Today’s digital landscape is different, and it’s going to keep changing. Cybersecurity is no longer just an IT issue. With the rising frequency and sophistication of cyberattacks, businesses face not only operational disruptions but also significant legal liabilities. Simultaneously, individuals are becoming more aware of their rights when their personal data is compromised. This article gives you a short summary of what businesses must do to mitigate legal risks and what rights consumers have when data breaches occur.

What Legal Obligations Are There for Businesses?

Regulations such as the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) look set to become the building blocks for various state-level laws in the US that require businesses to implement robust data protection measures. In Wisconsin, the Wisconsin Personal Information Disclosure Act, also known as Wis. Stat. § 134.98 or Section 134.98, was enacted in March 2006. While the Wisconsin law is not nearly as broad as the GDPR or CCPA, it does provide some protections for individuals. The law requires most businesses to notify individuals if an unauthorized person has acquired their personal information. The business must be operating in Wisconsin and maintaining personal information about individuals who reside in Wisconsin. This law also applies to Wisconsin state government agencies, cities, towns, villages, and counties.

What Protected Personal Information is Covered?

Section 134.98 defines protected “personal information” as a person’s last name, with either a first name or first initial, connected to any of the following elements:

  1. Social security number
  2. Driver’s license number
  3. Financial account numbers or security codes or passwords
  4. Genetic data or DNA profile
  5. Any unique biometric data such as fingerprint, voiceprint, or retina scans

When the information in the elements above is not publicly available information and not encrypted, redacted, or altered in a manner that renders it unreadable, the information is considered to be “personal information” under Section 134.98.

If you have any questions on whether your business would be required to make a report of a data breach, reach out to a trusted Axley attorney who can help guide you and your business through the process.

When and How is a Business/Governmental Entity Required to Give Notice?

Section 134.98 requires the business or governmental entity to notify a person whenever protected personal information held by the business or governmental entity is obtained by an unauthorized person. However, notice is not required if the unauthorized acquisition does not create a material risk of identity theft or fraud. The notice must be given within a reasonable time, not to exceed 45 days after the entity learns of the unauthorized acquisition. The notice must be given by mail or by a method that the entity has previously used to communicate with the subject of the information. For example, if a business has communicated with a customer by email, notice may be given by email. Upon written request of the person whose information was acquired, the entity must also identify the nature of the personal information acquired. In cases where the personal information of more than 1,000 individuals was acquired at one time, the breached entity must also give notice to all consumer reporting companies that compile and maintain files on consumers on a nationwide basis. This would include the major credit reporting companies.

It is important to note that all 50 states require organizations to notify affected individuals of a breach. However, the specifics of these requirements vary from state to state, and it can be difficult to navigate these frameworks. Thus, if you require assistance navigating the statutory requirements, attorneys at Axley are here for you. The good news is that if your business has cyber liability coverage, in most cases that insurance will cover the cost, and assist in the process of providing notice to customers. Axley has experience working with clients and their insurers to make sure businesses can comply with their notice obligations.

Legal Liabilities for Data Breaches

When businesses fail to protect consumer data, they can face legal liability to affected individuals. Wisconsin’s general breach notification statute does not explicitly grant a private right of action. However, it states that although a violation is not inherently considered negligence or a breach of duty, it may serve as evidence of such negligence or breach of legal duty. Thus, if you have recently been affected by a data breach, you should reach out to a trusted Axley attorney to determine if you have a claim against the organization that lost your data. In many cases, the business suffering the data breach will provide credit monitoring, which can help mitigate the effects of data loss—and provide some peace of mind if you have been a victim.

Conclusion

Cybersecurity is a challenge that carries significant legal implications for businesses. If your business has fallen prey to a data breach, understanding the requirements on how to move forward is pivotal. For consumers, awareness of your rights empowers you to take action when your data is mishandled.