134.97(1)(c) “Investment company” has the meaning given in s. 180.0103 (11e).
134.97(1)(d) “Medical business” means any organization or enterprise operated for profit or not for profit, including a sole proprietorship, partnership, firm, business trust, joint venture, syndicate, corporation, limited liability company or association, that possesses information, other than personnel records, relating to a person’s physical or mental health, medical history or medical treatment.
134.97(1)(e) “Personal information” means any of the following:
134.97(1)(e)1. Personally identifiable data about an individual’s medical condition, if the data are not generally considered to be public knowledge.
134.97(1)(e)2. Personally identifiable data that contain an individual’s account or customer number, account balance, balance owing, credit balance or credit limit, if the data relate to an individual’s account or transaction with a financial institution.
134.97(1)(e)3. Personally identifiable data provided by an individual to a financial institution upon opening an account or applying for a loan or credit.
134.97(1)(e)4. Personally identifiable data about an individual’s federal, state or local tax returns.
134.97(1)(f) “Personally identifiable” means capable of being associated with a particular individual through one or more identifiers or other information or circumstances.
134.97(1)(g) “Record” means any material on which written, drawn, printed, spoken, visual or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.
134.97(1)(h) “Tax preparation business” means any organization or enterprise operated for profit, including a sole proprietorship, partnership, firm, business trust, joint venture, syndicate, corporation, limited liability company or association, that for a fee prepares an individual’s federal, state or local tax returns or counsels an individual regarding the individual’s federal, state or local tax returns.
134.97(2) Disposal of records containing personal information. A financial institution, medical business or tax preparation business may not dispose of a record containing personal information unless the financial institution, medical business, tax preparation business or other person under contract with the financial institution, medical business or tax preparation business does any of the following:
134.97(2)(a) Shreds the record before the disposal of the record.
134.97(2)(b) Erases the personal information contained in the record before the disposal of the record.
134.97(2)(c) Modifies the record to make the personal information unreadable before the disposal of the record.
134.97(2)(d) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the record for the period between the record’s disposal and the record’s destruction.
134.97(3) Civil liability; disposal and use.
134.97(3)(a) A financial institution, medical business or tax preparation business is liable to a person whose personal information is disposed of in violation of sub. (2) for the amount of damages resulting from the violation.
134.97(3)(b) Any person who, for any purpose, uses personal information contained in a record that was disposed of by a financial institution, medical business or tax preparation business is liable to an individual who is the subject of the information and to the financial institution, medical business or tax preparation business that disposed of the record for the amount of damages resulting from the person’s use of the information. This paragraph does not apply to a person who uses personal information with the authorization or consent of the individual who is the subject of the information.
134.97(4) Penalties; disposal and use.
134.97(4)(a) A financial institution, medical business or tax preparation business that violates sub. (2) may be required to forfeit not more than $1,000. Acts arising out of the same incident or occurrence shall be a single violation.
134.97(4)(b) Any person who possesses a record that was disposed of by a financial institution, medical business or tax preparation business and who intends to use, for any purpose, personal information contained in the record may be fined not more than $1,000 or imprisoned for not more than 90 days or both. This paragraph does not apply to a person who possesses a record with the authorization or consent of the individual whose personal information is contained in the record.
134.97 History: 1999 a. 9; 2005 a. 155 s. 52; Stats. 2005 s. 134.97.
134.97 Annotation: Legislative Watch: Disposing Medical, Financial Records. Franklin. Wis. Law. Dec. 1999.
134.98 Notice of unauthorized acquisition of personal information.
134.98(1) Definitions. In this section:
134.98(1)(a)1. “Entity” means a person, other than an individual, that does any of the following:
134.98(1)(a)1.a. Conducts business in this state and maintains personal information in the ordinary course of business.
134.98(1)(a)1.b. Licenses personal information in this state.
134.98(1)(a)1.c. Maintains for a resident of this state a depository account as defined in s. 815.18 (2) (e).
134.98(1)(a)1.d. Lends money to a resident of this state.
134.98(1)(a)2. “Entity” includes all of the following:
134.98(1)(a)2.a. The state and any office, department, independent agency, authority, institution, association, society, or other body in state government created or authorized to be created by the constitution or any law, including the legislature and the courts.
134.98(1)(a)2.b. A city, village, town, or county.
134.98(1)(am) “Name” means an individual’s last name combined with the individual’s first name or first initial.
134.98(1)(b) “Personal information” means an individual’s last name and the individual’s first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:
134.98(1)(b)1. The individual’s social security number.
134.98(1)(b)2. The individual’s driver’s license number or state identification number.
134.98(1)(b)3. The number of the individual’s financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual’s financial account.
134.98(1)(b)4. The individual’s deoxyribonucleic acid profile, as defined in s. 939.74 (2d) (a).
134.98(1)(b)5. The individual’s unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
134.98(1)(c) “Publicly available information” means any information that an entity reasonably believes is one of the following:
134.98(1)(c)1. Lawfully made widely available through any media.
134.98(1)(c)2. Lawfully made available to the general public from federal, state, or local government records or disclosures to the general public that are required to be made by federal, state, or local law.
134.98(2) Notice required.
134.98(2)(a) If an entity whose principal place of business is located in this state or an entity that maintains or licenses personal information in this state knows that personal information in the entity’s possession has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each subject of the personal information. The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the subject of the personal information.
134.98(2)(b) If an entity whose principal place of business is not located in this state knows that personal information pertaining to a resident of this state has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each resident of this state who is the subject of the personal information. The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the resident of this state who is the subject of the personal information.
134.98(2)(bm) If a person, other than an individual, that stores personal information pertaining to a resident of this state, but does not own or license the personal information, knows that the personal information has been acquired by a person whom the person storing the personal information has not authorized to acquire the personal information, and the person storing the personal information has not entered into a contract with the person that owns or licenses the personal information, the person storing the personal information shall notify the person that owns or licenses the personal information of the acquisition as soon as practicable.
134.98(2)(br) If, as the result of a single incident, an entity is required under par. (a) or (b) to notify 1,000 or more individuals that personal information pertaining to the individuals has been acquired, the entity shall without unreasonable delay notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC 1681a(p), of the timing, distribution, and content of the notices sent to the individuals.
134.98(2)(cm) Notwithstanding pars. (a), (b), (bm), and (br), an entity is not required to provide notice of the acquisition of personal information if any of the following applies:
134.98(2)(cm)1. The acquisition of personal information does not create a material risk of identity theft or fraud to the subject of the personal information.
134.98(2)(cm)2. The personal information was acquired in good faith by an employee or agent of the entity, if the personal information is used for a lawful purpose of the entity.
134.98(3) Timing and manner of notice; other requirements.
134.98(3)(a) Subject to sub. (5), an entity shall provide the notice required under sub. (2) within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information. A determination as to reasonableness under this paragraph shall include consideration of the number of notices that an entity must provide and the methods of communication available to the entity.
134.98(3)(b) An entity shall provide the notice required under sub. (2) by mail or by a method the entity has previously employed to communicate with the subject of the personal information. If an entity cannot with reasonable diligence determine the mailing address of the subject of the personal information, and if the entity has not previously communicated with the subject of the personal information, the entity shall provide notice by a method reasonably calculated to provide actual notice to the subject of the personal information.
134.98(3)(c) Upon written request by a person who has received a notice under sub. (2) (a) or (b), the entity that provided the notice shall identify the personal information that was acquired.
134.98(3m) Regulated entities exempt. This section does not apply to any of the following:
134.98(3m)(a) An entity that is subject to, and in compliance with, the privacy and security requirements of 15 USC 6801 to 6827, or a person that has a contractual obligation to such an entity, if the entity or person has in effect a policy concerning breaches of information security.
134.98(3m)(b) An entity that is described in 45 CFR 164.104 (a), if the entity complies with the requirements of 45 CFR part 164.
134.98(4) Effect on civil claims. Failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.
134.98(5) Request by law enforcement not to notify. A law enforcement agency may, in order to protect an investigation or homeland security, ask an entity not to provide a notice that is otherwise required under sub. (2) for any period of time and the notification process required under sub. (2) shall begin at the end of that time period. Notwithstanding subs. (2) and (3), if an entity receives such a request, the entity may not provide notice of or publicize an unauthorized acquisition of personal information, except as authorized by the law enforcement agency that made the request.
134.98(6m) Local ordinances or regulations prohibited. No city, village, town, or county may enact or enforce an ordinance or regulation that relates to notice or disclosure of the unauthorized acquisition of personal information.
134.98(7m) Effect of federal legislation. If the joint committee on administrative rules determines that the federal government has enacted legislation that imposes notice requirements substantially similar to the requirements of this section and determines that the legislation does not preempt this section, the joint committee on administrative rules shall submit to the legislative reference bureau for publication in the Wisconsin administrative register a notice of its determination. This section does not apply after publication of a notice under this subsection.
134.98 History: 2005 a. 138; 2007 a. 20; 2007 a. 97 s. 238.
134.98 Annotation: This section does not create a private right of action. Fox v. Iowa Health System, 399 F. Supp. 3d 780 (2019).
134.99 Parties to a violation.
134.99(1) Whoever is concerned in the commission of a violation of this chapter for which a forfeiture is imposed is a principal and may be charged with and convicted of the violation although he or she did not directly commit it and although the person who directly committed it has not been convicted of the violation.
134.99(2) A person is concerned in the commission of the violation if the person:
134.99(2)(a) Directly commits the violation;
134.99(2)(b) Aids and abets the commission of it; or
134.99(2)(c) Is a party to a conspiracy with another to commit it or advises, hires or counsels or otherwise procures another to commit it.
134.99 History: 1975 c. 365; 1979 c. 62; 1997 a. 111.
2023-24 Wisconsin Statutes updated through all Supreme Court and Controlled Substances Board Orders filed before and in effect on January 1, 2025. Published and certified under s. 35.18. Changes effective after January 1, 2025, are designated by NOTES. (Published 1-1-25)