Wisconsin Data Breach Notification Package
(Compliant with Wis. Stat. § 134.98 and prevailing best-practice standards)
[// GUIDANCE: This template provides two coordinated letters—one for the Wisconsin Attorney General (or other designated state regulator) and one for affected Wisconsin residents. Use both letters together. Bracketed text must be customized. Remove all guidance comments before finalizing.]
TABLE OF CONTENTS
- Cover Memorandum (Internal Use Only)
- Letter A – Attorney General / Regulator Notification
- Letter B – Consumer Notification
- Exhibit 1 – “Reference Guide: Protecting Your Personal Information” (to accompany Letter B)
1. COVER MEMORANDUM
(Internal – do not submit)
• Subject: Wisconsin Data Security Incident – Statutory Notification Packet
• Statute Triggered: Wis. Stat. § 134.98 (Notice of unauthorized acquisition of personal information)
• Statutory Deadlines: Notice “within a reasonable time, not to exceed 45 days” after discovery, unless law-enforcement delay applies.
• Agency Notice: No statutory AG notice is mandated; however, many organizations send courtesy notice to the Wisconsin Department of Justice and/or the Department of Agriculture, Trade & Consumer Protection. This template assumes such notice is desired.
• Consumer Reporting Agencies: Required if ≥ 1,000 individuals nationwide are being notified.
• Law-Enforcement Hold: [YES/NO]. If “YES,” attach written request and recalibrate deadlines.
[// GUIDANCE: Keep this memo in the file to evidence statutory compliance and decision-making.]
2. LETTER A – ATTORNEY GENERAL / REGULATOR NOTIFICATION
[COMPANY LETTERHEAD]
[Street Address] • [City, State ZIP] • [Telephone] • [Email]
[DATE]
VIA ELECTRONIC & FEDERAL EXPRESS
The Honorable [Name]
Attorney General of the State of Wisconsin
Wisconsin Department of Justice
17 West Main Street
Madison, WI 53703
Re: Courtesy Notice of Data Security Incident – Wis. Stat. § 134.98 Compliance
Dear Attorney General [Last Name]:
[1.] Introduction & Statutory Basis
Pursuant to Wis. Stat. § 134.98 and as a matter of courtesy, [COMPANY LEGAL NAME], a [STATE OF INCORPORATION] [corporation/LLC/other] (“Company”), hereby provides notice of a data security incident involving the unauthorized acquisition of Personal Information of certain Wisconsin residents (“Incident”).
[2.] Date of Incident & Discovery
The Incident occurred on or about [INCIDENT DATE(S)]. It was discovered on [DISCOVERY DATE]. Company completed a prompt and thorough investigation on [INVESTIGATION CONCLUSION DATE] and is providing this notice within the 45-day statutory period.
[3.] Nature of the Incident
Preliminary forensics indicate that an unauthorized third party gained access to [SYSTEM/PLATFORM] via [VECTOR, e.g., phishing credentials], permitting the acquisition of files that contained Personal Information.
[4.] Types of Personal Information Impacted
The impacted data elements may have included one or more of the following, as defined in Wis. Stat. § 134.98(1)(b):
• Full name in combination with:
– Social Security number;
– Driver’s license or Wisconsin ID card number;
– Financial account number in combination with access code/PIN; and/or
– [Other data elements].
[5.] Affected Population
Total individuals impacted: [TOTAL #], of which [WI RESIDENT #] are Wisconsin residents.
[// GUIDANCE: If ≥ 1,000 individuals are affected, add the consumer-reporting-agency paragraph below.]
[6.] Consumer Reporting Agency Notice
Because more than 1,000 individuals nationwide are being notified, Company concurrently notified the nationwide consumer reporting agencies pursuant to Wis. Stat. § 134.98(3m)(a).
[7.] Remediation Measures
Immediately upon discovery, Company:
a. Contained and eradicated the threat;
b. Engaged a leading cybersecurity forensics firm;
c. Reset all relevant credentials and enhanced MFA protocols;
d. Implemented system hardening recommendations; and
e. Is offering [12/24] months of complimentary credit monitoring and identity-theft restoration services to affected individuals.
[8.] Consumer Notification
Written notice to affected Wisconsin residents will be mailed (first-class) beginning [MAIL-START DATE], a sample of which is enclosed as Exhibit A.
[9.] Contact Information
Please direct any questions to:
• [NAME, TITLE]
• Telephone: [DIRECT LINE]
• Email: [EMAIL ADDRESS]
Respectfully submitted,
[NAME]
[Title]
[COMPANY LEGAL NAME]
Enclosures:
• Exhibit A – Sample Consumer Notification Letter
3. LETTER B – CONSUMER NOTIFICATION
[COMPANY LETTERHEAD]
[Street Address] • [City, State ZIP] • [Toll-Free Call Center #] • [Incident-Specific Email/Website]
[DATE]
[First Name] [Last Name]
[Street Address]
[City, State ZIP]
Re: Notice of Data Security Incident
Dear [First Name],
[1.] What Happened?
On [INCIDENT DATE], we detected suspicious activity in our [SYSTEM/PLATFORM]. Our investigation, concluded on [INVESTIGATION CONCLUSION DATE], determined that an unauthorized person acquired copies of certain files between [DATE RANGE].
[2.] What Information Was Involved?
The information involved varies by individual and may have included your:
• [☐] Social Security number
• [☐] Driver’s license or Wisconsin ID card number
• [☐] Financial account number + access code/PIN
• [☐] [Other]
Importantly, no passwords or biometric data were involved.
[// GUIDANCE: Delete/modify as applicable.]
[3.] What We Are Doing
• We immediately secured our systems and engaged a nationally recognized cybersecurity firm.
• We reported the Incident to federal law enforcement and will cooperate with any investigation.
• We are enhancing our network security, including multi-factor authentication and continuous monitoring.
• Complimentary Credit Monitoring: We have arranged for [12/24] months of free credit monitoring and identity-theft protection through [SERVICE PROVIDER]. Your unique enrollment code is: [CODE]. Please enroll by [ENROLLMENT DEADLINE].
[4.] What You Can Do
We encourage you to:
a. Enroll in the credit-monitoring service.
b. Review the “Reference Guide” enclosed, which includes contact information for major credit bureaus, guidance on fraud alerts and security freezes, and additional best practices.
c. Remain vigilant by reviewing account statements and monitoring free credit reports.
[5.] For More Information
If you have questions, please contact our dedicated call center at [TOLL-FREE #] (Monday–Friday, 8 a.m.–8 p.m. CT) or email [EMAIL ADDRESS].
We regret any concern this Incident may cause and are committed to safeguarding your information.
Sincerely,
[NAME]
[Title]
[COMPANY LEGAL NAME]
Enclosure:
• Exhibit 1 – “Reference Guide: Protecting Your Personal Information”
4. EXHIBIT 1 – REFERENCE GUIDE: PROTECTING YOUR PERSONAL INFORMATION
[// GUIDANCE: Provide standardized consumer-protection information, including credit-bureau contact data, fraud-alert instructions, security-freeze instructions (Wisconsin allows freezes free of charge), FTC identity-theft resources, and IRS fraud-affidavit information for SSN exposure.]
KEY STATUTORY COMPLIANCE CHECKLIST (WI)
- Notice dispatched ≤ 45 days after discovery (Wis. Stat. § 134.98(2)(a)).
- Law-enforcement delay documented if applicable (Id. § 134.98(2)(b)).
- Individual notice by first-class mail unless an alternative permitted method is selected (Id. § 134.98(3)).
- Substitute notice criteria reviewed if cost > $250,000 or ≥ 500,000 persons or insufficient addresses (Id. § 134.98(3m)(b)).
- Consumer-reporting-agency notice provided if ≥ 1,000 persons (Id. § 134.98(3m)(a)).
- Courtesy AG notice prepared (best practice; not statutorily mandated).
[// GUIDANCE:
1. Confirm Wisconsin residency counts carefully—include former addresses if last known address is in WI.
2. Retain written proof of all mailings and dates for at least five years.
3. Review any contractual or federal sector-specific notice obligations (HIPAA, GLBA, etc.) that may run concurrently.
4. Remove any information that could impede a criminal investigation, if so requested by law enforcement.
]
© [YEAR] [COMPANY LEGAL NAME]. All rights reserved. This template is provided for attorney use and must be customized to the facts of each Incident.