Does Wisconsin require attorney general notification of a data breach?

Wisconsin no ag notification requirement. Affected individuals must still be notified, and large breaches may require notice to consumer reporting agencies.

What are the penalties for failing to report a data breach in Wisconsin?

Civil forfeitures up to $10,000 per violation, enforced by the AG and DATCP. Wisconsin's statute is Wis. Stat. 134.98.

State File WI / Breach Notification StatuteWis. Stat. 134.98Verified June 2026

State notification register

Wisconsin data breach notification law: within 45 days after learning of the unauthorized acquisition.

Wisconsin's breach-notification obligations are set by Wis. Stat. 134.98. This page summarises the deadline to notify affected residents, the attorney general notification threshold, whether a private right of action exists, and the penalties for late or missing notification. Every provision is cited to its source statute and was verified in June 2026.

Individual deadline

45 days

From discovery / determination

AG notification

Not required

No AG notification requirement

Private action

No PROA under the statute

Statute

Wis. Stat. 134.98

Section WI.1

What the statute requires

Under Wis. Stat. 134.98, a business that owns or licenses computerized personal information of Wisconsin residents must notify affected individuals within 45 days after learning of the unauthorized acquisition.

Attorney general notification: no ag notification requirement.

Section WI.2

What triggers notification

Like most US state statutes, notification is triggered by the unauthorized acquisition of unencrypted, unredacted computerized personal information that compromises its security, confidentiality, or integrity. Two concepts recur across the states and apply here.

Encryption safe harbor

Personal information that was encrypted, and where the encryption key was not also acquired, generally does not trigger notification. A stolen device with full-disk encryption is typically a non-event; an unencrypted record, or an encrypted record where the key was exposed alongside it, is a reportable breach.

Who must be notified

[1] Affected Wisconsin residents: 45 days
[2] Attorney general / state agency: no ag notification requirement
[3] Consumer reporting agencies where the breach is large-scale

Section WI.3

Penalties and enforcement

Civil forfeitures up to $10,000 per violation, enforced by the AG and DATCP.

Private right of action: No. No PROA under the statute; failure to notify may support separate negligence claims.

Primary source:Wisconsin statute Wis. Stat. 134.98; verified June 2026 against state statutory summaries and the underlying statute text.

Section WI.4

How this compares to the strictest states

The strictest US deadlines are 30 days (California, Florida, Washington, Colorado, Maine, New York, New Jersey). The majority of states use a qualitative "without unreasonable delay" standard with no fixed day cap. Here is where Wisconsin sits.

Wisconsin imposes a fixed 45-day deadline. The strictest states cut this to 30 days, so Wisconsin sits 15 days behind the tightest regimes.

Cross-references

Index / All 50 states + DC

→

The full register: deadline and AG threshold for every state.

Schedule 09 / Notification laws

→

Global frameworks and the cost of notification.

01 / Breach cost calculator

→

Estimate your Wisconsin breach exposure, including notification cost.

Regulation / GDPR

→

The 72-hour clock and 4%-of-revenue fine framework.

Cost / Notification

→

Why notification is roughly 6% of total breach cost.

Schedule F / Reference Q&A

Frequently Asked Questions

Primary source:Wisconsin data breach notification statute (Wis. Stat. 134.98). Provisions verified June 2026 against state statutory summaries (Recording Law US data-privacy series, 2026 edition), the IAPP US State Data Breach Notification Chart, Foley & Lardner's chart, and the underlying statute text.