Wisconsin Statutes §
Type of Data Covered: Any personal information.
Is Breach Defined?
The definitions section lacks a definition of "breach," but it defines the violation as an unauthorized access or acquisition of "personal information," which is defined as follows:
(b) “Personal information” means an individual’s last name and the individual’s first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:
1. The individual’s social security number.
2. The individual’s driver’s license number or state identification number.
3. The number of the individual’s financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual’s financial account.
4. The individual’s deoxyribonucleic acid profile, as defined in s. 939.74 (2d) (a).
5. The individual’s unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
When is notice required?
Notice is required for any affected resident "within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information." Notice "should be by mail or by a method the entity has previously employed to communicate with..." the resident. Substitute notice procedures may be used if the contact information cannot be found for a resident. Upon written request, the entity must disclose the personal information that was compromised, and the initial notice must indicate that the entity knows of the unauthorized access of personal records. If over 1,000 residents are affected, then credit reporting agencies must be notified as well.
What are the penalties for non-compliance?
Civil claims are addressed in § 134.98(4), which reads as follows:
"(4) Effect on civil claims. Failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty."
It is worth highlighting that § 134.97 discusses standards for records disposal and imposes penalties on certain entities that violate the standards therein.