, notice may be given by doing all of the following: 1) sending
an electronic mail message to the individuals; 2) posting a notice on the Internet; and
3) notifying news media. The bill requires that a notice to credit reporting agencies
include the name of the individual who is the subject of the unauthorized disclosure
and a general identification of the type of information that was acquired.
Also under the bill, if an entity that maintains computerized personal
information owned or licensed by another knows or has reason to know that the
information has been acquired by a person not authorized to do so by the owner or
licensee of the information, that entity must, within 15 business days, notify the
owner or licensee.
The bill provides that the Department of Justice or the district attorney may
bring an action for an injunction against a person who violates the provisions of the
bill. The bill also permits an individual injured by a violation to bring an action
against the violator, including the state or any body in state government, for
damages.
For further information see the state fiscal estimate, which will be printed as
an appendix to this bill.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
AB621, s. 1
1Section
1. 100.54 of the statutes is created to read:
AB621,2,3
2100.54 Notice of unauthorized disclosure of computerized personal
3information. (1) Definitions. In this section:
AB621,2,44
(a) "Business day" has the meaning given in s. 421.301 (6).
AB621,2,65
(ag) "Computerized personal information" means personal information that is
6stored on a computer or on an optical, electromagnetic, or other electronic medium.
AB621,2,87
(ar) 1. "Entity" means a person, other than an individual, that does any of the
8following:
AB621,3,2
1a. Conducts business in this state and maintains personal information in the
2ordinary course of business.
AB621,3,33
b. Stores personal information in this state.
AB621,3,54
c. Maintains for a resident of this state a depository account as defined in s.
5815.18 (2) (e).
AB621,3,66
d. Lends money to a resident of this state.
AB621,3,107
2. "Entity" includes the state and any office, department, independent agency,
8authority, institution, association, society, or other body in state government created
9or authorized to be created by the constitution or any law, including the legislature
10and the courts.
AB621,3,1411
(b) "Major credit reporting agencies" means firms, as determined by the
12department, most actively engaged in the business of collecting and dispensing
13financial information regarding individuals, including information regarding
14creditworthiness.
AB621,3,1615
(c) "Personal information" means any of the following information, unless the
16information is publicly available:
AB621,3,1717
1. An individual's electronic mail address.
AB621,3,1818
2. Any of the information specified in s. 943.201 (1) (b) 4. to 15.
AB621,3,2019
(d) "Publicly available information" means any information that an entity
20reasonably believes is one of the following:
AB621,3,2121
1. Information that is lawfully made widely available through any media.
AB621,3,2422
2. Information that is lawfully made available to the general public from
23federal, state, or local government records or disclosures to the general public that
24are required to be made by federal, state, or local law.
AB621,4,7
1(2) Notification of unauthorized acquisition. (a) If an entity that owns
2computerized personal information or licenses computerized personal information
3from another knows or has reason to know that the computerized personal
4information has been acquired by a person who is not authorized to do so by the
5individual who is the subject of the computerized personal information, the entity
6shall, within 15 business days after the entity learned that the information was
7acquired, do all of the following:
AB621,4,98
1. Provide written notice under sub. (3) (a) to the individual who is the subject
9of the computerized personal information that has been acquired.
AB621,4,1110
2. Provide notice under sub. (3) (b) to not less than 3 major credit reporting
11agencies.
AB621,4,1712
(b) If an entity that maintains computerized personal information owned or
13licensed by another knows or has reason to know that the computerized personal
14information has been acquired by a person who has not been authorized to do so by
15the owner or licensee of the computerized personal information, the entity shall,
16within 15 business days after the entity learn that the information was acquired,
17notify the owner or licensee of the computerized personal information.
AB621,4,19
18(3) Content and form of notice. (a) Notice under sub. (2) (a) 1. shall be given
19in writing by mail and contain all of the following:
AB621,4,2220
1. A statement that computerized personal information pertaining to the
21individual and owned or licensed by the entity giving notice has been acquired by a
22person who is not authorized to do so by the individual.
AB621,4,2423
2. A description of the personal information that has been acquired and, if
24known, the approximate date when the acquisition occurred.
AB621,5,3
13. A warning that the unauthorized acquisition of personal information may
2adversely affect the individual's credit rating, and an advisory to monitor the
3individual's credit information.
AB621,5,54
4. Telephone numbers and mailing addresses for not less than 3 major credit
5reporting agencies.
AB621,5,76
(b) Notice under sub. (2) (a) 2. shall be given in writing by mail and contain all
7of the following:
AB621,5,118
1. A statement that computerized personal information pertaining to an
9individual and owned or licensed by the entity giving notice has been acquired by a
10person who is not authorized to do so by the individual who is the subject of the
11personal information.
AB621,5,1212
2. The name of the individual who is the subject of the personal information.
AB621,5,1413
3. A general identification of the type of personal information that has been
14acquired.
AB621,5,1615
4. The approximate date when the personal information was acquired, if
16known.
AB621,5,2017
(c) If an entity is required to give notice under sub. (2) (a) 1. to more than one
18individual as a result of a single acquisition of computerized personal information
19and the cost of giving written notice to all individuals would exceed $250,000, the
20entity may give notice by doing all of the following:
AB621,5,2221
1. Sending an electronic mail message to an individual's electronic mail
22address.
AB621,5,2323
2. Conspicuously posting notice at the entity's Internet Web site.
