Wisconsin Does Not Have Appropriate Security Breach Laws

May 24, 2019

The Wisconsin Department of Agriculture, Trade and Consumer Protection says Wisconsin’s laws regulating how companies respond to data stolen by hackers are lagging behind other states, according to a news report.

According to the Legislative Reference Bureau report, Wisconsin’s data breach laws are unclear on whether companies that don’t report can face lawsuits for negligence. According to the statute, "failure to comply with this section is not negligence or a breach of any duty, but may be evidence of negligence or a breach of a legal duty."

Findings in a Data Breaches: Risk, Recovery, and Regulation report prepared for the Wisconsin Policy Project earlier this year include:

A few of the largest data breaches that took place in 2018:

Facebook exposed at least 87 million profile records, including demographic, personality, social, and site/app engagement information.
Fitness and nutrition site MyFitnessPal exposed 150 million user records including usernames, email addresses and encrypted passwords.
Saks Fifth Avenue and Lord & Taylor exposed more than 5 million payment cards.
UnityPoint Health exposed 1.4 million patients’ demographic, medical, and insurance
information, and possibly payment card and social security information as well.

A list of diverse and separate regulations cover individual areas of data privacy, such as:

The Health Insurance Portability and Accountability Act (HIPAA) regulates medical information, the process of applying to healthcare providers, insurers, pharmacies, and more.
The Fair Credit Reporting Act regulates the collection and disclosure of information such as credit history, credit capacity, character, and general reputation by consumer reporting agencies.
2018 U.S. S. 2155 (became Federal Public Law 115-174) amends the Fair Credit Reporting Act (15 U.S.C. 1681c–1) to extend credit freezes from 90 days to one year in duration and requires that consumer reporting agencies freeze consumers’ credit free of charge and in a timely manner.
The Federal Trade Commission Act prohibits unfair or deceptive practices toward consumers, including online privacy and data security issues such as failures to comply with posted privacy policies and unauthorized disclosures of PII.
The Financial Services Modernization Act regulates the use of consumers’ financial information, including the disclosure of financial and related PII.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.