
Wisconsin's Data Breach Law Gives You 45 Days. Here's What § 134.98 Actually Requires.
Wisconsin businesses that suffer a data breach have specific legal obligations — a 45-day notification deadline, credit-agency notices at 1,000 affected people, and more. A plain-English walkthrough of the statute.
Ask most Wisconsin business owners what the law requires them to do after a data breach, and you'll get a shrug. That is a problem, because Wisconsin Statute § 134.98 has specific answers — and a specific deadline.
Here is the statute in plain English. (This is an overview for planning purposes, not legal advice — if you are actually in a breach situation, call your attorney first.)
What counts as "personal information"
The law cares about a specific combination: a person's name plus at least one of the following:
- Social Security number
- Driver's license or state ID number
- A financial account number together with the code needed to access the account
- DNA profile
- Unique biometric data (fingerprint, voice print, retina or iris image)
Two important qualifiers. The data has to be about a specific, identifiable person — and the obligation applies when that information was not encrypted, redacted, or otherwise unreadable. That last part is worth reading twice: encryption is effectively a legal shield in Wisconsin. Encrypted data that walks out the door generally doesn't trigger the statute the way plaintext does.
The 45-day clock
If your business knows that personal information in its possession was acquired by someone not authorized to have it, you must make reasonable efforts to notify each affected person — "within a reasonable time, not to exceed 45 days after the entity learns of the acquisition."
The clock starts when you learn of the breach, and 45 days is the ceiling, not the target. Notice goes out by mail or by a method you've previously used to communicate with that person.
The 1,000-person threshold
If a single incident affects 1,000 or more people, you have an additional duty: notifying the nationwide consumer reporting agencies (the credit bureaus) about the timing and scope of the notices you're sending — "without unreasonable delay."
When notice is NOT required
The statute includes a materiality exception: notice isn't required if the acquisition "does not create a material risk of identity theft or fraud," or if the information was picked up in good faith by an employee or agent for a lawful business purpose. In practice, deciding whether an incident clears that bar is exactly the kind of judgment call you want your attorney making — with good technical evidence in hand.
There is also a law-enforcement provision: police can ask you to delay notification to protect an investigation, and the clock resumes when that hold ends.
What happens if you don't comply
Wisconsin's statute is unusual in how it frames consequences. It says failure to comply "is not negligence or a breach of any duty, but may be evidence of negligence" — and it does not create a private right of action. Translation: the statute itself won't be the lawsuit, but your non-compliance can absolutely be used against you in one. And § 134.98 is rarely the only law in play — healthcare organizations have HIPAA, dealerships have the FTC Safeguards Rule with its own 30-day federal reporting requirement, and businesses with customers in other states inherit those states' laws too.
How to be ready before it matters
Everything above assumes something most businesses can't actually do under pressure: quickly figuring out what was taken, whose information it was, and whether it was encrypted. That capability gets built in advance or not at all.
- Know where personal information lives in your systems — you can't assess a breach of data you didn't know you had.
- Encrypt it — at rest and in transit. In Wisconsin, that decision alone can change your legal exposure.
- Keep logs. Determining what was accessed, and when you "learned" of it, depends on records existing.
- Have a written incident response plan with your attorney's number in it, so day one of a breach is execution, not improvisation.
The takeaway
The 45-day deadline sounds generous until you're inside it — juggling forensics, legal review, customer communication, and running your actual business. The companies that handle breaches well are the ones that did the unglamorous preparation years earlier.
Coulee Tech helps Wisconsin businesses build that preparation — security assessments, encryption, monitoring, and compliance management — so that if the day comes, you're reading your plan instead of a statute. The Wisconsin DATCP fact sheet is also a good one-page reference to keep on file.


