Wisconsin Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Wisconsin's data breach notification law strikes a balance between consumer protection and business flexibility. While the state includes biometric data and DNA profiles in its definition of personal information, setting it apart from states with narrower definitions, it does not require any notification to state agencies and lacks a private right of action for affected consumers.
The statute is codified at Wis. Stat. 134.98. Originally enacted in 2006, the law has been updated periodically, though it remains more concise than the breach notification statutes of many other states.
For a broader look at Wisconsin's privacy framework, see the parent guide to [Wisconsin Data Privacy Laws](/us-laws/data-privacy-laws/wisconsin-data-privacy-laws).
Who Must Comply
Wisconsin's breach notification law applies to any entity whose principal place of business is located in Wisconsin, or any entity that maintains or licenses personal information in the state, if that entity knows that personal information in its possession has been acquired by an unauthorized person.
The term "entity" is defined broadly to include corporations, business trusts, estates, partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies, and any other legal or commercial entity.
Third-party data custodians are also covered. If a person or entity that stores personal information on behalf of another entity, but does not own or license that information, learns of an unauthorized acquisition, it must notify the data owner or licensee as soon as practicable. The data owner then bears responsibility for consumer notification.
What Qualifies as Personal Information
Under Wis. Stat. 134.98(1)(b), personal information means an individual's last name and first name or first initial, combined with one or more of the following data elements:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number combined with any required security code, access code, or password
- Deoxyribonucleic acid (DNA) profile, as defined in Wis. Stat. 939.74(2d)(a)
- Unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation
The inclusion of DNA profiles and biometric data distinguishes Wisconsin from states with narrower definitions. However, unlike states such as Washington or Colorado, Wisconsin does not include medical records, health insurance information, passport numbers, military IDs, or login credentials in its definition.
Personal information does not include information that is lawfully obtained from publicly available records or from federal, state, or local government records lawfully made available to the general public.
What Triggers the Notification Requirement
Notification is required when an entity knows that personal information in its possession has been acquired by a person whom the entity has not authorized to acquire the personal information.
Unlike many states, Wisconsin does not explicitly require a risk-of-harm analysis as part of the notification trigger. The trigger is based on unauthorized acquisition itself, not on whether the breach is likely to cause harm. Once the entity knows an unauthorized acquisition has occurred, the notification obligation begins.
Good-faith acquisition of personal information by an employee or agent of the entity is not an unauthorized acquisition, provided the information is not used or disclosed in an unauthorized manner.
The 45-Day Notification Deadline

Wisconsin requires entities to provide notice within a reasonable time, not to exceed 45 days after the entity learns of the unauthorized acquisition of personal information.
The 45-day clock begins when the entity learns of the acquisition, not when the breach itself occurred. The statute emphasizes that notification must occur within a "reasonable time," meaning that 45 days is the outer limit, not the target.
A law enforcement agency may request a delay in notification to protect an investigation or homeland security. During such a delay, the entity may not provide notice of or publicize the breach except as authorized by the law enforcement agency. The notification process begins at the end of the delay period.
What the Consumer Notice Must Include
Wisconsin's statute requires that the notice "indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the subject of the personal information."
Beyond this basic requirement, the statute does not prescribe specific content elements. This is less detailed than many states, which require inclusion of credit reporting agency contact information, FTC contact details, and specific remediation steps.
However, the DATCP guidance recommends that notifications include:
- A description of the incident
- The types of personal information involved
- Steps the entity has taken to address the breach
- Contact information for the entity
- Recommendations for consumers to protect themselves
- Contact information for the credit reporting agencies and the FTC
Methods of Notification
Wisconsin allows notification through two primary methods:
- Mail sent to the last known address of the affected individual
- A method the entity has previously used to communicate with the individual
If the entity cannot with reasonable diligence determine the mailing address and has not previously communicated with the individual, it must provide notice by a method reasonably calculated to provide actual notice to the individual.
No Attorney General Notification

Wisconsin does not require notification to the Attorney General, DATCP, or any other state agency when a data breach occurs. This places Wisconsin among a diminishing number of states that do not mandate government notification.
Consumer Reporting Agency Notification
If a single breach requires notification to more than 1,000 individuals, the entity must also notify the nationwide consumer reporting agencies (Equifax, Experian, and TransUnion) without unreasonable delay.
The notice to the credit bureaus must include the timing, distribution, and content of the consumer notifications. This requirement aligns with most other states' consumer reporting agency notification provisions.
Encryption Safe Harbor

Wisconsin provides an encryption safe harbor. The notification requirements apply only to personal information that has not been "encrypted, redacted, or altered in a manner that renders the personal information unreadable."
If the compromised data was properly encrypted or rendered unreadable at the time of the unauthorized acquisition, notification is not required.
Federal Regulation Safe Harbors
Wisconsin provides specific safe harbors under Wis. Stat. 134.98(3m):
Financial institutions: An entity subject to and in compliance with the privacy and security requirements of the Gramm-Leach-Bliley Act (15 U.S.C. 6801-6827), or a person with contractual obligations to such an entity, is exempt from Wisconsin's notification requirements if it maintains a policy addressing breaches of information security.
Healthcare entities: An entity described in 45 CFR 164.104(a) that is in compliance with HIPAA security and privacy requirements (45 CFR Part 164) is exempt from the notification requirements.
These safe harbors are broader than those in many states, which often require federally regulated entities to still comply with certain state-specific requirements.
Effect on Civil Claims
Wisconsin includes an important provision in Wis. Stat. 134.98(4): failure to comply with the notification requirements is not negligence or a breach of any duty, but may be used as evidence of negligence or a breach of a legal duty in a civil action.
This means that while there is no standalone private right of action under the breach notification statute, a failure to notify could potentially strengthen a plaintiff's case in a separate negligence or breach-of-duty claim.
Enforcement and Penalties
The Wisconsin Attorney General and the Department of Agriculture, Trade and Consumer Protection (DATCP) share enforcement authority over the breach notification law.
Violations may result in civil forfeitures of up to $10,000 per violation. There is no private right of action that allows individual consumers to sue directly under this statute, though the evidentiary provision in subsection (4) may support related civil claims.
DATCP maintains guidance documents for businesses on complying with the notification requirements and provides consumer resources for individuals affected by data breaches.
Sources and References
This article references Wisconsin state statutes and official guidance from the Wisconsin Department of Agriculture, Trade and Consumer Protection. Nothing in this article constitutes legal advice. Consult a licensed attorney in Wisconsin for guidance on specific compliance obligations.
- Wis. Stat. 134.98: Notice of Unauthorized Acquisition of Personal Information
- DATCP: Wisconsin's Data Breach Notification Law (Guidance)
- DATCP: Data Breach, What To Do If It Happens To You
- Wisconsin State Law Library: Privacy Law
- Wisconsin Legislative Council: Records Containing Personal Information
- HIPAA Information (hhs.gov)
- Gramm-Leach-Bliley Act (ftc.gov)