2005 - 2006 LEGISLATURE
SENATE SUBSTITUTE AMENDMENT 3,
TO 2005 SENATE BILL 164
November 1, 2005 - Offered by Senator Kanavas.
An Act to create 895.507 of the statutes; relating to: notice regarding
unauthorized acquisition of personal information.
Analysis by the Legislative Reference Bureau
This substitute amendment requires an entity that possesses certain personal
information about an individual to notify the individual when the information is
accessed by a person who the entity has not authorized to do so (unauthorized
access). The substitute amendment's notice requirements apply to entities,
including the state and local governments, that do any of the following: conduct
business in Wisconsin and maintain personal information in the ordinary course of
business; store personal information in this state; maintain a depository account for
a Wisconsin resident; or lend money to a Wisconsin resident.
Under the substitute amendment, personal information includes any of the
following information about an individual, if accompanied by the name of the
individual to whom the information pertains: driver's license number; social
security number; depository account number and certain other financial
information; deoxyribonucleic acid (DNA) profile and other biometric data; and
certain other information that can be used to obtain money, goods, or services, or
other things of value. Personal information does not include information that is
lawfully available to the public or information that is encrypted.

As to an entity whose principal place of business is located in Wisconsin or that
stores personal information in Wisconsin, if the entity knows or has reason to know
of an unauthorized access, the substitute amendment requires the entity to make
reasonable efforts to notify the individual that is the subject of the personal
information (subject) that the individual's personal information has been accessed.
As to an entity whose principal place of business is not located in Wisconsin, if the
entity knows or has reason to know of an unauthorized access involving information
pertaining to a Wisconsin resident, the substitute amendment requires the entity to
make reasonable efforts to notify the subject. An entity is not required to give notice
if the acquisition of personal information does not compromise the security,
confidentiality, or integrity of the personal information, or if the personal
information was acquired in good faith by an employee of the entity and the personal
information is used for a lawful purpose of the entity.

Under the substitute amendment, an entity required to notify a subject must,
within a reasonable time not to exceed 30 business days after learning of the
unauthorized access, inform the subject that the entity knows of the unauthorized
use of personal information pertaining to the subject. The entity must deliver the
notice by mail or by another method the entity has previously used to communicate
with the subject. If the entity cannot reasonably determine the subject's mailing
address, the entity may notify the subject by another means reasonably calculated
to provide actual notice to the subject. Under the substitute amendment, a law
enforcement agency may request an entity to delay a required notice for any period
of time in order to protect an investigation or homeland security. An entity that
receives such a request must begin the notification process after the requested delay

The substitute amendment contains exemptions from the notice requirements
for certain entities that are subject to, and in compliance with, certain requirements
imposed by federal law and regulations that generally relate to the privacy and
security of medical and financial data. The substitute amendment also prohibits the
enactment or enforcement by a city, village, town, or county of an ordinance or
regulation that relates to notice or disclosure of the unauthorized acquisition of

The substitute amendment provides that failure to comply with the substitute
amendment's requirements is not negligence or a breach of a legal duty, but may be
evidence of negligence or a breach of a legal duty.

The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
895.507 Notice of unauthorized acquisition of personal information.
(1) Definitions. In this section:
(a) 1. "Entity" means a person, other than an individual, that does any of the
a. Conducts business in this state and maintains personal information in the
ordinary course of business.
b. Stores personal information in this state.
c. Maintains for a resident of this state a depository account as defined in s.
815.18 (2) (e).
d. Lends money to a resident of this state.
2. "Entity" includes all of the following:
a. The state and any office, department, independent agency, authority,
institution, association, society, or other body in state government created or
authorized to be created by the constitution or any law, including the legislature and
b. A city, village, town, or county.
(am) "Name" means an individual's last name combined with the individual's
first name or first initial.
(b) "Personal information" means any of the information specified in s. 943.201
(1) (b) 4., 5., 9., 11., 12. a. and c., and 13. if all of the following apply:
1. The information is accompanied by the name of the individual to whom the
2. The information is not publicly available.
3. The information is not encrypted.
(c) "Publicly available information" means any information that an entity
reasonably believes is one of the following:
1. Lawfully made widely available through any media.
2. Lawfully made available to the general public from federal, state, or local
government records or disclosures to the general public that are required to be made
by federal, state, or local law.
(2) Notice required.
(a) If an entity whose principal place of business is
located in this state or an entity that stores personal information in this state knows
that personal information in the entity's possession has been acquired by a person
whom the entity has not authorized to acquire the personal information, the entity
shall make reasonable efforts to notify each subject of the personal information. The
notice shall indicate that the entity knows of the unauthorized acquisition of
personal information pertaining to the subject of the personal information.
(b) If an entity whose principal place of business is not located in this state
knows that personal information pertaining to a resident of this state has been
acquired by a person whom the entity has not authorized to acquire the personal
information, the entity shall make reasonable efforts to notify each resident of this
state who is the subject of the personal information. The notice shall indicate that
the entity knows of the unauthorized acquisition of personal information pertaining
to the resident of this state who is the subject of the personal information.
(cm) Notwithstanding pars. (a) and (b), an entity is not required to provide
notice of the acquisition of personal information if any of the following apply:
1. The acquisition of personal information does not compromise the security,
confidentiality, or integrity of personal information in the entity's possession.
2. The personal information was acquired in good faith by an employee or agent
of the entity, if the personal information is used for a lawful purpose of the entity.
(3) Timing and manner of notice.
(a) Subject to sub. (5), an entity shall provide
the notice required under sub. (2) within a reasonable time, not to exceed 30 business
days after the entity learns of the acquisition of personal information. A
determination as to reasonableness under this paragraph shall include
consideration of the number of notices that an entity must provide and the methods
of communication available to the entity.
(b) An entity shall provide the notice required under sub. (2) by mail or by a
method the entity has previously employed to communicate with the subject of the
personal information. If an entity cannot with reasonable diligence determine the
mailing address of the subject of the personal information, and if the entity has not
previously communicated with the subject of the personal information, the entity
shall provide notice by a method reasonably calculated to provide actual notice to the
subject of the personal information.
(3m) Regulated entities exempt.
This section does not apply to any of the
(a) An entity that is subject to, and in compliance with, the privacy and security
requirements of 15 USC 6801, or a person that has a contractual obligation
to such an entity, if the entity or person has in effect a policy concerning breaches of
(b) An entity that is described in 45 CFR 164.104 (a), if the entity complies with
the requirements of 45 CFR part 164
(4) Effect on civil claims.
Failure to comply with this section is not negligence
or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.
(5) Request by law enforcement not to notify.
A law enforcement agency
may, in order to protect an investigation or homeland security, ask an entity not to
provide a notice that is otherwise required under sub. (2) for any period of time and
the notification process required under sub. (2) shall begin at the end of that time
period. Notwithstanding subs. (2) and (3), if an entity receives such a request, the
entity may not provide notice of or publicize an unauthorized acquisition of personal
information, except as authorized by the law enforcement agency that made the
(6m) Local ordinances or regulations prohibited.
No city, village, town, or
county may enact or enforce an ordinance or regulation that relates to notice or
disclosure of the unauthorized acquisition of personal information.
(7m) Effect of federal legislation.
If the joint committee on administrative
rules determines that the federal government has enacted legislation that imposes
notice requirements substantially similar to the requirements of this section and
determines that the legislation does not preempt this section, the joint committee on
administrative rules shall submit to the revisor of statutes for publication in the
Wisconsin administrative register a notice of its determination. This section does not
apply after publication of a notice under this subsection.