State Regulator Says Wisconsin Data Breach Laws Lagging Other States

The Wisconsin Department of Agriculture, Trade and Consumer Protection says Wisconsin’s laws regulating how companies respond to data stolen by hackers are lagging other states. The agency says current law was passed in 2008 and doesn’t include penalties for companies that don’t alert consumers that a data breach has occurred.

According to a report out this month on data breach risks, recovery and regulation released by the Wisconsin Legislative Reference Bureau, personal data is stolen by hackers on a constant basis. It says research shows that within the next 24 months, the probability of a significant breach at any given business or nonprofit organization is around 30 percent. In 2017, the Reference Bureau notes there were 1,579 data breaches that exposed nearly 179 million personal records.

Lara Sutherland, an administrator at DATCP, said Wisconsin’s data breach laws, passed in 2006 with a technical revision in 2008, are lagging compared with other states. While the law instructs businesses and other organizations to notify consumers within 45 days that a data breach has occurred, she said, “what’s significant about that law is there’s no enforcement mechanism.”

“So, if no one does any notification there’s no provision in the law that allows the state to enforce it,” said Sutherland, adding that organizations also don’t have to tell state regulators.

“There’s no requirement that they even tell the attorney general or the Department of Agriculture, Trade and Consumer Protection that a breach occurred,” said Sutherland. “So, it’s a law that has some prescriptions but very little teeth, which makes it hard to actually be effective.”

According to the Legislative Reference Bureau report, Wisconsin’s data breach laws are unclear on whether companies that don’t report can face lawsuits for negligence. According to the statute, “failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.”

While reporting breaches to the state isn’t explicitly required, Sutherland said many companies do, and DATCP is able to help warn potential identity theft victims.

“By notifying the state if there’s a statewide data breach or a data breach in a hospital, the state can be a partner in helping get that information out to consumers so they can protect their data,” she said.

DATCP is looking to create a taskforce aimed at updating the state’s data breach laws, said Sutherland. No timeline was provided but she said the agency plans to begin engaging with stakeholders soon.