SB160,13,1614 (b) The commissioner may issue an order to a licensee who is otherwise exempt
15under par. (a) to comply with this section if the commissioner determines that the
16order is warranted by the licensee's unique circumstances.

SB160,13,1917 (c) A licensee who ceases to qualify for the exemption under par. (a) or who
18receives an order under par. (b) shall comply with this section no later than 180 days
19after the date the licensee ceases to qualify or receives the order.

SB160,13,25 21601.953 Investigation of cybersecurity event. (1) If a licensee learns that
22a cybersecurity event involving the licensee's information systems or nonpublic
23information has or may have occurred, the licensee, or an outside vendor or service
24provider designated to act on behalf of the licensee, shall conduct a prompt
25investigation that, at a minimum, includes all of the following:

1(a) An assessment of the nature and scope of the cybersecurity event.

SB160,14,32 (b) The identification of any nonpublic information that was or may have been
3involved in the cybersecurity event.

SB160,14,64 (c) The performance of reasonable measures to restore the security of the
5licensee's information systems compromised in the cybersecurity event and prevent
6additional unauthorized acquisition, release, or use of nonpublic information.

SB160,14,11 7(2) If a licensee knows that a cybersecurity event has or may have occurred in
8an information system maintained by a 3rd-party service provider, the licensee shall
9comply with sub. (1) or make reasonable efforts to confirm and document that the
103rd-party service provider has either complied with sub. (1) or failed to cooperate
11with the investigation under sub. (1).

SB160,14,14 12(3) The licensee shall maintain records concerning a cybersecurity event for a
13period of at least 5 years starting from the date of the cybersecurity event and shall
14produce the records upon demand of the commissioner.

SB160,14,19 16601.954 Notification of a cybersecurity event. (1) Notification to the
17commissioner. (a) A licensee shall notify the commissioner that a cybersecurity
18event involving nonpublic information has occurred if any of the following conditions
19is met:

SB160,14,2220 1. The licensee is domiciled in this state and the cybersecurity event has a
21reasonable likelihood of materially harming a consumer or a material part of the
22normal operations of the licensee.

SB160,14,2523 2. The cybersecurity event is any of the following and the licensee reasonably
24believes that the cybersecurity event involves the nonpublic information of at least
25250 consumers:

SB160,15,3

1a. A cybersecurity event for which notice is required to be provided to a
2government body, self-regulatory agency, or other supervisory entity under state or
3federal law.

SB160,15,54 b. A cybersecurity event that has a reasonable likelihood of materially harming
5a consumer or a material part of the normal operations of the licensee.

SB160,15,96 (b) A licensee shall provide the notification under par. (a) in electronic form and
7as promptly as possible, but no later than 3 business days from the determination
8that the cybersecurity event occurred. In the notification, the licensee shall provide
9as much of the following information as possible:

SB160,15,1110 1. The date and source of the cybersecurity event and the time period during
11which information systems were compromised by the cybersecurity event.

SB160,15,1212 2. A description of how the cybersecurity event was discovered.

SB160,15,1513 3. A description of how the nonpublic information was exposed, lost, stolen, or
14breached and an explanation of how the information has been, or is in the process
15of being, recovered.

SB160,15,1816 4. A description of the specific data elements, including types of medical,
17financial, and personally identifiable information, that were acquired without
18authorization.

SB160,15,1919 5. The number of consumers affected by the cybersecurity event.

SB160,15,2120 6. A description of efforts to address the circumstances that allowed the
21cybersecurity event to occur.

SB160,15,2322 7. The results of any internal review related to the cybersecurity event,
23including the identification of a lapse in automated controls or internal procedures.

SB160,16,3

18. Whether the licensee notified a government body, self-regulatory agency, or
2other supervisory entity of the cybersecurity event and, if applicable, the date the
3notification was provided.

SB160,16,64 9. A copy of the licensee's privacy policy and a statement outlining the steps the
5licensee will take, or has taken, to investigate and notify consumers affected by the
6cybersecurity event.

SB160,16,87 10. The name of a contact person who is familiar with the cybersecurity event
8and authorized to act for the licensee.

SB160,16,119 (c) The licensee shall update and supplement the information provided under
10par. (b) to address material changes to the information as additional information
11becomes available to the licensee.

SB160,16,21 12(2) Notice to consumers and producers of record. A licensee required to
13notify the commissioner under sub. (1) shall comply with s. 134.98, if applicable, and
14provide to the commissioner a copy of any notice sent under s. 134.98 (2). If the
15licensee is an insurer whose services are accessed by consumers through an
16independent insurance producer, the licensee shall notify the producer of record of
17any consumers affected by the cybersecurity event no later than the date at which
18notice is provided under s. 134.98, except that notice is not required to a producer of
19record who is not authorized by law or contract to sell, solicit, or negotiate on behalf
20of the licensee or if the licensee does not have the current producer of record
21information for a consumer.