LRB-2214/1
CTS:cmh&jld:jf
2005 - 2006 LEGISLATURE
April 8, 2005 - Introduced by Senators Kanavas, Stepp, A. Lasee, Darling, Kedzie
and Olsen, cosponsored by Representatives J. Fitzgerald, Gundrum, Davis,
Nischke, Loeffelholz, Jensen, Bies, Hines, Ott, Vrakas, Ballweg, Kleefisch,
Owens, Freese, Hundertmark, McCormick
and Cullen.
SB164,1,2 1An Act to create 895.507 of the statutes; relating to: notice regarding
2unauthorized acquisition of personal information.
Analysis by the Legislative Reference Bureau
This bill requires an entity that possesses certain personal information about
an individual to notify the individual when the information is accessed by a person
who the entity has not authorized to do so (unauthorized access). The bill's notice
requirements apply to entities, including the state and local governments, that do
any of the following: conduct business in Wisconsin and maintain personal
information in the ordinary course of business; store personal information in this
state; maintain a depository account for a Wisconsin resident; or lend money to a
Wisconsin resident.
Under the bill, personal information includes any of the following information
about an individual, if accompanied by the name of the individual to whom the
information pertains: electronic mail address; driver's license number; social
security number; employer or place of employment; mother's maiden name;
depository account number and certain other financial information;
deoxyribonucleic acid (DNA) profile; and any other information about an individual
that can be associated with an individual through identifiers or other information.
Personal information does not include information that is lawfully available to the
public.
As to an entity whose principal place of business is located in Wisconsin or that
stores personal information in Wisconsin, if the entity knows or has reason to know
of an unauthorized access, the bill requires the entity to make reasonable efforts to

notify the individual that is the subject of the personal information (subject) that the
individual's personal information has been accessed. As to an entity whose principal
place of business is not located in Wisconsin, if the entity knows or has reason to know
of an unauthorized access involving information pertaining to a Wisconsin resident,
the bill requires the entity to make reasonable efforts to notify the subject.
An entity required to notify a subject must, within 15 business days after
learning of the unauthorized access, inform the subject that the entity knows of the
unauthorized use of personal information pertaining to the subject. The entity must
deliver the notice by mail or by another method the entity has previously used to
communicate with the subject. If the entity cannot reasonably determine the
subject's mailing address, the entity may notify the subject by another means
reasonably calculated to provide actual notice to the subject. Under the bill, if a law
enforcement agency requests an entity to delay a required notice for any period of
time, the entity must begin the notification process after the requested delay period.
The bill provides that compliance with the bill's requirements is not a defense
to civil claims. A failure to comply is not negligence or a breach of a legal duty, but
may be evidence of negligence or a breach of a legal duty.
For further information see the state and local fiscal estimate, which will be
printed as an appendix to this bill.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
SB164, s. 1 1Section 1. 895.507 of the statutes is created to read:
SB164,2,3 2895.507 Notice of unauthorized use of personal identifying
3information.
(1) Definitions. In this section:
SB164,2,54 (a) 1. "Entity" means a person, other than an individual, that does any of the
5following:
SB164,2,76 a. Conducts business in this state and maintains personal information in the
7ordinary course of business.
SB164,2,88 b. Stores personal information in this state.
SB164,2,109 c. Maintains for a resident of this state a depository account as defined in s.
10815.18 (2) (e).
SB164,2,1111 d. Lends money to a resident of this state.
SB164,2,1212 2. "Entity" includes all of the following:
SB164,3,4
1a. The state and any office, department, independent agency, authority,
2institution, association, society, or other body in state government created or
3authorized to be created by the constitution or any law, including the legislature and
4the courts.
SB164,3,55 b. A city, village, town, or county.
SB164,3,86 (b) Except as provided in par. (c), "personal information" means any of the
7following information, if the information is accompanied by the name of the
8individual to whom the information pertains and is not publicly available:
SB164,3,99 1. An individual's electronic mail address.
SB164,3,1010 2. Any of the information specified in s. 943.201 (1) (b) 4. to 15.
SB164,3,1211 (c) "Publicly available information" means any information that an entity
12reasonably believes is one of the following:
SB164,3,1313 1. Information that is lawfully made widely available through any media.
SB164,3,1614 2. Information that is lawfully made available to the general public from
15federal, state, or local government records or disclosures to the general public that
16are required to be made by federal, state, or local law.
SB164,3,23 17(2) Notice required. (a) If an entity whose principal place of business is
18located in this state or an entity that stores personal information in this state knows
19that personal information in the entity's possession has been obtained by a person
20whom the entity has not authorized to obtain the personal information, the entity
21shall make reasonable efforts to notify each individual who is the subject of the
22personal information. The notice shall indicate that the entity knows of the
23unauthorized use of personal information pertaining to the individual.
SB164,4,524 (b) If an entity whose principal place of business is not located in this state
25knows that personal information pertaining to a resident of this state has been

1obtained by a person whom the entity has not authorized to obtain the personal
2information, the entity shall make reasonable efforts to notify each resident of this
3state who is the subject of the personal information. The notice shall indicate that
4the entity knows of the unauthorized use of personal information pertaining to the
5individual.
SB164,4,11 6(3) Timing and manner of notice. (a) Subject to sub. (5), an entity shall provide
7the notice required under sub. (2) within a reasonable time, not to exceed 15 business
8days after the entity learns of the acquisition of personal information. A
9determination as to reasonableness under this paragraph shall include
10consideration of the number of notices that an entity must provide and the methods
11of communication available to the entity.
SB164,4,1812 (b) An entity shall provide the notice required under sub. (2) by mail or by a
13method the entity has previously employed to communicate with the subject of the
14personal information. If an entity cannot with reasonable diligence determine the
15mailing address of the subject of the personal information, and if the entity has not
16previously communicated with the subject of the personal information, the entity
17shall provide notice by a method reasonably calculated to provide actual notice to the
18subject of the personal information.
SB164,4,22 19(4) Effect on civil claims. Compliance with this section is not a defense to a
20claim in a civil action or proceeding. Failure to comply with this section is not
21negligence or a breach of any duty, but may be evidence of negligence or a breach of
22a legal duty.
SB164,5,2 23(5) Request by law enforcement not to notify. If a law enforcement agency
24asks an entity not to provide a notice that is otherwise required under sub. (2) for any

1period of time, the notification process required under sub. (2) shall begin at the end
2of that time period.
SB164,5,33 (End)
Loading...
Loading...