ASSEMBLY SUBSTITUTE AMENDMENT 1,
TO 2005 SENATE BILL 164
February 21, 2006 - Offered by Committee on State Affairs.
An Act to create 895.507 of the statutes; relating to: notice regarding
unauthorized acquisition of personal information.
Analysis by the Legislative Reference Bureau
This substitute amendment requires an entity that possesses certain personal
information about an individual to notify the individual when the information is
acquired by a person who the entity has not authorized to do so (unauthorized
acquisition). The substitute amendment's notice requirements apply to entities,
including the state and local governments, that do any of the following: conduct
business in Wisconsin and maintain personal information in the ordinary course of
business; license personal information in this state; maintain a depository account
for a Wisconsin resident; or lend money to a Wisconsin resident.
Under the substitute amendment, personal information includes any of the
following information about an individual, if combined with the name of the
individual to whom the information pertains: driver's license number; social
security number; financial account number and certain related information; and
deoxyribonucleic acid (DNA) profile and other biometric data. Personal information
does not include information that is lawfully available to the public or information
that is encrypted.
As to an entity whose principal place of business is located in Wisconsin or that
licenses personal information in Wisconsin, if the entity knows or has reason to know
of an unauthorized acquisition, the substitute amendment requires the entity to
make reasonable efforts to notify the individual that is the subject of the personal
information (subject) that the individual's personal information has been acquired.
As to an entity whose principal place of business is not located in Wisconsin, if the
entity knows or has reason to know of an unauthorized acquisition involving
information pertaining to a Wisconsin resident, the substitute amendment requires
the entity to make reasonable efforts to notify the subject. An entity is not required
to give notice if the acquisition of personal information does not create a material risk
of identity theft or fraud, or if the personal information was acquired in good faith
by an employee of the entity and the personal information is used for a lawful purpose
of the entity.
Under the substitute amendment, an entity required to notify a subject must,
within a reasonable time not to exceed 45 days after learning of the unauthorized
acquisition, inform the subject that the entity knows of the unauthorized use of
personal information pertaining to the subject. The entity must deliver the notice
by mail or by another method the entity has previously used to communicate with
the subject. If the entity cannot reasonably determine the subject's mailing address,
the entity may notify the subject by another means reasonably calculated to provide
actual notice to the subject. Upon request by a person who receives a notice, an entity
must identify the personal information that was acquired.
Under the substitute amendment, a separate notification requirement applies
to a person, other than an individual, that stores personal information pertaining to
a resident of this state, but does not own or license the personal information. The
requirement only applies if there is no contract between the person that stores the
personal information and the person that owns or licenses the personal information.
If such a person knows that personal information in the person's possession has been
acquired by a person whom the entity has not authorized to acquire the personal
information, the entity must notify the person that owns or licenses the personal
information as soon as practicable.
Under the substitute amendment, a law enforcement agency may request an
entity to delay a required notice for any period of time in order to protect an
investigation or homeland security. An entity that receives such a request must
begin the notification process after the requested delay period.
The substitute amendment contains exemptions from the notice requirements
for certain entities that are subject to, and in compliance with, certain requirements
imposed by federal law and regulations that generally relate to the privacy and
security of medical and financial data. The substitute amendment also prohibits the
enactment or enforcement by a city, village, town, or county of an ordinance or
regulation that relates to notice or disclosure of the unauthorized acquisition of
personal information.

The substitute amendment provides that failure to comply with the substitute
amendment's requirements is not negligence or a breach of a legal duty, but may be
evidence of negligence or a breach of a legal duty.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
Section 1. 895.507 of the statutes is created to read:
895.507 Notice of unauthorized acquisition of personal information.
(1) Definitions. In this section:
(a) 1. "Entity" means a person, other than an individual, that does any of the
following:
a. Conducts business in this state and maintains personal information in the
ordinary course of business.
b. Licenses personal information in this state.
c. Maintains for a resident of this state a depository account as defined in s.
815.18 (2) (e).
d. Lends money to a resident of this state.
2. "Entity" includes all of the following:
a. The state and any office, department, independent agency, authority,
institution, association, society, or other body in state government created or
authorized to be created by the constitution or any law, including the legislature and
the courts.
b. A city, village, town, or county.
(am) "Name" means an individual's last name combined with the individual's
first name or first initial.
(b) "Personal information" means an individual's last name and the
individual's first name or first initial, in combination with and linked to any of the
following elements, if the element is not publicly available information and is not
encrypted, redacted, or altered in a manner that renders the element unreadable:
1. The individual's social security number.
2. The individual's driver's license number or state identification number.
3. The number of the individual's financial account number, including a credit
or debit card account number, or any security code, access code, or password that
would permit access to the individual's financial account.
4. The individual's deoxyribonucleic acid profile, as defined in s. 939.74 (2d) (a).
5. The individual's unique biometric data, including fingerprint, voice print,
retina or iris image, or any other unique physical representation.
(c) "Publicly available information" means any information that an entity
reasonably believes is one of the following:
1. Lawfully made widely available through any media.
2. Lawfully made available to the general public from federal, state, or local
government records or disclosures to the general public that are required to be made
by federal, state, or local law.
(2) Notice required. (a) If an entity whose principal place of business is
located in this state or an entity that maintains or licenses personal information in
this state knows that personal information in the entity's possession has been
acquired by a person whom the entity has not authorized to acquire the personal
information, the entity shall make reasonable efforts to notify each subject of the
personal information. The notice shall indicate that the entity knows of the
unauthorized acquisition of personal information pertaining to the subject of the
personal information.
(b) If an entity whose principal place of business is not located in this state
knows that personal information pertaining to a resident of this state has been
acquired by a person whom the entity has not authorized to acquire the personal
information, the entity shall make reasonable efforts to notify each resident of this
state who is the subject of the personal information. The notice shall indicate that
the entity knows of the unauthorized acquisition of personal information pertaining
to the resident of this state who is the subject of the personal information.
(bm) If a person, other than an individual, that stores personal information
pertaining to a resident of this state, but does not own or license the personal
information, knows that the personal information has been acquired by a person
whom the person storing the personal information has not authorized to acquire the
personal information, and the person storing the personal information has not
entered into a contract with the person that owns or licenses the personal
information, the person storing the personal information shall notify the person that
owns or licenses the personal information of the acquisition as soon as practicable.
(cm) Notwithstanding pars. (a), (b), and (bm), an entity is not required to
provide notice of the acquisition of personal information if any of the following
applies:
1. The acquisition of personal information does not create a material risk of
identity theft or fraud to the subject of the personal information.
2. The personal information was acquired in good faith by an employee or agent
of the entity, if the personal information is used for a lawful purpose of the entity.
(3) Timing and manner of notice; other requirements. (a) Subject to sub. (5),
an entity shall provide the notice required under sub. (2) within a reasonable time,
not to exceed 45 days after the entity learns of the acquisition of personal
information. A determination as to reasonableness under this paragraph shall
include consideration of the number of notices that an entity must provide and the
methods of communication available to the entity.
(b) An entity shall provide the notice required under sub. (2) by mail or by a
method the entity has previously employed to communicate with the subject of the
personal information. If an entity cannot with reasonable diligence determine the
mailing address of the subject of the personal information, and if the entity has not
previously communicated with the subject of the personal information, the entity
shall provide notice by a method reasonably calculated to provide actual notice to the
subject of the personal information.
(c) Upon written request by a person who has received a notice under sub. (2),
the entity that provided the notice shall identify the personal information that was
acquired.
(3m) Regulated entities exempt. This section does not apply to any of the
following:
(a) An entity that is subject to, and in compliance with, the privacy and security
requirements of 15 USC 6801 to 6827, or a person that has a contractual obligation
to such an entity, if the entity or person has in effect a policy concerning breaches of
information security.
(b) An entity that is described in 45 CFR 164.104 (a), if the entity complies with
the requirements of 45 CFR part 164.
(4) Effect on civil claims. Failure to comply with this section is not negligence
or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.
(5) Request by law enforcement not to notify. A law enforcement agency
may, in order to protect an investigation or homeland security, ask an entity not to
provide a notice that is otherwise required under sub. (2) for any period of time and
the notification process required under sub. (2) shall begin at the end of that time
period. Notwithstanding subs. (2) and (3), if an entity receives such a request, the
entity may not provide notice of or publicize an unauthorized acquisition of personal
information, except as authorized by the law enforcement agency that made the
request.
(6m) Local ordinances or regulations prohibited. No city, village, town, or
county may enact or enforce an ordinance or regulation that relates to notice or
disclosure of the unauthorized acquisition of personal information.
(7m) Effect of federal legislation. If the joint committee on administrative
rules determines that the federal government has enacted legislation that imposes
notice requirements substantially similar to the requirements of this section and
determines that the legislation does not preempt this section, the joint committee on
administrative rules shall submit to the revisor of statutes for publication in the
Wisconsin administrative register a notice of its determination. This section does not
apply after publication of a notice under this subsection.