The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
895.507 Notice of unauthorized acquisition of personal information. (1) Definitions.
In this section:
(a) 1. "Entity" means a person, other than an individual, that does any of the
a. Conducts business in this state and maintains personal information in the
ordinary course of business.
b. Licenses personal information in this state.
c. Maintains for a resident of this state a depository account as defined in s.
815.18 (2) (e).
d. Lends money to a resident of this state.
2. "Entity" includes all of the following:
a. The state and any office, department, independent agency, authority,
institution, association, society, or other body in state government created or
authorized to be created by the constitution or any law, including the legislature and
b. A city, village, town, or county.
(am) "Name" means an individual's last name combined with the individual's
first name or first initial.
(b) "Personal information" means an individual's last name and the
individual's first name or first initial, in combination with and linked to any of the
following elements, if the element is not publicly available information and is not
encrypted, redacted, or altered in a manner that renders the element unreadable:
1. The individual's social security number.
2. The individual's driver's license number or state identification number.
3. The number of the individual's financial account number, including a credit
or debit card account number, or any security code, access code, or password that
would permit access to the individual's financial account.
4. The individual's deoxyribonucleic acid profile, as defined in s. 939.74 (2d) (a).
5. The individual's unique biometric data, including fingerprint, voice print,
retina or iris image, or any other unique physical representation.
(c) "Publicly available information" means any information that an entity
reasonably believes is one of the following:
1. Lawfully made widely available through any media.
2. Lawfully made available to the general public from federal, state, or local
government records or disclosures to the general public that are required to be made
by federal, state, or local law.
(2) Notice required.
(a) If an entity whose principal place of business is
located in this state or an entity that maintains or licenses personal information in
this state knows that personal information in the entity's possession has been
acquired by a person whom the entity has not authorized to acquire the personal
information, the entity shall make reasonable efforts to notify each subject of the
personal information. The notice shall indicate that the entity knows of the
unauthorized acquisition of personal information pertaining to the subject of the
(b) If an entity whose principal place of business is not located in this state
knows that personal information pertaining to a resident of this state has been
acquired by a person whom the entity has not authorized to acquire the personal
information, the entity shall make reasonable efforts to notify each resident of this
state who is the subject of the personal information. The notice shall indicate that
the entity knows of the unauthorized acquisition of personal information pertaining
to the resident of this state who is the subject of the personal information.
(bm) If a person, other than an individual, that stores personal information
pertaining to a resident of this state, but does not own or license the personal
information, knows that the personal information has been acquired by a person
whom the person storing the personal information has not authorized to acquire the
personal information, and the person storing the personal information has not
entered into a contract with the person that owns or licenses the personal
information, the person storing the personal information shall notify the person that
owns or licenses the personal information of the acquisition as soon as practicable.
(cm) Notwithstanding pars. (a), (b), and (bm), an entity is not required to
provide notice of the acquisition of personal information if any of the following
1. The acquisition of personal information does not create a material risk of
identity theft or fraud to the subject of the personal information.
2. The personal information was acquired in good faith by an employee or agent
of the entity, if the personal information is used for a lawful purpose of the entity.
(3) Timing and manner of notice; other requirements.
(a) Subject to sub. (5),
an entity shall provide the notice required under sub. (2) within a reasonable time,
not to exceed 45 days after the entity learns of the acquisition of personal
information. A determination as to reasonableness under this paragraph shall
include consideration of the number of notices that an entity must provide and the
methods of communication available to the entity.
(b) An entity shall provide the notice required under sub. (2) by mail or by a
method the entity has previously employed to communicate with the subject of the
personal information. If an entity cannot with reasonable diligence determine the
mailing address of the subject of the personal information, and if the entity has not
previously communicated with the subject of the personal information, the entity
shall provide notice by a method reasonably calculated to provide actual notice to the
subject of the personal information.
(c) Upon written request by a person who has received a notice under sub. (2),
the entity that provided the notice shall identify the personal information that was
(3m) Regulated entities exempt.
This section does not apply to any of the
(a) An entity that is subject to, and in compliance with, the privacy and security
requirements of 15 USC 6801, or a person that has a contractual obligation
to such an entity, if the entity or person has in effect a policy concerning breaches of
(b) An entity that is described in 45 CFR 164.104 (a), if the entity complies with
the requirements of 45 CFR part 164
(4) Effect on civil claims.
Failure to comply with this section is not negligence
or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.
(5) Request by law enforcement not to notify.
A law enforcement agency
may, in order to protect an investigation or homeland security, ask an entity not to
provide a notice that is otherwise required under sub. (2) for any period of time and
the notification process required under sub. (2) shall begin at the end of that time
period. Notwithstanding subs. (2) and (3), if an entity receives such a request, the
entity may not provide notice of or publicize an unauthorized acquisition of personal
information, except as authorized by the law enforcement agency that made the
(6m) Local ordinances or regulations prohibited.
No city, village, town, or
county may enact or enforce an ordinance or regulation that relates to notice or
disclosure of the unauthorized acquisition of personal information.
(7m) Effect of federal legislation.
If the joint committee on administrative
rules determines that the federal government has enacted legislation that imposes
notice requirements substantially similar to the requirements of this section and
determines that the legislation does not preempt this section, the joint committee on
administrative rules shall submit to the revisor of statutes for publication in the
Wisconsin administrative register a notice of its determination. This section does not
apply after publication of a notice under this subsection.