(1) If a licensee learns that a cybersecurity event involving the licensee’s information systems or nonpublic information has or may have occurred, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall conduct a prompt investigation that, at a minimum, includes all of the following: (a) An assessment of the nature and scope of the cybersecurity event. (b) The identification of any nonpublic information that was or may have been involved in the cybersecurity event. (c) The performance of reasonable measures to restore the security of the licensee’s information systems compromised in the cybersecurity event and prevent additional unauthorized acquisition, release, or use of nonpublic information. (2) If a licensee knows that a cybersecurity event has or may have occurred in an information system maintained by a 3rdparty service provider, the licensee shall comply with sub. (1) or make reasonable efforts to confirm and document that the 3rdparty service provider has either complied with sub. (1) or failed to cooperate with the investigation under sub. (1). (3) The licensee shall maintain records concerning a cybersecurity event for a period of at least 5 years starting from the date of the cybersecurity event and shall produce the records upon demand of the commissioner.
‹ Prev All Wisconsin sections Next ›
Lexace provides legal information, not legal advice, and no attorney–client relationship is created. Statute text is provided for general information and may not reflect the most recent amendments; verify against the official state code.