State Regulator Says Wisconsin Data Breach Laws Lagging Other States

The Wisconsin Department of Agriculture, Trade and Consumer Protection says Wisconsin’s laws regulating how companies respond to data stolen by hackers are lagging other states. The agency says current law was passed in 2008 and doesn’t include penalties for companies that don’t alert consumers that a data breach has occurred.

According to a report out this month on data breach risks, recovery and regulation released by the Wisconsin Legislative Reference Bureau, personal data is stolen by hackers on a constant basis. It says research shows that within the next 24 months, the probability of a significant breach at any given business or nonprofit organization is around 30 percent. In 2017, the Reference Bureau notes there were 1,579 data breaches that exposed nearly 179 million personal records.

The report also cites a state-by-state comparison of data breach laws by information security company Digital Guardian. The firm ranked Wisconsin’s laws as “less strict” than other states. Only Kentucky and Mississippi had a lower ranking.

Lara Sutherlin, an administrator at DATCP, said Wisconsin’s data breach laws passed in 2006 with a technical revision in 2008 are lagging compared with other states. While the law instructs businesses and other organizations to notify consumers within 45 days that a data breach occurs, she said, “what’s significant about that law is there’s no enforcement mechanism.”

“So, if no one does any notification there’s no provision in the law that allows the state to enforce it,” said Sutherlin, adding that organizations also don’t have to tell state regulators.

“There’s no requirement that they even tell the attorney general or the Department of Agriculture, Trade and Consumer Protection that a breach occurred,” said Sutherlin. “So, it’s a law that has some prescriptions but very little teeth, which makes it hard to actually be effective.”

According to the Legislative Reference Bureau report, Wisconsin’s data breach laws are unclear on whether companies that don’t report can face lawsuits for negligence. According to the statute, “failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty.”

While reporting breaches to the state isn’t explicitly required, Sutherland said many companies do and DATCP is able to help warn potential identity theft victims.

“By notifying the state if there’s a statewide data breach or a data breach in a hospital, the state can be a partner in helping get that information out to consumers so they can protect their data,” she said.

Sutherlin said even without an enforcement mechanism, many organizations do comply with state law when private data is stolen. But she said the reality is the state wouldn’t necessarily know about a breach unless it’s reported.

DATCP is looking to create a taskforce aimed at updating the state’s data breach laws, said Sutherlin. No timeline was provided but she said the agency plans to begin engaging with stakeholders soon.

Already in 2019, three data breaches have been reported to DATCP. According to the department’s website, North Country Business Products, Canyon Bakehouse LLC and Inmediata Health Group Corp. have reported customer data, including names, addresses and credit card numbers, being stolen.

Sutherlin said consumers concerned about their data security can reach out to DATCP and speak with members of their identity theft team.

“It is very likely that all of us have been the victim of some data breach,” said Sutherlin. “There’s just so many of them now it’s hard to avoid it. So, it’s really imperative that consumers stay on top of their credit, stay on top of their technological and financial world and pay attention so they can protect themselves as much as the government can help.”

Correction: Lara Sutherlin’s name was misspelled in an earlier version of this story. WPR regrets this error.