134.93 Annotation
“Person" in this section is subject to the definition in s. 990.01 (26), which includes not only natural persons, but also partnerships, associations, and bodies corporate and politic. Industry to Industry, Inc. v. Hillsman Modular Molding, Inc.
2002 WI 51,
252 Wis. 2d 544,
644 N.W.2d 236,
00-2180.
134.95
134.95
Violations against elderly or disabled persons. 134.95(1)(a)
(a) “Disabled person" means a person who has an impairment of a physical, mental or emotional nature that substantially limits at least one major life activity.
134.95(1)(b)
(b) “Elderly person" means a person who is at least 62 years of age.
134.95(1)(c)
(c) “Major life activity" means self-care, walking, seeing, hearing, speaking, breathing, learning, performing manual tasks or being able to be gainfully employed.
134.95(2)
(2)
Supplemental forfeiture. If a fine or a forfeiture is imposed on a person for a violation under s.
100.171,
100.173,
100.174,
100.175,
100.177,
134.71,
134.72,
134.73, or
134.87 or ch.
136 or a rule promulgated under these sections or that chapter, the person shall be subject to a supplemental forfeiture not to exceed $10,000 for that violation if the conduct by the defendant, for which the fine or forfeiture was imposed, was perpetrated against an elderly person or disabled person and if any of the factors under s.
100.264 (2) (a),
(b), or
(c) is present.
134.96
134.96
Use of lodging establishments. 134.96(2)
(2) Any person who procures lodging in a lodging establishment and permits or fails to take action to prevent any of the following activities from occurring in the lodging establishment is subject to the penalties provided in sub.
(5):
134.96(2)(a)
(a) Consumption of an alcohol beverage by any underage person not accompanied by his or her parent, guardian or spouse who has attained the legal drinking age.
134.96(2)(b)
(b) Illegal use of a controlled substance or controlled substance analog.
134.96(3)
(3) An owner or employee of a lodging establishment may deny lodging to an adult if the owner or employee reasonably believes that consumption of an alcohol beverage by an underage person not accompanied by his or her parent, guardian or spouse who has attained the legal drinking age, or illegal use of a controlled substance or controlled substance analog, may occur in the area of the lodging establishment procured.
134.96(4)
(4) An owner or employee of a lodging establishment may require a cash deposit or use of a credit card at the time of application for lodging.
134.96(5)
(5) A person who violates sub.
(2) or a local ordinance which strictly conforms to sub.
(2) shall forfeit:
134.96(5)(a)
(a) Not more than $500 if the person has not committed a previous violation within 12 months of the violation; or
134.96(5)(b)
(b) Not less than $200 nor more than $500 if the person has committed a previous violation within 12 months of the violation.
134.96 History
History: 1989 a. 94;
1991 a. 295;
1995 a. 27,
448;
1999 a. 82;
2005 a. 155 s.
41; Stats. 2005 s. 134.96.
134.97
134.97
Disposal of records containing personal information. 134.97(1)(am)
(am) “Dispose" does not include a sale of a record or the transfer of a record for value.
134.97(1)(b)
(b) “Financial institution" means any bank, savings bank, savings and loan association or credit union that is authorized to do business under state or federal laws relating to financial institutions, any issuer of a credit card or any investment company.
134.97(1)(d)
(d) “Medical business" means any organization or enterprise operated for profit or not for profit, including a sole proprietorship, partnership, firm, business trust, joint venture, syndicate, corporation, limited liability company or association, that possesses information, other than personnel records, relating to a person's physical or mental health, medical history or medical treatment.
134.97(1)(e)
(e) “Personal information" means any of the following:
134.97(1)(e)1.
1. Personally identifiable data about an individual's medical condition, if the data are not generally considered to be public knowledge.
134.97(1)(e)2.
2. Personally identifiable data that contain an individual's account or customer number, account balance, balance owing, credit balance or credit limit, if the data relate to an individual's account or transaction with a financial institution.
134.97(1)(e)3.
3. Personally identifiable data provided by an individual to a financial institution upon opening an account or applying for a loan or credit.
134.97(1)(e)4.
4. Personally identifiable data about an individual's federal, state or local tax returns.
134.97(1)(f)
(f) “Personally identifiable" means capable of being associated with a particular individual through one or more identifiers or other information or circumstances.
134.97(1)(g)
(g) “Record" means any material on which written, drawn, printed, spoken, visual or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.
134.97(1)(h)
(h) “Tax preparation business" means any organization or enterprise operated for profit, including a sole proprietorship, partnership, firm, business trust, joint venture, syndicate, corporation, limited liability company or association, that for a fee prepares an individual's federal, state or local tax returns or counsels an individual regarding the individual's federal, state or local tax returns.
134.97(2)
(2)
Disposal of records containing personal information. A financial institution, medical business or tax preparation business may not dispose of a record containing personal information unless the financial institution, medical business, tax preparation business or other person under contract with the financial institution, medical business or tax preparation business does any of the following:
134.97(2)(a)
(a) Shreds the record before the disposal of the record.
134.97(2)(b)
(b) Erases the personal information contained in the record before the disposal of the record.
134.97(2)(c)
(c) Modifies the record to make the personal information unreadable before the disposal of the record.
134.97(2)(d)
(d) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the record for the period between the record's disposal and the record's destruction.
134.97(3)
(3)
Civil liability; disposal and use. 134.97(3)(a)
(a) A financial institution, medical business or tax preparation business is liable to a person whose personal information is disposed of in violation of sub.
(2) for the amount of damages resulting from the violation.
134.97(3)(b)
(b) Any person who, for any purpose, uses personal information contained in a record that was disposed of by a financial institution, medical business or tax preparation business is liable to an individual who is the subject of the information and to the financial institution, medical business or tax preparation business that disposed of the record for the amount of damages resulting from the person's use of the information. This paragraph does not apply to a person who uses personal information with the authorization or consent of the individual who is the subject of the information.
134.97(4)(a)
(a) A financial institution, medical business or tax preparation business that violates sub.
(2) may be required to forfeit not more than $1,000. Acts arising out of the same incident or occurrence shall be a single violation.
134.97(4)(b)
(b) Any person who possesses a record that was disposed of by a financial institution, medical business or tax preparation business and who intends to use, for any purpose, personal information contained in the record may be fined not more than $1,000 or imprisoned for not more than 90 days or both. This paragraph does not apply to a person who possesses a record with the authorization or consent of the individual whose personal information is contained in the record.
134.97 History
History: 1999 a. 9;
2005 a. 155 s.
52; Stats. 2005 s. 134.97.
134.97 Annotation
Disposing Medical, Financial Records. Franklin. Wis.Law. Dec. 1999.
134.98
134.98
Notice of unauthorized acquisition of personal information. 134.98(1)(a)1.1. “Entity" means a person, other than an individual, that does any of the following:
134.98(1)(a)1.a.
a. Conducts business in this state and maintains personal information in the ordinary course of business.
134.98(1)(a)2.a.
a. The state and any office, department, independent agency, authority, institution, association, society, or other body in state government created or authorized to be created by the constitution or any law, including the legislature and the courts.
134.98(1)(am)
(am) “Name" means an individual's last name combined with the individual's first name or first initial.
134.98(1)(b)
(b) “Personal information" means an individual's last name and the individual's first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:
134.98(1)(b)2.
2. The individual's driver's license number or state identification number.
134.98(1)(b)3.
3. The number of the individual's financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual's financial account.
134.98(1)(b)5.
5. The individual's unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
134.98(1)(c)
(c) “Publicly available information" means any information that an entity reasonably believes is one of the following:
134.98(1)(c)2.
2. Lawfully made available to the general public from federal, state, or local government records or disclosures to the general public that are required to be made by federal, state, or local law.
134.98(2)(a)(a) If an entity whose principal place of business is located in this state or an entity that maintains or licenses personal information in this state knows that personal information in the entity's possession has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each subject of the personal information. The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the subject of the personal information.
134.98(2)(b)
(b) If an entity whose principal place of business is not located in this state knows that personal information pertaining to a resident of this state has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each resident of this state who is the subject of the personal information. The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the resident of this state who is the subject of the personal information.
134.98(2)(bm)
(bm) If a person, other than an individual, that stores personal information pertaining to a resident of this state, but does not own or license the personal information, knows that the personal information has been acquired by a person whom the person storing the personal information has not authorized to acquire the personal information, and the person storing the personal information has not entered into a contract with the person that owns or licenses the personal information, the person storing the personal information shall notify the person that owns or licenses the personal information of the acquisition as soon as practicable.
134.98(2)(br)
(br) If, as the result of a single incident, an entity is required under par.
(a) or
(b) to notify 1,000 or more individuals that personal information pertaining to the individuals has been acquired, the entity shall without unreasonable delay notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in
15 USC 1681a(p), of the timing, distribution, and content of the notices sent to the individuals.
134.98(2)(cm)
(cm) Notwithstanding pars.
(a),
(b),
(bm), and
(br), an entity is not required to provide notice of the acquisition of personal information if any of the following applies:
134.98(2)(cm)1.
1. The acquisition of personal information does not create a material risk of identity theft or fraud to the subject of the personal information.
134.98(2)(cm)2.
2. The personal information was acquired in good faith by an employee or agent of the entity, if the personal information is used for a lawful purpose of the entity.
134.98(3)
(3)
Timing and manner of notice; other requirements. 134.98(3)(a)
(a) Subject to sub.
(5), an entity shall provide the notice required under sub.
(2) within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information. A determination as to reasonableness under this paragraph shall include consideration of the number of notices that an entity must provide and the methods of communication available to the entity.
134.98(3)(b)
(b) An entity shall provide the notice required under sub.
(2) by mail or by a method the entity has previously employed to communicate with the subject of the personal information. If an entity cannot with reasonable diligence determine the mailing address of the subject of the personal information, and if the entity has not previously communicated with the subject of the personal information, the entity shall provide notice by a method reasonably calculated to provide actual notice to the subject of the personal information.
134.98(3)(c)
(c) Upon written request by a person who has received a notice under sub.
(2) (a) or
(b), the entity that provided the notice shall identify the personal information that was acquired.
134.98(3m)
(3m)
Regulated entities exempt. This section does not apply to any of the following:
134.98(3m)(a)
(a) An entity that is subject to, and in compliance with, the privacy and security requirements of
15 USC 6801 to
6827, or a person that has a contractual obligation to such an entity, if the entity or person has in effect a policy concerning breaches of information security.