Wisconsin 2023-2024 Regular Session

Wisconsin Assembly Bill AB824 Compare Versions

Only one version of the bill is available at this time.

Old	New	Differences
1	1	LRB-2528/1
2	2	MDE:amn
3	3	2023 - 2024 LEGISLATURE
4	4	2023 ASSEMBLY BILL 824
5	5	December 22, 2023 - Introduced by Representatives ZIMMERMAN, GUSTAFSON,
6	6	MICHALSKI, BINSFELD and MAXEY. Referred to Committee on State Affairs.
7	7	*AUTHORS SUBJECT TO CHANGE*
8	8	AN ACT to create 100.75 of the statutes; relating to: establishing standards for
9	9	the sharing of sensitive information between separate legal entities.
10	10	Analysis by the Legislative Reference Bureau
11	11	This bill establishes requirements, standards, and collaborative requirements
12	12	for entities that own, control, and share personal data. The bill governs three types
13	13	of data controllers: 1) data owners, meaning any person that generates, collects, or
14	14	uses data for its own purposes; 2) data custodians, meaning any person that provides
15	15	data security and storage on behalf of a data owner; and 3) data stewards, meaning
16	16	any person that uses or facilitates the use of data on behalf of a data owner.
17	17	Data is defined in the bill as including “sensitive information,” which is defined
18	18	as information that, if disclosed or accessed by unauthorized parties, could result in
19	19	harm, privacy violations, or negative consequences for individuals or entities.
20	20	“Sensitive information” includes “personally identifiable information,” meaning
21	21	information that is or can reasonably be linked to an identified person, identifiable
22	22	person, or device linked to a person, and “nonpublic or privately held information,”
23	23	meaning information that is not publicly available or accessible to the general public;
24	24	is restricted to a specific group of individuals or entities; is considered confidential
25	25	or proprietary; is protected by privacy regulations; and requires appropriate
26	26	safeguards to prevent unauthorized access, use, or disclosure. The requirements of
27	27	the bill apply to data controllers who use or facilitate the use of sensitive information.
28	28	Under the bill, a data owner must limit the access to, sharing of, and use of its
29	29	data to what is adequate, relevant, and reasonably necessary for the purposes for
30	30	which the data is collected or generated. A data owner must also establish and
31	31	1
32	32	2 - 2 -2023 - 2024 Legislature LRB-2528/1
33	33	MDE:amn
34	34	ASSEMBLY BILL 824
35	35	ensure compliance with relevant regulatory requirements and with internal policies
36	36	related to the review of data sharing and data use requests; data handling best
37	37	practices; and the handling of data agreement breaches, security incidents, and
38	38	related disputes.
39	39	Under the bill, a data custodian must provide a secure environment for the
40	40	storage of a data owner's data that is designed and configured in a manner that
41	41	reflects best practices in data security on subjects including identity and access
42	42	management controls, role-based permissions, data encryption, cyber security
43	43	threat monitoring, and recovery capabilities in the event of a disaster. A data
44	44	custodian must also establish and ensure compliance with internal policies and
45	45	procedures related to data access control, data retention and data destruction,
46	46	auditing capabilities and the performance of audits, the periodic review of new and
47	47	changing business and regulatory requirements that may impact data solution
48	48	organization, and any other requirements established in a data agreement. A data
49	49	custodian must also establish and ensure compliance with internal policies and
50	50	procedures related to security incidents and auditing.
51	51	Under the bill, a data steward must establish and ensure compliance with
52	52	internal policies and procedures related to various data handling practices.
53	53	If a data owner enters into an agreement with a data custodian or a data
54	54	steward, the agreement must meet the requirements described in the bill. Such an
55	55	agreement must identify all relevant parties, data sets, permitted uses and
56	56	restrictions of data, confidentiality requirements, law governing the data, and law
57	57	governing the agreement. Such an agreement must also include statements
58	58	regarding the response to security incidents, the term of the agreement, the terms
59	59	for terminating the agreement, and the authorization for or prohibition of the
60	60	collection and analysis of metadata, or data that describes other data. Such an
61	61	agreement between a data owner and a data custodian must include statements
62	62	regarding auditing capabilities and requirements.
63	63	The people of the state of Wisconsin, represented in senate and assembly, do
64	64	enact as follows:
65	65	SECTION 1. 100.75 of the statutes is created to read:
66	66	100.75 Requirements and standards for the sharing of sensitive
67	67	information between separate legal entities. (1) DEFINITIONS. In this section:
68	68	(a) “Data” includes sensitive information, such as personally identifiable
69	69	information and nonpublic or privately held information, and nonsensitive
70	70	information, such as public information or deidentified personal information.
71	71	1
72	72	2
73	73	3
74	74	4
75	75	5
76	76	6 - 3 -2023 - 2024 Legislature
77	77	LRB-2528/1
78	78	MDE:amn
79	79	SECTION 1
80	80	ASSEMBLY BILL 824
81	81	(b) “Data agreement” means a written data contract entered into between data
82	82	controllers. “Data agreement” includes any of the following:
83	83	1. Data sharing agreements establishing terms for a data custodian providing
84	84	storage of data owned by a data owner.
85	85	2. Data use agreements establishing terms for a data steward using data owned
86	86	by a data owner for a specific mutually agreed-upon purpose.
87	87	3. Data access agreements establishing terms for a data steward using data
88	88	owned by a data owner and housed within a data custodian's data storage
89	89	environment.
90	90	(c) “Data controller” means any entity, public or private, that determines the
91	91	purposes and means of processing data, and that is responsible for complying with
92	92	applicable data protection laws and ensuring that data is handled in a lawful and
93	93	responsible manner. “Data controller” includes data custodians, data owners, and
94	94	data stewards.
95	95	(d) “Data custodian” means any person that provides data storage on behalf of
96	96	a data owner.
97	97	(e) “Data owner” means any person that generates, collects, or uses data for its
98	98	own purposes.
99	99	(f) “Data steward” means any person that uses or facilitates the use of data on
100	100	behalf of a data owner.
101	101	(g) “Deidentified personal information” means information that cannot
102	102	reasonably be linked to an identified person, identifiable person, or device linked to
103	103	a person. “Deidentified personal information” includes aggregated information,
104	104	generalized information, and randomized information.
105	105	1
106	106	2
107	107	3
108	108	4
109	109	5
110	110	6
111	111	7
112	112	8
113	113	9
114	114	10
115	115	11
116	116	12
117	117	13
118	118	14
119	119	15
120	120	16
121	121	17
122	122	18
123	123	19
124	124	20
125	125	21
126	126	22
127	127	23
128	128	24 - 4 -2023 - 2024 Legislature LRB-2528/1
129	129	MDE:amn
130	130	SECTION 1 ASSEMBLY BILL 824
131	131	(h) “Enhanced data” means data that has been standardized, derived,
132	132	aggregated, organized, corrected, verified, augmented, merged with other data, or
133	133	otherwise prepared for further analysis or use. “Enhanced data” may be based on
134	134	data from more than one data owner.
135	135	(i) “Metadata” means data that describes other data.
136	136	(j) “Nonpublic or privately held information” means information that is not
137	137	publicly available or accessible to the general public; is restricted to a specific group
138	138	of individuals or entities; is considered confidential or proprietary; is protected by
139	139	privacy regulations; and requires appropriate safeguards to prevent unauthorized
140	140	access, use, or disclosure. “Nonpublic or privately held information” includes
141	141	intellectual property, financial information, confidential business agreements, and
142	142	regulatory information.
143	143	(k) “Nonsensitive information” means information that is not subject to legal
144	144	protections due to its nature or potential impact on individuals' privacy, security, or
145	145	other rights. “Nonsensitive information” includes public information and
146	146	deidentified personal information.
147	147	(L) “Personally identifiable information” means information that is or can
148	148	reasonably be linked to an identified person, identifiable person, or device linked to
149	149	a person. “Personally identifiable information” includes identifying attributes,
150	150	contact information, personal characteristics, financial information, biometric data,
151	151	health and medical information, online identifiers, and education and employment
152	152	information.
153	153	(m) “Public information” means information that is lawfully made available
154	154	through federal, state, or local government records, or information that is reasonably
155	155	believed to be lawfully made available to the general public through widely
156	156	1
157	157	2
158	158	3
159	159	4
160	160	5
161	161	6
162	162	7
163	163	8
164	164	9
165	165	10
166	166	11
167	167	12
168	168	13
169	169	14
170	170	15
171	171	16
172	172	17
173	173	18
174	174	19
175	175	20
176	176	21
177	177	22
178	178	23
179	179	24
180	180	25 - 5 -2023 - 2024 Legislature
181	181	LRB-2528/1
182	182	MDE:amn
183	183	SECTION 1
184	184	ASSEMBLY BILL 824
185	185	distributed media by the consumer or by a person to whom the consumer has
186	186	disclosed the information, unless the consumer has restricted the information to a
187	187	specific audience.
188	188	(n) “Sensitive information” means any type of information that, if disclosed or
189	189	accessed by unauthorized parties, could result in harm, privacy violations, or
190	190	negative consequences for individuals or entities. “Sensitive information” includes
191	191	information that requires special protection due to its nature and includes
192	192	personally identifiable information and nonpublic or privately held information.
193	193	“Sensitive information” includes nonsensitive information that is mingled with
194	194	sensitive information.
195	195	(2) REQUIREMENTS FOR DATA CONTROLLERS. (a) A data owner that generates,
196	196	collects, or uses sensitive information shall do all of the following:
197	197	1. Limit the access to, sharing of, and use of its data to what is adequate,
198	198	relevant, and reasonably necessary for the purposes for which the data is collected
199	199	or generated.
200	200	2. Establish and ensure compliance with internal policies and procedures
201	201	governing the review of data sharing and data use requests. Such policies and
202	202	procedures shall include all of the following:
203	203	a. A schedule indicating how often the data owner will review requests.
204	204	b. Assessment criteria for the approval or rejection of requests.
205	205	c. Documentation of the rationale for the rejection of a request.
206	206	d. Notice of the rejection to the requesting entity.
207	207	3. Establish and ensure compliance with internal policies and with any
208	208	relevant regulatory requirements on the sharing of sensitive information with
209	209	another legal entity.
210	210	1
211	211	2
212	212	3
213	213	4
214	214	5
215	215	6
216	216	7
217	217	8
218	218	9
219	219	10
220	220	11
221	221	12
222	222	13
223	223	14
224	224	15
225	225	16
226	226	17
227	227	18
228	228	19
229	229	20
230	230	21
231	231	22
232	232	23
233	233	24
234	234	25 - 6 -2023 - 2024 Legislature LRB-2528/1
235	235	MDE:amn
236	236	SECTION 1 ASSEMBLY BILL 824
237	237	4. Establish and ensure compliance with internal policies and procedures that
238	238	reflect best practices of data handling on all of the following subjects:
239	239	a. Identity and access management controls, including limiting the access to
240	240	any data subject to a data agreement.
241	241	b. Data retention and data destruction.
242	242	c. The periodic review of new and changing business and regulatory
243	243	requirements that may impact data sharing.
244	244	5. Establish and ensure compliance with internal policies and procedures
245	245	regarding the handling of data agreement breaches; security incidents, in
246	246	compliance with s. 134.98; and related disputes.
247	247	(b) A data custodian that provides storage for sensitive information shall do all
248	248	of the following:
249	249	1. Provide a secure environment for the storage of a data owner's data. The
250	250	environment shall be designed and configured in a manner that reflects best
251	251	practices of data security on subjects including all of the following:
252	252	a. Identity and access management controls, including limiting the access to
253	253	any data subject to a data agreement.
254	254	b. Role-based permissions, including limiting the access to data subject to a
255	255	data agreement to only authorized users.
256	256	c. Data encryption at rest and in transit.
257	257	d. Cyber security monitoring and threat detection.
258	258	e. Recovery capabilities in the event of a disaster, such as fail-over, backup, and
259	259	restore capabilities.
260	260	2. Establish and ensure compliance with internal policies and procedures that
261	261	reflect best practices on all of the following subjects:
262	262	1
263	263	2
264	264	3
265	265	4
266	266	5
267	267	6
268	268	7
269	269	8
270	270	9
271	271	10
272	272	11
273	273	12
274	274	13
275	275	14
276	276	15
277	277	16
278	278	17
279	279	18
280	280	19
281	281	20
282	282	21
283	283	22
284	284	23
285	285	24
286	286	25 - 7 -2023 - 2024 Legislature
287	287	LRB-2528/1
288	288	MDE:amn
289	289	SECTION 1
290	290	ASSEMBLY BILL 824
291	291	a. Data access control.
292	292	b. Data retention and data destruction.
293	293	c. Auditing capabilities and the performance of audits.
294	294	d. The periodic review of new and changing business and regulatory
295	295	requirements that may impact data solution organization.
296	296	e. Any other requirements established in a data agreement.
297	297	3. Establish and ensure compliance with internal policies and procedures
298	298	related to security incidents that include all of the following:
299	299	a. A description of the severity levels by which security incidents are classified
300	300	with descriptions and relevant examples for each severity classification.
301	301	b. The number of hours after a security incident is detected when a data
302	302	custodian must notify the data owner and data steward of the incident and the timing
303	303	of subsequent updates, based on the nature or severity of the incident.
304	304	c. A policy and process to designate a specific member of the data custodian's
305	305	team to provide security incident communications to the data owner and data
306	306	steward.
307	307	d. A policy to inform the data owner and data steward of the time the incident
308	308	occurred, if known; the time the incident was detected; the nature of the incident,
309	309	including which data sets were known to have been impacted; the severity of the
310	310	incident; the remediation steps that have been or will be taken; the estimated
311	311	timeline to resolve the incident; and a way for the data owner or data steward to
312	312	contact the data custodian to seek further information about the incident.
313	313	e. A policy to provide a follow-up notification after the resolution of an incident
314	314	that includes the time the incident was resolved, the nature of the resolution, any
315	315	changes to the data custodian's systems or protocols to prevent subsequent incidents,
316	316	1
317	317	2
318	318	3
319	319	4
320	320	5
321	321	6
322	322	7
323	323	8
324	324	9
325	325	10
326	326	11
327	327	12
328	328	13
329	329	14
330	330	15
331	331	16
332	332	17
333	333	18
334	334	19
335	335	20
336	336	21
337	337	22
338	338	23
339	339	24
340	340	25 - 8 -2023 - 2024 Legislature LRB-2528/1
341	341	MDE:amn
342	342	SECTION 1 ASSEMBLY BILL 824
343	343	and any recommended changes to the data owner's or data steward's systems
344	344	protocols to prevent subsequent incidents.
345	345	f. A record retention policy that requires the data custodian to maintain records
346	346	detailing its response to security incidents for a reasonable time after the resolution
347	347	of the security incident.
348	348	4. Establish and ensure compliance with internal policies and procedures
349	349	related to auditing capabilities that require the data custodian to perform an audit
350	350	of its systems at the request of the data owner.
351	351	(c) A data steward that uses or facilitates the use of sensitive information shall
352	352	do all of the following:
353	353	1. Establish and ensure compliance with internal policies and procedures that
354	354	reflect best practices of data handling on subjects including all of the following:
355	355	a. Standards, policies, procedures, and requirements for requesting, accessing,
356	356	interpreting, and using data.
357	357	b. Identity and access management controls, including limiting the access to
358	358	any data subject to a data agreement.
359	359	c. Verification of data outputs to meet quality, accuracy, and reliability
360	360	specifications.
361	361	d. Establishment of data element definitions and lineage.
362	362	e. Establishment and maintenance of auditing policies, procedures, and
363	363	reporting.
364	364	f. Policies and procedures regarding data retention and destruction.
365	365	g. Interpretation of new and changing business and regulatory requirements
366	366	that may impact data solution organization.
367	367	h. Any other requirements established in a data agreement.
368	368	1
369	369	2
370	370	3
371	371	4
372	372	5
373	373	6
374	374	7
375	375	8
376	376	9
377	377	10
378	378	11
379	379	12
380	380	13
381	381	14
382	382	15
383	383	16
384	384	17
385	385	18
386	386	19
387	387	20
388	388	21
389	389	22
390	390	23
391	391	24
392	392	25 - 9 -2023 - 2024 Legislature
393	393	LRB-2528/1
394	394	MDE:amn
395	395	SECTION 1
396	396	ASSEMBLY BILL 824
397	397	2. Establish and ensure compliance with policies and procedures regarding the
398	398	handling of data agreement breaches, security incidents, in compliance with s.
399	399	134.98, and related disputes.
400	400	(3) AGREEMENTS BETWEEN DATA CONTROLLERS. Data agreements are required
401	401	when sensitive information controlled by one data controller is to be shared with,
402	402	accessed by, or used by another data controller. A data agreement shall contain all
403	403	of the following provisions:
404	404	(a) Identification of the parties to the agreement.
405	405	(b) Identification of the data subject to the agreement.
406	406	(c) Identification of the permitted uses and restrictions of the data subject to
407	407	the agreement, including whether the data owner permits the data controller to
408	408	share with another entity any enhanced data that was based on the data owner's
409	409	original data.
410	410	(d) Identification of any confidentiality requirements for the data subject to the
411	411	agreement.
412	412	(e) Identification of the law governing the data subject to the agreement, such
413	413	as the federal Family Educational Rights and Privacy Act, the federal Health
414	414	Insurance Portability and Accountability Act, the federal Health Information
415	415	Technology for Economic and Clinical Health Act, the federal Criminal Justice
416	416	Information Services Security Policy, or the federal Children's Online Privacy
417	417	Protection Rule.
418	418	(f) Identification of the governing law and venue that shall govern the validity,
419	419	construction, enforcement, and interpretation of the agreement.
420	420	(g) Provisions governing the response to security incidents, in compliance with
421	421	s. 134.98, including all of the following:
422	422	1
423	423	2
424	424	3
425	425	4
426	426	5
427	427	6
428	428	7
429	429	8
430	430	9
431	431	10
432	432	11
433	433	12
434	434	13
435	435	14
436	436	15
437	437	16
438	438	17
439	439	18
440	440	19
441	441	20
442	442	21
443	443	22
444	444	23
445	445	24
446	446	25 - 10 -2023 - 2024 Legislature LRB-2528/1
447	447	MDE:amn
448	448	SECTION 1 ASSEMBLY BILL 824
449	449	1. The name and contact information of one or more individuals who are
450	450	authorized to provide and receive security incident communications pertaining to
451	451	the data subject to the agreement.
452	452	2. An attestation from a data custodian that it has established and agrees to
453	453	comply with security incident policies and procedures under sub. (2) (b) 3.
454	454	(h) Definition of the term of the data agreement. A data agreement under this
455	455	section shall remain in effect until a mutually agreed upon termination date or until
456	456	all data subject to the agreement is destroyed or returned to the data owner,
457	457	whichever occurs first.
458	458	(i) Provisions regarding the right to terminate the agreement, including all of
459	459	the following:
460	460	1. Conditions under which the agreement may be terminated.
461	461	2. The method of notification required before termination is effective.
462	462	3. The advance notice period required before termination is effective.
463	463	4. Any special circumstances under which immediate termination of the
464	464	agreement may be pursued.
465	465	(j) Provisions regarding authorization for or prohibition of the collection and
466	466	analysis of metadata.
467	467	(k) In a data sharing agreement between a data owner and a data custodian,
468	468	provisions regarding auditing capabilities and the performance of audits. A data
469	469	custodian shall attest that it has enabled appropriate capabilities to support
470	470	compliance with the regulatory statutes identified in the agreement and shall agree,
471	471	at the request of the data owner, to perform an audit of the data owner's data under
472	472	its custodianship. Such an audit shall have a mutually agreed upon scope and shall
473	473	be performed within a mutually agreed upon time frame.
474	474	1
475	475	2
476	476	3
477	477	4
478	478	5
479	479	6
480	480	7
481	481	8
482	482	9
483	483	10
484	484	11
485	485	12
486	486	13
487	487	14
488	488	15
489	489	16
490	490	17
491	491	18
492	492	19
493	493	20
494	494	21
495	495	22
496	496	23
497	497	24
498	498	25 - 11 -2023 - 2024 Legislature
499	499	LRB-2528/1
500	500	MDE:amn
501	501	SECTION 1
502	502	ASSEMBLY BILL 824
503	503	(L) Any other requirements as established by any party to the agreement.
504	504	(END)
505	505	1
506	506	2