The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice.
Wisconsin
Data Breach Notification Statute
Highlights
Covered Entities: "Entity" means a person, other than an individual, that does any of the following: (a) conducts business in this state and maintains personal information in the ordinary course of business; (b) licenses personal information in this state; (c) maintains for a resident of this state a depository account; or (d) lends money to a resident of this state. Entities additionally include the state and any office, department, independent agency, city, village, town, county, or other body in state government.
Consumer Notification: The entity shall provide consumer notice within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information.
Regulatory Notification: Insurance Data Security Law requires licensees to notify the commissioner no later than three (3) business days from the determination of a cybersecurity incident.
Notification Timeline: Consumer notification within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information. No regulatory timeline.
Data Format: Paper or Electronic.
Citations: Wis. Stat. § 134.98
More Details
Definitions:
- Breach: Unauthorized acquisition of personal information.
- Personal information (PI):
  - An individual's last name and the individual's first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:
    - Social Security number;
    - Driver's license number or state identification number;
    - Financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual's financial account;
    - DNA profile; or
    - Unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
  - Medical Information: N/A
  - Health Insurance Information: N/A
Safe Harbors:
- Encryption: Information that is encrypted, redacted, or altered in a manner that renders the element unreadable does not constitute personal information.
- Good Faith: An entity is not required to provide notice of the acquisition of personal information if the personal information was acquired in good faith by an employee or agent of the entity, if the personal information is used for a lawful purpose of the entity.
- Risk of Harm: An entity is not required to provide notice of the acquisition of personal information if the acquisition of personal information does not create a material risk of identity theft or fraud to the subject of the personal information.
- Law Enforcement Delay: A law enforcement agency may, in order to protect an investigation or homeland security, ask an entity not to provide a notice for any period of time and the notification process required shall begin at the end of that time period. If an entity receives such a request, the entity may not provide notice of or publicize an unauthorized acquisition of personal information, except as authorized by the law enforcement agency that made the request.
Direct Notice:
- Timing: The entity shall provide the notice within a reasonable time, not to exceed 45 days after the entity learns of the acquisition of personal information. A determination as to reasonableness shall include consideration of the number of notices that an entity must provide and the methods of communication available to the entity.
- Format: N/A
- Content: The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the subject of the personal information. Upon written request by a person who has received a notice, the entity that provided the notice shall identify the personal information that was acquired.
- Method: An entity shall provide the notice by mail or by a method the entity has previously employed to communicate with the subject of the personal information.
Substitute Notice:
If an entity cannot with reasonable diligence determine the mailing address of the subject of the personal information, and if the entity has not previously communicated with the subject of the personal information, the entity shall provide notice by a method reasonably calculated to provide actual notice to the subject of the personal information.
Remediation Services:
N/A
Regulatory Notice:
Insurance Data Security Law requires licensees to notify the commissioner no later than three business days from the determination of a cybersecurity incident.
Credit Reporting Agencies Notice:
If, as the result of a single incident, an entity is required to notify 1,000 or more individuals that personal information pertaining to the individuals has been acquired, the entity shall without unreasonable delay notify all consumer reporting agencies of the timing, distribution, and content of the notices sent to the individuals.
Third-Party Notice:
If an entity that stores personal information pertaining to a resident of this state, but does not own or license the personal information, knows that the personal information has been acquired by a person whom the entity storing the personal information has not authorized to acquire the personal information, the entity storing the personal information shall notify the person that owns or licenses the personal information of the acquisition as soon as practicable.
HIPAA:
This section does not apply to an entity that is described in 45 CFR 164.104(a), if the entity complies with the requirements of 45 CFR part 164 (HIPAA).
Private Action:
Failure to comply with this section is not negligence or a breach of any duty but may be evidence of negligence or a breach of a legal duty. No private right of action.
Associated Regulations:
- Insurance Data Security (Wis. Stat. §§ 601.95, 601.951 to 601.956).
Insurance Data Security Statute
Highlights
Covered Entities: Any entity licensed, authorized, or registered, or an entity required to be licensed, authorized, or registered, under chs. 600 to 655. Wis. Stat. § 601.95(7). Risk retention groups chartered and licensed in another state and insurers acting as an assuming insurer domiciled in another state are exempt from the definition of licensee. It should also be noted that while the law generally applies to all licensees, certain requirements are limited to licensees domiciled in Wisconsin.
Security Standard: A licensee must conduct a risk assessment and based on the risk assessment, develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards to protect the licensee’s information systems and nonpublic information. In addition, the notice must occur within a reasonable time, not to exceed 45 days after the licensee learns of the acquisition of nonpublic information. A determination as to reasonableness includes consideration of the number of notices that the licensee must provide and the methods of communication available to the licensee.
Consumer Notification: If a licensee knows that nonpublic information of a consumer in the licensee's possession has been acquired by a person whom the licensee has not authorized to acquire the nonpublic information, the licensee must make reasonable efforts to notify each consumer who is the subject of the nonpublic information.
Regulatory Notification: A licensee shall notify the Commissioner of Insurance as promptly as possible, but in no event later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.
Notification Timeline: As promptly as possible, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.
Citations: Wis. Stat. §§ 601.95, 601.951 to 601.956
More Details
Definitions:
- Consumer: An individual who is a resident of Wisconsin and whose nonpublic information is in the possession, custody, or control of a licensee.
- Cybersecurity Event: An event resulting in unauthorized access to, disruption, or misuse of an information system or nonpublic information stored on an information system, except that a "cybersecurity event" does not include any of the following:
  - The unauthorized acquisition of encrypted nonpublic information if the encryption process or key is not also acquired, released, or used without authorization.
  - The unauthorized acquisition of nonpublic information if the licensee determines that the nonpublic information has not been used or released and has been returned to the licensee or destroyed.
- Licensee: Any entity licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered under Wisconsin insurance laws.
- Nonpublic Information: Electronic information in the possession, custody, or control of a licensee that is not publicly available information and is any of the following:
  - Information concerning a consumer that can be used to identify the consumer, in combination with at least one (1) of the following data elements:
    - Social Security number;
    - Driver's license number or nondriver identification card number;
    - Financial account number or credit or debit card number;
    - Security code, access code, or password that would permit access to a consumer's financial account; or
    - Biometric records.
  - Information or data, other than information or data regarding age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify the consumer and that relates to any of the following:
    - The physical, mental, or behavioral health or condition of the consumer or a member of the consumer's family.
    - The provision of health care to the consumer.
    - Payment for the provision of health care to the consumer.
Regulatory Notice:
A licensee shall notify the Commissioner of Insurance as promptly as possible, no later than 3 business days from a determination that a cybersecurity event involving nonpublic information has occurred, when either of the following criteria has been met:
- The licensee is domiciled in Wisconsin and the cybersecurity event has a reasonable likelihood of materially harming a consumer or a material part of the normal operations of the licensee.
- The licensee reasonably believes that the cybersecurity event involves the nonpublic information of at least 250 consumers residing in Wisconsin and:
  - Notice is required to be provided to a government body, self-regulatory agency, or other supervisory entity under state or federal law.
  - There is a reasonable likelihood of materially harming a consumer or a material part of the normal operations of the licensee.
Content Requirements:
When notifying the Commissioner of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:
- The date and source of the cybersecurity event and the time period during which information systems were compromised by the cybersecurity event.
- A description of how the cybersecurity event was discovered.
- A description of how the nonpublic information was exposed, lost, stolen, or breached and an explanation of how the information has been, or is in the process of being, recovered.
- A description of the specific data elements, including types of medical, financial, and personally identifiable information, that were acquired without authorization.
- The number of consumers affected by the cybersecurity event.
- A description of efforts to address the circumstances that allowed the cybersecurity event to occur.
- The results of any internal review related to the cybersecurity event, including the identification of a lapse in automated controls or internal procedures.
- Whether the licensee notified a government body, self-regulatory agency, or other supervisory entity of the cybersecurity event and, if applicable, the date the notification was provided.
- A copy of the licensee’s privacy policy and a statement outlining the steps the licensee will take, or has taken, to investigate and notify consumers affected by the cybersecurity event.
- The name of a contact person who is familiar with the cybersecurity event and authorized to act for the licensee.
The licensee is required to update and supplement the information provided to address material changes to the information as additional information becomes available.
Third-Party Notice Requirements:
If a licensee discovers that a cybersecurity event has occurred in a system maintained by a third-party service provider, the licensee shall provide notice to the commissioner no later than 3 days after the earlier of the date the third-party service provider notifies the licensee of the cybersecurity event or the date the licensee has actual knowledge of the cybersecurity event. The licensee is not required to comply with this subsection if the third-party service provider provides notice under sub.
Penalties:
The Insurance Commissioner may investigate licensees to determine whether the licensee has engaged in any violations and take any action that is necessary or appropriate to enforce the requirements under this statute.
Associated Regulations:
N/A