Wisconsin identity theft law: A cheap plastic sword

Milwaukee, Wis. - Every week, we read high-profile stories about personally identifiable information being misplaced or stolen, usually from a laptop computer or computer network. This sensitive information is being misplaced or stolen from both private industry and the government, with little accountability for such security breaches.

So it's not surprising that our knights in shining armor, the Wisconsin Legislature and Gov. Jim Doyle, have come to our rescue again to protect us from this threat and do what they do best. They claim to have provided us with a sword in our fight against identity theft in the form of new identity theft legislation. But have they?

As it turns out, Wisconsin's new identity theft law, Act 138, is really just a cheap plastic sword. It's shiny, rattles, and looks like a sword, but in reality it provides no real protection. Like any good politicians, the Legislature and Governor rattled their new saber and touted how this law would help protect individuals from identity theft when the law was passed. But the law really does little, if anything, to protect individuals.

Act 138, enacted March 31, 2006 as Wisconsin Statute 895.507, requires that businesses and state and local governments notify us under limited circumstances of unauthorized access to our personally identifiable information, such as Social Security numbers, credit card numbers, driver's license numbers, DNA profiles, and other biometric data in combination with our first initial or first name and last name. This sounds good on its face, but when you read the law further, it really doesn't provide us with much, if any, protection from identity theft.

No penalty flag
First, this law imposes absolutely no penalties on companies and governmental entities that don't protect our personally identifiable information. The law does provide the potential basis for individuals to bring a negligence suit for an entity's failure to provide notice of a data security breach, but in the same breath it states that failure to comply with the law is not negligence or breach of a duty. The law merely reflects that the common law of negligence may apply to such compliance failure.

Second, the law only requires notice of unauthorized disclosure of personal information in limited cases. No disclosure is required if the ill-gotten data “does not create a material risk of identity theft or fraud.” By default, such determinations are left to the same people entrusted with guarding the compromised data in the first place. This is kind of like letting the fox guard the hen house.

There's little incentive to make such a disclosure, given that the downside may outweigh the upside. A disclosure could trigger an expensive defense of a consumer class action lawsuit or governmental investigation, as occurred earlier this year when Providence Health System in Oregon, without any regulatory requirement to do so, notified patients that it had experienced a data breach.

Further, a recent survey of businesses by The Ponemon Institute, an organization that promotes responsible information and privacy management practices, revealed that data breaches cost companies an average total of $4.7 million, or $182 per compromised record, in 2006. About 70 percent of the costs were considered “indirect,” a result of lost business, also known as “churn.” Few consumers will continue to patronize businesses that tell them their credit card numbers and other entrusted information have been accessed or stolen by an “unauthorized party.”

Not surprisingly, since Act 138 was enacted, there have only been a handful of publicized data security breach notices issued by companies doing business in Wisconsin. Most of these notices have been issued by companies required to do so under foreign state data breach notice laws, not under Wisconsin law. Because there is little incentive to disclose a data breach, the majority of the 32+ states that have passed data breach notice laws (California being the first) require that entities provide consumers with notice of unauthorized disclosure of personal information regardless of the risk of identity theft. Many of these laws also contain express penalties, including criminal penalties, for failure to make the required disclosures.

If you're a business, Wisconsin's law isn't necessarily a bad thing. In fact, it's probably a good thing. There's been a national clamor by consumers for protections from identity theft. What better way to quiet the masses than with new legislation that appears to be a strong weapon to combat identity theft, but in reality is just a cheap plastic sword?

Mark Garsombke is an attorney with Whyte Hirschboeck Dudek, S.C., specializing in information technology, telecommunications, and HIPAA privacy and security law. He can be reached at (414) 978-5518 or


Randy Henrick responded 8 years ago: #1

This article is dead on accurate. The California and New York laws require notice of ANY unauthorized access but most of the recent laws have a "risk threshold" that is decided by the affected company alone. I know of several companies who "decided" the risk didn't merit notice, what a surprise. Your best protection is a security freeze law which I believe Wisconsin has passed. You can lock down your credit file by sending a certified letter to each of Equifax, Experian, and TransUnion. This is great protection for consumers although, of course, the credit industry is lobbying Congress hard to overrule them. So freeze your file and you will have meaningful protection against an ID thief opening new accounts in your name.

Dave Rasmussen responded 8 years ago: #2

No question, the Legislature and Gov. Doyle missed the mark. But I am optimistic because of what I've seen happen in other states. Take Florida for example. They were the first state to pass legislation requiring their county officials to redact (black out) social security numbers as well as credit and debit card numbers. While Florida got it right, it took them three attempts.

It is not hard to protect the official records that appear on the web. We (Extract Systems) have a fully automated solution in place where twenty Florida counties have already dealt with the problem. Our solution is also working in a dozen other states... many where no legislation exists but where the county official feels it is their responsibility to protect their constituents.

Earlier this year we helped the Ohio Secretary of State redact 6 million images in 45 days. There was added urgency because he was running for governor and was being sued by an individual whose identity was stolen from the State's web site.

The FTC, in their January 2006 report, states there were more than 250,000 identity theft complaints in the US. This is a 19% increase over 2003. The report also states that fully 9% of the ID thefts came from government sources.

I hope we don't have to wait too long for Wisconsin to get it right.

Abdul Tawala Alishtari responded 8 years ago: #3

You are spot on. You see the Homeland Security Laws after 9-11 and OECD bank treaties made privacy and confidentiality less a concern. So financial companies are trying to obey the law as ID theft took off. They were ambushed, surrounded and confuzzled. In the words of Visa and MasterCard, the bad guys are winning.

We got to stop chunkers from chunking. You see, the problem is chunkers. Chunkers are the guys who hire themselves out to cyber crime syndicates, as hackers, just to do one thing as white-collar criminals. They steal ID. They don't ask who, what, or why and they are paid usually in offshore accounts set up for one transaction only - often using offshore gold dealer card agencies which have the patina of respectability.

Chunkers started originally out of Russia, where there were more Ph.Ds and Master Degrees in programming without a viable economy to support them, so they hired themselves out to various post war cyber mafias on a per-task basis.

This started the present crisis because it mushroomed into an industry. Then a trend in the U. S. of A. is students don't want to be programmers anymore, so a lot of hi-tech engineers are now imported from Arab and Asian countries.

All a programmer has to do is buy systems upon which proprietary programming is designed and put a worm in it allowing him access and voila, worm wars, hacking, phishing, pharming and robots, oh my. Any ID online is not secure for this reason.

What is to stop terrorists from hiring a chunker for theft, sabotage, or money laundering and not telling him why? As if a chunker would care in the first place. It is foolish to assume this isn't happening.

Furthermore, the real problem is keeping private ID and PIN numbers off the Internet.

This exact thing was granted on July 22, 2003 in the U. S. A. by the USPTO to a predecessor company now owned by IDPixie LLC. That patent number is US 6,598.031 B1 to Mr. Jeffrey Ice, Inventor, for "APPARATUS AND METHOD FOR ROUTING ENCRYPTED TRANSACTION CARD IDENTIFYING DATA THROUGH A PUBLIC TELEPHONE NETWORK" i.e. Internet, phones or any electronic medium in the U. S. of A.
