Wisconsin residents now have new protection for their personal information under recently enacted legislation (2005 Wisconsin Act 138, effective March 31, 2006). The new law applies to partnerships, associations and corporations that maintain personal information about Wisconsin residents. This update will provide a brief overview of the key elements of the law and describe the requirement to notify Wisconsin residents when their personal information is acquired by third parties without authorization.

Who must comply?
Partnerships, associations, and corporations (regardless of whether the principal place of business is in Wisconsin) must comply with the law if they:

• Conduct business in Wisconsin and maintain personal information in the ordinary course of business;
• License personal information in Wisconsin;
• Maintain a depository account for a Wisconsin resident; or
• Lend money to a Wisconsin resident.

The law also applies to the state, cities, villages, towns and counties that intentionally or inadvertently disclose personal information to third parties.

Specifically excluded from the new law are "covered entities" that are in compliance with the Health Insurance Portability Accountability Act (HIPAA) Privacy Rule (such as hospitals and medical clinics), and entities that are in compliance with the Gramm-Leach-Bliley Act (or an entity with a contractual obligation to such an entity), if a policy concerning breaches of information security is in effect.

When is action required?
The requirement to notify a Wisconsin resident is triggered when his or her information that is maintained by the entity is acquired by a third party without authorization from the entity. The key consideration is whether the entity has authorized the release, not whether the Wisconsin resident authorized the release. Notice must be provided within 45 days after the entity learns of the unauthorized acquisition or disclosure of personal information. No notice is required to be given if the acquisition of personal information does not create a material risk of identity theft or fraud or when the personal information is acquired by an agent or employee of the entity and the use is lawful.

What personal information is covered?
To be considered personal information under the new law, the information must include the first and last name (or first initial) of the Wisconsin resident in combination with and linked to any of the following:

• Social security number;
• Driver’s license number or state identification;
• Account number (including security code, password, or access number);
• DNA profile; or
• Biometric data (fingerprint, voice print, retina, etc.).

Excluded from the new law is personal information that is publicly available (lawfully) or that is encrypted, redacted, or otherwise made unreadable.

What are the notice requirements?
An entity must generally provide notice by mail to the Wisconsin resident whose personal information has been acquired by a third party without authorization from the entity. The notice must indicate that the entity knows of the unauthorized acquisition of the individual’s personal information. If the unauthorized acquisition of personal information involves more than 1,000 people, notification to all consumer reporting agencies is also required without unreasonable delay. Notification to the consumer reporting agencies must include the timing, distribution, and content of the notices sent to the individuals who have been affected by the acquisition of personal information. Upon request from a notified individual, the entity must identify the personal information that was acquired without authorization from the entity.

What Are The Penalties For Violation?
The new law does not set forth any specific penalties for violation of the notice requirements. Instead, the law indicates that a failure to provide notice is not negligence or a breach of a duty, but may be evidence of negligence or a breach of legal duty. Hence, failure to provide the required notice under the new law may be used as evidence against
an entity for a different type of privacy claim, such as a claim for invasion of the right of privacy.

Recommendations
Because of the broad application of the new Personal Information Disclosure Law, any business (both businesses located in Wisconsin and those doing business in Wisconsin) with qualifying personal information about Wisconsin residents should do the following:

• Prepare a simple policy to monitor for unauthorized acquisition of personal information of Wisconsin residents by third parties and, when required, provide notice as required by this law. In developing such a policy, each business should review which department(s) or employees have regular access to personal information concerning Wisconsin residents.
• Consider providing some level of training to employees on the policy and the requirements of the new law to ensure that unauthorized acquisitions of personal information are discovered in a timely fashion.
• Regulated entities subject to HIPAA or the Gramm-Leach-Bliley Act should ensure they are in full compliance with those laws before presuming exclusion from the provisions of Act 138.

If you have any questions about the applicability of Wisconsin’s New Personal Information Disclosure Law to your business, or need assistance in developing an appropriate policy, please contact Thomas N. Shorter at tshorter@gklaw.com or 608-284-2239 or your Godfrey & Kahn attorney.