The bill also requires a licensee to make reasonable efforts to notify consumers
whose nonpublic information in the licensee's possession has been acquired by an
unauthorized person. The notice must be provided within a reasonable time, but no
later than 45 days after the licensee learns of the acquisition. Notification is not
required if the information's acquisition does not create a material risk of identity
theft or fraud or if the information was acquired in good faith by the licensee's
employee or agent and is used for a lawful purpose of the licensee. The insurer must
also notify a producer of record about the affected consumers, provide a copy of any
notice to the commissioner, and notify the consumer reporting agencies of events
requiring notification to at least 1,000 consumers.
The bill provides that failure to comply with any of the notification
requirements is not negligence or a breach of duty, but may be evidence of negligence
or breach of duty.
Under the bill, the commissioner has the power to examine and investigate the
affairs of a licensee to determine whether a violation of any of the above requirements
has occurred. A licensee must generally keep records relating to the requirements
for at least five years and produce them upon demand of the commissioner. Any
documents, materials, and other information from a licensee that are in the
possession or control of the commissioner are confidential and privileged.
The bill's provisions do not apply to a licensee that is an employee, agent,
representative, or designee of a licensee and covered by that licensee's information
security program; a licensee affiliated with a depository institution that maintains
an information security program in compliance with the federal interagency
guidelines; or a licensee affiliated with a legal entity established pursuant to the
federal Farm Credit Act that maintains an information security program in
compliance with the federal Farm Credit Administration's guidance and regulations.
Additionally, except for the bill's requirement to notify the commissioner of a
cybersecurity event involving nonpublic information, the bill's provisions do not
apply to a licensee subject to the federal Department of Health and Human Services'
Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
SB160-SSA1,1 Section 1. 601.465 (3) (f) of the statutes is created to read:
601.465 (3) (f) All information protected under s. 601.955, which is subject only to the confidentiality provisions in s. 601.955.
Section 2. Subchapter IX (title) of chapter 601 [precedes 601.95] of the statutes is created to read:
Chapter 601
Subchapter IX
Insurance data security
Section 3. 601.95 of the statutes is created to read:
601.95 Definitions. In this subchapter:
(1) “Authorized individual” means an individual who is known to and screened by a licensee and whose access to the licensee's information system or nonpublic information is determined by the licensee to be necessary and appropriate.
(2) “Consumer” means an individual who is a resident of this state and whose nonpublic information is in the possession, custody, or control of a licensee.
(3) “Cybersecurity event” means an event resulting in the unauthorized access to, or disruption or misuse of, an information system or the nonpublic information stored on an information system, except that a “cybersecurity event” does not include any of the following:
(a) The unauthorized acquisition of encrypted nonpublic information if the encryption process or key is not also acquired, released, or used without authorization.
(b) The unauthorized acquisition of nonpublic information if the licensee determines that the nonpublic information has not been used or released and has been returned to the licensee or destroyed.
(4) “Encrypted” means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.
(5) “Information security program” means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.
(6) “Information system” means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of nonpublic information, as well as any specialized system, including an industrial or process controls system, telephone switching and private branch exchange system, and environmental control system.
(7) “Licensee” means a person licensed, authorized, or registered, or a person required to be licensed, authorized, or registered, under chs. 600 to 655, other than a purchasing or risk retention group that is chartered and licensed in another state or a person acting as an assuming insurer that is domiciled in another state or jurisdiction.
(8) “Multifactor authentication” means authentication through verification of at least 2 of the following types of authentication factors:
(a) Knowledge factor, including a password.
(b) Possession factor, including a token or text message on a mobile phone.
(c) Inherence factor, including a biometric characteristic.
(9) “Nonpublic information” means electronic information in the possession, custody, or control of a licensee that is not publicly available information and is any of the following:
(a) Information concerning a consumer that can be used to identify the consumer, in combination with at least one of the following data elements: