Wisconsin - Sectoral Privacy Overview
1.1. Constitutional right to privacy
The Wisconsin Constitution recognises an individual's right to privacy under Section 11, which states, 'The right of people to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures shall not be violated; and no warrant shall issue but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized.'
1.2. Common law right to privacy
The Wisconsin Supreme Court has also recognised a limited right of privacy under common law. Specifically, Wisconsin has recognised the tort of misappropriation of one's name and likeness under common law but has declined to recognise other types of privacy rights under common law (see Hirsch v. S.C. Johnson & Son, Inc., 90 Wis.2d 379 (1979)).
Wisconsin has codified the traditional common law invasion of privacy torts at §995.50 of Chapter 995 of the Wisconsin Statutes ('Wis. Stat.'). The statute specifically states that '[t]he right of privacy recognised in this section shall be interpreted in accordance with the developing common law of privacy, including defences of absolute and qualified privilege, with due regard for maintaining freedom of communication, privately and through the public media' (Wis. Stat. §995.50(3)).
For more on Wis. Stat. §995.50, see section on statutory right to privacy below.
Wisconsin has enacted several laws designed to safeguard personal information and the individual right to privacy. In the last three years, lawmakers have proposed several pieces of legislation aimed at strengthening privacy rights for Wisconsin residents and consumers. For example, in February 2020, three separate bills (Assembly Bill 870, Assembly Bill 871, and Assembly Bill 872) together comprised the Wisconsin Data Privacy Act ('WDPA'). The WDPA was based upon the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and was designed to give consumers significant rights over data collected by companies, both online and through other methods. However, the WDPA failed to make any progress as it was never put up for a vote. Likewise, in 2021 and 2022, multiple bills were introduced related to consumer data protection, including Assembly Bill 957, Assembly Bill 807, and Senate Bill 779. However, all of these bills died before coming to a vote.
2.1. Statutory right to privacy
Wis. Stat. §995.50 recognises an individual's right to privacy in Wisconsin. 'Invasion of privacy' means any of the following actions (Wis. Stat. §995.50(2)(am)):
- Intrusion upon the privacy of another of a nature highly offensive to a reasonable person in a place that a reasonable person would consider private, or in a manner that is actionable for trespass.
- The use, for advertising purposes or for purposes of trade, of the name, portrait, or picture of any living person, without having first obtained the written consent of the person or, if the person is a minor, of their parent or guardian.
- Publicity given to a matter concerning the private life of another, of a kind highly offensive to a reasonable person, if the defendant has acted either unreasonably or recklessly as to whether there was a legitimate public interest in the matter involved, or with actual knowledge that none existed. It is not an invasion of privacy to communicate any information available to the public as a matter of public record.
- Unauthorised capture, reproduction, possession, or distribution of an 'intimate representation' of a person under circumstances in which the person has a reasonable expectation of privacy. 'Intimate representation' means a representation of a nude or partially nude person; a representation of clothed, covered, or partially clothed or covered genitalia or buttock that is not otherwise visible to the public; a representation of a person urinating, defecating, or using a feminine hygiene product; or a representation of a person engaged in sexual intercourse or sexual contact. Such actions are crimes under Wis. Stat. §942.09 and are also subject to a private right of action under Wis. Stat. §995.50.
Similarly, Wis. Stat. §942.08 makes it a Class I felony to knowingly install or use 'any device, instrument, mechanism, or contrivance to intentionally view, broadcast, or record under the outer clothing of an individual that individual's genitals, pubic area, breast, or buttocks, including genitals, pubic area, breasts, or buttocks that are covered by undergarments, or to intentionally view, broadcast, or record a body part of an individual that is not otherwise visible, without that individual's consent[.]'
Invasion of privacy does not include the use of a surveillance device used in connection with real estate sales.
The right of privacy recognised under Wis. Stat. §995.50 is to be interpreted in accordance with the developing common law of privacy, including the defences of absolute and qualified privilege, with due regard for maintaining freedom of communication privately and through the public media. Wis. Stat. §995.50 was modelled after New York's privacy statute, under Article 5, Chapter 6, on Civil Rights of the Consolidated Laws of New York, and duplicates much of that statute's text. As such, case law under the New York privacy statute may be particularly useful when interpreting the Wisconsin Statute (see Bogie v. Rosenberg, 705 F.3d 603, 610 (2013)).
The statute provides significant potential relief, including equitable relief, compensatory damages, and reasonable attorneys' fees. While compensatory damages are not limited to pecuniary losses, they will not be presumed in the absence of proof.
The statute also provides significant relief if actions are brought in bad faith or without basis. If a court enters judgment in favour of the defendant in an action for invasion of privacy, the court must determine whether the claim was frivolous. An action is deemed frivolous if:
- the action was commenced in bad faith or for harassment purposes; or
- the action is devoid of arguable basis in law or equity.
If an action is found to be frivolous, the court will award the defendant reasonable fees and costs, including attorneys' fees, relating to the action.
2.2. Crimes against reputation, privacy and civil liberties
In Wisconsin, several activities that constitute violations of privacy rights are classified as criminal acts. For example, §942.01 et seq. of Chapter 942 of the Wis. Stat. enumerates eight actions that constitute criminal acts relating to privacy rights:
- giving false information for publication;
- opening letters without consent of addressee;
- use of polygraphs and similar tests without prior informed and written consent;
- use or requirements for genetic tests;
- invasion of privacy relating to a nude or partially nude person;
- representations depicting nudity without consent; and
- use of a drone with the intent to photograph, record or observe another in a place the person has a reasonable expectation of privacy.
In addition, §943.01 et seq. of Chapter 943 of the Wis. Stat. makes the following a crime:
- unauthorised use of an individual's personal identifying information or documents (Wis. Stat. §943.201);
- unauthorised use or possession of a credit card scanner (Wis. Stat. §943.202);
- unauthorised use of an entity's identifying information or documents (Wis. Stat. §943.203);
- theft of mail (Wis. Stat. §943.204);
- theft of trade secrets (Wis. Stat. §943.205);
- recording performance without consent (Wis. Stat. §943.208); and
- threats to communicate derogatory or humiliating information (Wis. Stat. §943.31).
Below are some of the key Wisconsin laws related to the privacy and confidentiality of patient health information found in §146.001 et seq. of Chapter 146 of the Wis. Stat., but this list is not exhaustive of the state's privacy laws related to health data. Additional laws can be found, for example, in §46.001 et seq. of Chapter 46 of the Wis. Stat., §51.001 et seq. of Chapter 51 of the Wis. Stat., and §252.01 et seq. of Chapter 252 of the Wis. Stat. Likewise, in 2021 the Wisconsin Legislature passed additional data security laws for insurance companies that also touch on the protection of patient health information (see section on Insurance data security law below).
3.1. Confidentiality of patient health care records
Under Wisconsin law, '[a]ll patient health care records shall remain confidential. Patient health care records may be released only to the persons designated [by law] or to other persons with the informed consent of the patient or of a person authorised by the patient' (Wis. Stat. §146.82(1)).
'Patient health care records' include 'all records related to the health of a patient prepared by or under the supervision of a health care provider [...] [and] includes billing statements and invoices for treatment or services provided by a health care provider' (Wis. Stat. §146.81(4)).
'Informed consent' is defined as 'written consent to the disclosure of information from patient health care records to an individual, agency or organisation' (Wis. Stat. §146.81(2)). Furthermore, the written consent must include the following information (Wis. Stat. §146.81(2)):
- the name of the patient whose record is being disclosed;
- the type of information to be disclosed;
- the types of health care providers making the disclosure;
- the purpose of the disclosure such as whether the disclosure is for further medical care, for an application for insurance, to obtain payment of an insurance claim, for a disability determination, for a vocational rehabilitation evaluation, for a legal investigation or for other specified purposes;
- the individual, agency or organisation to which disclosure may be made;
- the signature of the patient or the person authorised by the patient and, if signed by a person authorised by the patient, the relationship of that person to the patient or the authority of the person;
- the date on which the consent is signed; and
- the period during which the consent is effective.
3.2. Access to patient health care records
Patients are entitled to inspect their own health care records upon reasonable notice (Wis. Stat. §146.83(1c)). Specifically, the law states that any patient or person authorised by the patient may, upon submitting a statement of informed consent, inspect the health care records of a health care provider pertaining to that patient at any time during regular business hours, upon reasonable notice (Wis. Stat. §146.83(1c)). A patient, a patient's authorised representative, or a patient's health care provider, with informed consent, may request copies of the patient's health care record and may be charged a reasonable fee for such copies (Wis. Stat. §146.83(3f)).
3.3. Preservation or destruction of patient health care records
Pursuant to Wis. Stat. §146.819(1), before a health care provider may cease its business or practice, it must take one of three actions for all patient health care records in its possession:
- provide for the maintenance of the patient health care records by a person who states, in writing, that the records will be maintained in compliance with the law;
- provide for the deletion or destruction of the patient health care records; or
- provide for the maintenance of some of the patient health care records and for the deletion or destruction of the remainder.
Before taking any of the above actions, the health care provider must give written notice to each patient or each patient's authorised representative (Wis. Stat. §146.819(2) and (3)).
3.4. Prohibitions and violations related to patient health care records
Wisconsin law prohibits individuals from taking any of the following actions related to patient health care records (Wis. Stat. §146.83(4)):
- intentionally falsifying a patient health care record;
- concealing or withholding a patient health care record with intent to prevent or obstruct an investigation or prosecution or with intent to prevent its release to the patient, to their guardian, to their health care provider with a statement of informed consent, or under the conditions specified in Wis. Stat. §146.82(2), or to a person with a statement of informed consent; and
- intentionally destroying or damaging records in order to prevent or obstruct an investigation or prosecution.
Additionally, with limited exceptions, any person who violates the laws governing confidentiality of or access to patient health records may be liable for damages (Wis. Stat. §146.84(1)). For example, a person who knowingly and wilfully violates these laws 'shall be liable to any person injured as a result of the violation for actual damages to that person, exemplary damages of not more than $25,000 and costs and reasonable actual attorney fees' (Wis. Stat. §146.84(1)(b)). Likewise, a person who does any of the following may be fined up to $25,000 and/or imprisoned for up to nine months (Wis. Stat. §146.84(2)):
- requests or obtains confidential information under the laws related to confidentiality and access to patient health records under false pretences;
- discloses confidential information with knowledge that the disclosure is unlawful and is not reasonably necessary to protect another from harm; and
- violates the prohibitions listed above under Wis. Stat. §146.83(4).
Financial records and data must be kept confidential under §214.37 of Chapter 214 of the Wis. Stat. Generally, no person may have access to the books and records of a savings bank or receive a list of its members or stockholders (Wis. Stat. §214.37(2)). However, a person has the right to inspect the books and records of the savings bank that pertain to that person's own deposit accounts or loans (Wis. Stat. §214.37(3)). Likewise, access to an individual's financial records is permitted in certain limited circumstances, including, but not limited to (Wis. Stat. §214.37(4)):
- access by officers, employees, or agents of a savings bank, or by a certified public accountant in the performance of an audit;
- access in the exercise of that person's duties as an officer, employee, or agent; or
- access in response to a subpoena, summons, warrant or court order.
A 'savings bank' is broadly defined as 'a financial institution organised under [Chapter 214]' (Wis. Stat. §214.37(4)). More specifically, under Wis. Stat. §214.01(jn), a 'financial institution' is 'a bank, a savings bank, a savings and loan association, a trust company, or a credit union, whether chartered under the laws of [Wisconsin], another state or territory under the laws of the United States.' 'Financial records' includes 'an original, copy or summary of any document or item containing information pertaining to any relationship established in the ordinary course of business between a savings bank and a customer' (Wis. Stat. §214.37(1)).
Please note that some of the proposed legislation mentioned above, such as the WDPA, covered information related to economic status or finances, but it was never put up for a vote.
Wisconsin law does not explicitly protect employment data. However, under §103.13 of Chapter 103 of the Wis. Stat., the ability to inspect an employee's personnel documents is limited to the employee and/or their designated representative. This Section states that '[e]very employer shall, upon the request of an employee, which the employer may require the employee to make in writing, permit the employee to inspect any personnel documents which are used, or which have been used in determining that employee's qualifications for employment, promotion, transfer, additional compensation, termination or other disciplinary action, and medical records' (Wis. Stat. §103.13(2)). Note that prior to the COVID-19 pandemic, employers were required to provide the employee the opportunity to inspect their personnel record within seven business days after the employee's request (Wis. Stat. §103.13(2)). However, on 17 April 2020, in light of the State's public health emergency declaration of 12 March 2020, Wis. Stat. §103.13(2m) was added, suspending this seven-day requirement (Wis. Stat. §103.13(2m)).
Likewise, if an employee is involved in an active dispute with their employer, the employee can designate, in writing, a representative who may inspect the employee's personnel records to the extent such records may have a bearing on the resolution of the grievance or dispute (Wis. Stat. §103.13(3)). There are certain limited exceptions to what an employee or an employee's designated representative can inspect in their personnel file, including letters of reference and certain test documents.
Pursuant to Wis. Stat. §103.13(8), employers who violate Wis. Stat. §103.13 may be subject to a fine between $10 and $100 for each violation, and each day of non-compliance is considered a separate violation.
As referenced in other sections of this Guidance Note, Wisconsin lawmakers proposed three separate bills to collectively comprise the WDPA in February 2020. While ultimately the WDPA failed to make any progress and was never put up for a vote, it was intended to give consumers significant rights over data collected by companies, including information potentially related to employment data.
Wisconsin does not have a comprehensive online privacy statute. However, it is worth noting that the failed WDPA was designed to give consumers significant rights over data collected by companies, both online and through other methods.
Wisconsin does not have any state laws that provide for special protections for the online privacy of children. However, the federal Children's Online Privacy Protection Act of 1998 ('COPPA') does apply in Wisconsin. COPPA prohibits unfair or deceptive acts or practices in connection with the collection, use and/or disclosure of personal information from and about children on the internet. For more information see OneTrust DataGuidance's Guidance Note on USA – COPPA.
Wis. Stat. §995.55 prohibits educational institutions, employers, and landlords from requesting or requiring a student, employee, or tenant (as applicable) to disclose access information for their personal internet accounts. Wis. Stat. §995.55 also prohibits educational institutions, employers, and landlords from discriminating against or taking adverse actions against any student, employee, or tenant who refuses to disclose their personal internet account information.
7.1. Email marketing
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM Act'), which is a federal law, establishes requirements for commercial messages sent to recipients in the US. The CAN-SPAM Act expressly pre-empts state laws or regulations that expressly regulate the use of electronic mail to send commercial messages, except to the extent that such laws or regulations prohibit false or deceptive actions.
Additionally, Wisconsin law prohibits sending unsolicited electronic mail solicitations that contain obscene material or a depiction of sexually explicit conduct without including the words 'ADULT ADVERTISEMENT' in the subject line of the electronic mail (§944.25 of Chapter 944 of the Wis. Stat.). Sending email messages in violation of this statute is a crime, and the sender can be charged with a Class A misdemeanour.
7.2. Telephone marketing
Wisconsin has also enacted opt-out legislation for telephone marketing and has required the creation of a state-wide registry containing the telephone numbers of consumers in the state who do not wish to be contacted by telephone for marketing purposes. Pursuant to §100.52 of Chapter 100 of the Wis. Stat., telephone solicitors are prohibited from calling persons whose telephone numbers are included in the Do Not Call Registry supported by the Federal Trade Commission. In addition, telemarketers are prohibited from using electronically pre-recorded messages without the consent of the person called. A person who violates this law may be required to forfeit $100 for each violation.
7.3. Facsimile marketing
Under §134.72 of Chapter 134 of the Wis. Stat., individuals are prohibited from sending solicitations via facsimile without the consent of the person solicited unless all of the following are met:
- the document transmitted by facsimile machine does not exceed one page in length and is received by the person solicited after 9:00 pm and before 6:00 am;
- the person making the facsimile solicitation has had a previous business relationship with the person solicited; and
- the document transmitted contains the name of the person sending the document.
However, facsimile transmissions for solicitation purposes are strictly prohibited even if the above three elements are met if a person has notified the facsimile solicitor in writing, by telephone or by facsimile transmission that the person does not want to receive facsimile solicitations. The prohibitions in Wis. Stat. §134.72 apply to facsimile transmissions originating in Wisconsin, as well as transmissions originating outside of Wisconsin that are received by a person within the state of Wisconsin. A person who violates this law may be required to forfeit $500 per violation.
There are no specific Wisconsin laws that require the posting of privacy notices or privacy policies on websites. However, many other state and federal laws that require the posting of privacy notices on websites could impact those doing business in Wisconsin. Some sources of federal law requiring privacy notices include (without limitation):
- Gramm-Leach-Bliley Act of 1999 ('GLBA'); and
- Health Insurance Portability and Accountability Act of 1996 ('HIPAA').
Because a Wisconsin business's website may reach residents of other states, it is advisable to review those states' laws as well. While there are many, most notable is the California Consumer Privacy Act of 2018 (as amended) ('CCPA'), which requires companies to publish and provide privacy policies and to update them every 12 months.
9.1. Disposal of records
Wis. Stat. §134.97 sets out requirements for the disposal of certain records that contain personal information. Financial institutions, medical businesses and tax preparation businesses are prohibited from disposing of records containing personal information unless the entity (or a party it contracts with) first shreds the record, erases the personal information contained in the record, modifies the record to make the personal information unreadable, or takes actions it reasonably believes will ensure that no unauthorised person may access the personal information. 'Personal information' means:
- personally identifiable data about an individual's medical condition, if the data are not generally considered to be public knowledge;
- personally identifiable data that contain an individual's account or customer number, account balance, balance owing, credit balance or credit limit, if the data relate to an individual's account or transaction with a financial institution;
- personally identifiable data provided by an individual to a financial institution upon opening an account or applying for a loan or credit; or
- personally identifiable data about an individual's federal, state, or local tax returns.
'Personally identifiable' means capable of being associated with a particular individual through one or more identifiers or other information or circumstances. A 'record' is any material on which written, drawn, printed, spoken, visual or electromagnetic information is recorded or preserved, regardless of physical form or characteristics.
Failure to comply with the requirements of Wis. Stat. §134.97 may result in both civil liability as well as criminal fines up to $1,000 and 90 days of imprisonment.
9.2. Breach notification law
Wisconsin's data breach notification law is located at Wis. Stat. §134.98 ('the Breach Notification Law'). The Breach Notification Law does not require entities to maintain any specific cybersecurity standards. However, it does set forth the notification requirements when an entity becomes aware of the unauthorised access to personal information.
An 'entity' is defined as a person, other than an individual, that:
- conducts business in Wisconsin and maintains personal information in the ordinary course of business;
- licenses personal information in Wisconsin;
- maintains a state depository account for a resident of Wisconsin; or
- lends money to a resident of Wisconsin.
The definition of 'entity' also specifically includes state and local government bodies, including the state and any office, department, independent agency, authority, institution, society, or other body in state government created or authorised to be created by the constitution or any law, including the legislature and the courts, as well as any city, village, town, or county.
Regulated entities, such as those bound by federal privacy laws pertaining to financial institutions or health care entities, are exempt from the statute, provided such entities are following applicable regulations.
'Personal information' means an individual's first name or first initial, in combination with and linked to any of the following:
- the individual's social security number;
- the individual's driver's license number or state identification number;
- the number of the individual's financial account, including a credit or debit account number, or any security code, access code or password that would permit access to the person's financial account;
- the individual's DNA profile; or
- the individual's unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.
'Personal information' does not include data elements that are publicly available. Likewise, information is not deemed 'personal information' if it is encrypted, redacted, or altered in a manner that renders the element unreadable.
There are three instances where an entity must provide notice to others of a data security incident:
- If an entity whose principal place of business is located in Wisconsin or an entity that maintains or licenses personal information in Wisconsin knows that personal information in the entity's possession has been acquired by a person whom the entity has not authorised to acquire the personal information, the entity must make reasonable efforts to notify each subject of the personal information.
- If an entity whose principal place of business is not located in Wisconsin knows that personal information pertaining to a resident of Wisconsin has been acquired by a person whom the entity has not authorised to acquire the personal information, the entity must make reasonable efforts to notify each resident of Wisconsin who is the subject of the personal information.
- If a person, other than an individual, that stores personal information pertaining to a resident of Wisconsin, but does not own or license the personal information, knows that the personal information has been acquired by a person whom the person storing the personal information has not authorised to acquire the personal information, and the person storing the personal information has not entered into a contract with the person that owns or licenses the personal information, the person storing the personal information must notify the person that owns or licenses the personal information of the acquisition as soon as practicable.
If, as the result of a single incident, an entity is required to notify 1,000 or more individuals that personal information pertaining to the individuals has been acquired, the entity must without unreasonable delay notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices sent to the individuals.
An entity is not required to provide notice of the acquisition of personal information if any of the following applies:
- the acquisition of personal information does not create a material risk of identity theft or fraud to the subject of the personal information; or
- the personal information was acquired in good faith by an employee or agent of the entity, if the personal information is used for a lawful purpose of the entity.
Timing & manner of notice
Notice must be provided within a reasonable time, not exceeding 45 days after the entity learns of the unauthorised acquisition of personal information. Reasonableness of the timing will include consideration of the number of notices that the entity must provide and methods of communication available to the entity.
If law enforcement asks an entity not to provide notification to protect an investigation or homeland security, the entity may not provide notice or publicise the unauthorised acquisition of personal information. In addition, the timing requirement for providing notice will not begin until law enforcement has authorised the entity to provide notice.
Notice must be provided by mail or any method the entity has previously used to communicate with the subject of the personal information. If, after conducting reasonable due diligence, the entity cannot determine the mailing address of the subject and if the entity had not previously communicated with the subject, the entity must provide notice by a method reasonably calculated to provide actual notice to the subject.
The statute does not include specific requirements for the content of the notices. However, if a recipient of any notice of unauthorised acquisition of personal information requests further information in writing, the entity must identify the specific personal information that was compromised.
Effect on civil claims
Failure to comply with the requirements of the Breach Notification Law is not considered negligence or breach of any duty. However, it can be considered evidence of negligence or breach of a duty.
The proposed WDPA would have significantly expanded the definition of personal information, and would have required entities to provide notice to the Wisconsin Department of Justice of any data breach within 30 days of becoming aware of a breach. The WDPA would have also provided significant penalties (fine of $10,000 or up to 2% of total annual revenue, whichever is greater) for violation of the data breach notification requirements. However, as set forth above, the WDPA failed to pass in 2020.
9.3. Insurance data security law
In July 2021, Wisconsin enacted new data security laws specific to insurance, found under §601.95 et seq. of Chapter 601 of the Wis. Stat. This new law sets forth the 'state standards applicable to licensees for data security, the investigation of a cybersecurity event, and notification of a cybersecurity event or unauthorized access to non-public information to the state government and consumers' (Wis. Stat. §601.951(1)).
A 'licensee' is 'a person licensed, authorized, or registered, or a person required to be licensed authorized, or registered [under Wisconsin insurance laws], other than a purchasing or risk retention group that is chartered and licensed in another state or a person acting as an assuming insurer that is domiciled in another state or jurisdiction' (Wis. Stat. §601.95(7)).
A 'cybersecurity event' is an event that results in unauthorised access to, or disruption or misuse of, an information system (i.e., 'a discrete set of organized electronic information resources') or the non-public information stored on an information system (Wis. Stat. §§601.95(3) and (6)). A cybersecurity event does not include either of the following (Wis. Stat. §601.95(3)):
- the unauthorised acquisition of encrypted non-public information if the encryption process or key is not also acquired, released, or used without authorisation; or
- the unauthorised acquisition of non-public information if the licensee determines that the non-public information has not been used or released and has been returned to the licensee or destroyed.
Under Wis. Stat. §601.95(9), 'non-public information' is electronic information in the possession, custody, or control of a licensee that is not publicly available information and is any of the following:
- information concerning a consumer that can be used to identify the consumer, in combination with at least one of the following data elements:
- social security number;
- driver's license number or nondriver identification card number;
- financial account number or credit or debit card number;
- security code, access code, or password that permits access to a financial account; and
- biometric records;
- information or data, other than information or data regarding age or gender, in any form or medium created by or derived from a health care provider or a consumer that can be used to identify the consumer and that relates to any of the following:
- the physical, mental, or behavioural health or condition of the consumer or a member of the consumer's family;
- the provision of health care to the consumer; or
- payment for the provision of health care to the consumer.
Information security program
Under the new law, most licensees were required to 'develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment' by 1 November 2022 that will 'contain administrative, technical, and physical safeguards for the protection of the licensee's information systems and non-public information' (Wis. Stat. §601.952(1)). The information security program must also include an incident response plan that outlines how the licensee will respond to and recover from a cybersecurity event (Wis. Stat. §601.952(5)).
If a licensee experiences an actual or potential cybersecurity event, it is required to investigate and provide notification (Wis. Stat. §§601.953 and 601.954). The investigation, which can be conducted by the licensee or an outside vendor, must be conducted 'promptly' and include the following three elements (Wis. Stat. §601.953(1)):
- assessment of the nature and scope of the cybersecurity event;
- identification of any non-public information that was or may have been involved; and
- performance of reasonable measures to restore security of the compromised information security systems and prevent additional unauthorised acquisition, release, or use of non-public information.
This investigation obligation extends to information systems maintained on behalf of a licensee by a third-party service provider (Wis. Stat. §601.953(2)).
Licensees must retain records of a cybersecurity event for at least five years from the date of the cybersecurity event and may be required to produce such records to the Insurance Commissioner of the Wisconsin Office of the Commissioner of Insurance (Wis. Stat. §601.953(3)). In certain circumstances, licensees must notify the Insurance Commissioner of a cybersecurity event (Wis. Stat. §601.954(1)(a)). This notice, which is to be sent electronically within three business days from 'the determination that the cybersecurity event occurred', is to include as much detailed information about the cybersecurity event as possible, such as a description of how it was discovered, the number of consumers affected, and a description of the data elements that were accessed (Wis. Stat. §601.954(1)(b)).
Notice must also be provided to consumers '[i]f a licensee knows that non-public information of a consumer in the licensee's possession has been acquired by a person whom the licensee has not authorized to acquire the non-public information' (Wis. Stat. §601.954(2)(a)). The notice must be provided within 45 days after the licensee learns of the cybersecurity event and 'indicate that the licensee knows of the unauthorized acquisition of non-public information pertaining to the customer' (Wis. Stat. §§601.954(2)(a) and (d)). There are two exceptions to the consumer notice requirement, namely (Wis. Stat. §601.954(2)(c)):
- if the acquisition of non-public information does not create 'a material risk of identity theft or fraud' for the consumer; and
- if the non-public information was acquired in good faith by an employee or agent of the licensee and is used lawfully.