SB164-SSA1,1,5 4895.507 Notice of unauthorized acquisition of personal information.
5(1) Definitions. In this section:

SB164-SSA1,1,76 (a) 1. "Entity" means a person, other than an individual, that does any of the
7following:

SB164-SSA1,1,98 a. Conducts business in this state and maintains personal information in the
9ordinary course of business.

SB164-SSA1,1,1010 b. Stores personal information in this state.

SB164-SSA1,1,1211 c. Maintains for a resident of this state a depository account as defined in s.
12815.18 (2) (e).

SB164-SSA1,2,1

---

1d. Lends money to a resident of this state.

SB164-SSA1,2,22 2. "Entity" includes all of the following:

SB164-SSA1,2,63 a. The state and any office, department, independent agency, authority,
4institution, association, society, or other body in state government created or
5authorized to be created by the constitution or any law, including the legislature and
6the courts.

SB164-SSA1,2,77 b. A city, village, town, or county.

SB164-SSA1,2,88 (am) "Name" includes all of the following:

SB164-SSA1,2,99 1. An individual's first name.

SB164-SSA1,2,1110 2. The first letter of an individual's first name combined with the individual's
11last name.

SB164-SSA1,2,1412 (b) "Personal information" means any of the information specified in s. 943.201
13(1) (b) 4., 5., 9., 11., 12. a. and c., and 13. if the information is accompanied by the name
14of the individual to whom the information pertains and is not publicly available.

SB164-SSA1,2,1615 (c) "Publicly available information" means any information that an entity
16reasonably believes is one of the following:

SB164-SSA1,2,1717 1. Information that is lawfully made widely available through any media.

SB164-SSA1,2,2018 2. Information that is lawfully made available to the general public from
19federal, state, or local government records or disclosures to the general public that
20are required to be made by federal, state, or local law.

SB164-SSA1,3,2 21(2) Notice required. (a) If an entity whose principal place of business is
22located in this state or an entity that stores personal information in this state knows
23that personal information in the entity's possession has been acquired by a person
24whom the entity has not authorized to acquire the personal information, the entity
25shall make reasonable efforts to notify each subject of the personal information. The

---

1notice shall indicate that the entity knows of the unauthorized acquisition of
2personal information pertaining to the subject of the personal information.

SB164-SSA1,3,93 (b) If an entity whose principal place of business is not located in this state
4knows that personal information pertaining to a resident of this state has been
5acquired by a person whom the entity has not authorized to acquire the personal
6information, the entity shall make reasonable efforts to notify each resident of this
7state who is the subject of the personal information. The notice shall indicate that
8the entity knows of the unauthorized acquisition of personal information pertaining
9to the resident of this state who is the subject of the personal information.

SB164-SSA1,3,1210 (cm) Notwithstanding pars. (a) and (b), an entity is not required to provide
11notice of the acquisition of personal information in good faith by an employee or agent
12of the entity, if the personal information is used for a lawful purpose of the entity.

SB164-SSA1,3,18 13(3) Timing and manner of notice. (a) Subject to sub. (5), an entity shall provide
14the notice required under sub. (2) within a reasonable time, not to exceed 30 business
15days after the entity learns of the acquisition of personal information. A
16determination as to reasonableness under this paragraph shall include
17consideration of the number of notices that an entity must provide and the methods
18of communication available to the entity.

SB164-SSA1,3,2519 (b) An entity shall provide the notice required under sub. (2) by mail or by a
20method the entity has previously employed to communicate with the subject of the
21personal information. If an entity cannot with reasonable diligence determine the
22mailing address of the subject of the personal information, and if the entity has not
23previously communicated with the subject of the personal information, the entity
24shall provide notice by a method reasonably calculated to provide actual notice to the
25subject of the personal information.

SB164-SSA1,4,2

---

1(3m) Regulated entities exempt. This section does not apply to any of the
2following:

SB164-SSA1,4,43 (a) An entity that is a financial institution, or any person under contract with
4such an entity, that is all of the following:

SB164-SSA1,4,75 1. Subject to the interagency guidance on response programs for unauthorized
6access to customer information and customer notice as published in the federal
7register on March 29, 2005.

SB164-SSA1,4,88 2. In compliance with the interagency guidance specified in subd. 1.

SB164-SSA1,4,109(b) An entity that is described in 45 CFR 164.104 (a), if the entity complies with
10the requirements of 45 CFR part 164.

SB164-SSA1,4,15 11(4) Effect on civil claims. An entity that complies with this section is not
12liable for damages caused by the acquisition of personal information by a person
13whom the entity has not authorized to acquire the personal information. Failure to
14comply with this section is not negligence or a breach of any duty, but may be evidence
15of negligence or a breach of a legal duty.

SB164-SSA1,4,23 16(5) Request by law enforcement not to notify. A law enforcement agency
17may, in order to protect an investigation or homeland security, ask an entity not to
18provide a notice that is otherwise required under sub. (2) for any period of time and
19the notification process required under sub. (2) shall begin at the end of that time
20period. Notwithstanding subs. (2) and (3), if an entity receives such a request, the
21entity may not provide notice of or publicize an unauthorized acquisition of personal
22information, except as authorized by the law enforcement agency that made the
23request.

SB164-SSA1,5,3

---

1(6m) Local ordinances or regulations prohibited. No city, village, town, or
2county may enact or enforce an ordinance or regulation that relates to notice or
3disclosure of the unauthorized acquisition of personal information.

SB164-SSA1,5,10 4(7m) Effect of federal legislation. If the joint committee on administrative
5rules determines that the federal government has enacted legislation that imposes
6notice requirements substantially identical to the requirements of this section and
7determines that the legislation does not preempt this section, the joint committee on
8administrative rules shall submit to the revisor of statutes for publication in the
9Wisconsin administrative register a notice of its determination. This section does not
10apply after publication of a notice under this subsection.