The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
Section 1. 895.507 of the statutes is created to read:
895.507 Notice of unauthorized acquisition of personal information.
(1) Definitions. In this section:
(a) 1. "Entity" means a person, other than an individual, that does any of the following:
a. Conducts business in this state and maintains personal information in the ordinary course of business.
b. Stores personal information in this state.
c. Maintains for a resident of this state a depository account as defined in s. 815.18 (2) (e).
d. Lends money to a resident of this state.
2. "Entity" includes all of the following:
a. The state and any office, department, independent agency, authority, institution, association, society, or other body in state government created or authorized to be created by the constitution or any law, including the legislature and the courts.
b. A city, village, town, or county.
(am) "Name" means an individual's last name combined with the individual's first name or first initial.
(b) "Personal information" means any of the information specified in s. 943.201 (1) (b) 4., 5., 9., 11., 12. a. and c., and 13. if all of the following apply:
1. The information is accompanied by the name of the individual to whom the information pertains.
2. The information is not publicly available.
3. The information is not encrypted.
(c) "Publicly available information" means any information that an entity reasonably believes is one of the following:
1. Lawfully made widely available through any media.
2. Lawfully made available to the general public from federal, state, or local government records or disclosures to the general public that are required to be made by federal, state, or local law.
(2) Notice required. (a) If an entity whose principal place of business is located in this state or an entity that stores personal information in this state knows that personal information in the entity's possession has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each subject of the personal information. The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the subject of the personal information.
(b) If an entity whose principal place of business is not located in this state knows that personal information pertaining to a resident of this state has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each resident of this state who is the subject of the personal information. The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the resident of this state who is the subject of the personal information.
(cm) Notwithstanding pars. (a) and (b), an entity is not required to provide notice of the acquisition of personal information if any of the following apply:
1. The acquisition of personal information does not compromise the security, confidentiality, or integrity of personal information in the entity's possession.
2. The personal information was acquired in good faith by an employee or agent of the entity, if the personal information is used for a lawful purpose of the entity.
(3) Timing and manner of notice. (a) Subject to sub. (5), an entity shall provide the notice required under sub. (2) within a reasonable time, not to exceed 30 business days after the entity learns of the acquisition of personal information. A determination as to reasonableness under this paragraph shall include consideration of the number of notices that an entity must provide and the methods of communication available to the entity.
(b) An entity shall provide the notice required under sub. (2) by mail or by a method the entity has previously employed to communicate with the subject of the personal information. If an entity cannot with reasonable diligence determine the mailing address of the subject of the personal information, and if the entity has not previously communicated with the subject of the personal information, the entity shall provide notice by a method reasonably calculated to provide actual notice to the subject of the personal information.
(3m) Regulated entities exempt. This section does not apply to any of the following:
(a) An entity that is subject to, and in compliance with, the privacy and security requirements of 15 USC 6801 to 6827, or a person that has a contractual obligation to such an entity, if the entity or person has in effect a policy concerning breaches of information security.
(b) An entity that is described in 45 CFR 164.104 (a), if the entity complies with the requirements of 45 CFR part 164.
(4) Effect on civil claims. Failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.
(5) Request by law enforcement not to notify. A law enforcement agency may, in order to protect an investigation or homeland security, ask an entity not to provide a notice that is otherwise required under sub. (2) for any period of time and the notification process required under sub. (2) shall begin at the end of that time period. Notwithstanding subs. (2) and (3), if an entity receives such a request, the entity may not provide notice of or publicize an unauthorized acquisition of personal information, except as authorized by the law enforcement agency that made the request.
(6m) Local ordinances or regulations prohibited. No city, village, town, or county may enact or enforce an ordinance or regulation that relates to notice or disclosure of the unauthorized acquisition of personal information.
(7m) Effect of federal legislation. If the joint committee on administrative rules determines that the federal government has enacted legislation that imposes notice requirements substantially similar to the requirements of this section and determines that the legislation does not preempt this section, the joint committee on administrative rules shall submit to the revisor of statutes for publication in the Wisconsin administrative register a notice of its determination. This section does not apply after publication of a notice under this subsection.