AB123-SA1,7,1919 6. As otherwise required or authorized by law.

AB123-SA1,7,2420 (d) Solicitation and exercise of customer approval. 1. A broadband Internet
21access service provider shall request the approval required under par. (a) or (b) at the
22point of sale to a customer and at the time the provider makes a material change to
23its policies concerning the privacy of information that the provider obtains about a
24customer.

AB123-SA1,8,3

---

12. A broadband Internet access service provider shall request customer
2approval clearly and conspicuously, in language that is readily understandable and
3not misleading, and each request shall include all of the following:

AB123-SA1,8,54 a. A disclosure of the types of customer proprietary information for which the
5provider is seeking customer approval to use, disclose, or permit access to.

AB123-SA1,8,76 b. A disclosure of the purposes for which the customer's proprietary
7information will be used.

AB123-SA1,8,98 c. A disclosure of the categories of entities to which the provider intends to
9disclose or permit access to the customer proprietary information.

AB123-SA1,8,1010 d. A means to easily access the notice required under sub. (2) (a) or (c).

AB123-SA1,8,1111 e. A means to easily access the mechanism required under subd. 3.

AB123-SA1,8,1412 3. A broadband Internet access service provider shall make available, at no
13additional cost to the customer, a mechanism for a customer to grant, deny, or
14withdraw opt-in approval or opt-out approval, or both, at any time.

AB123-SA1,8,1815 4. A broadband Internet access service provider shall give effect to a customer's
16grant, denial, or withdrawal of approval promptly, and the grant, denial, or
17withdrawal of approval shall remain in effect until the customer revokes or limits the
18grant, denial, or withdrawal of approval.

AB123-SA1,8,2319 5. If a broadband Internet access service provider transacts business with a
20customer in a language other than English, the provider shall translate the contents
21required under subd. 2. and the instructions for using the mechanism required under
22subd. 3. into the language through which the provider transacts business with the
23customer.

AB123-SA1,9,3

---

1(4) Data security. (a) A broadband Internet access service provider shall take
2reasonable security measures to protect customer proprietary information from
3unauthorized use, disclosure, or access.

AB123-SA1,9,64 (b) In implementing reasonable security measures under par. (a), a broadband
5Internet access service provider shall appropriately take into account each of the
6following factors:

AB123-SA1,9,77 1. The nature and scope of the provider's activities.

AB123-SA1,9,88 2. The sensitivity of the data it collects.

AB123-SA1,9,99 3. The size of the provider.

AB123-SA1,9,1010 4. The technical feasibility of implementing the security measures.

AB123-SA1,9,17 11(5) Data breach notification. (a) Customer notification. 1. Except as provided
12in subd. 4., a broadband Internet access service provider shall, without unreasonable
13delay, notify a customer about any breach of security involving customer proprietary
14information pertaining to that customer within 30 days after the provider reasonably
15determines that a breach of security has occurred unless the provider reasonably
16determines that no harm to the customer is reasonably likely to occur as a result of
17the breach of security.

AB123-SA1,9,1918 2. A broadband Internet access service provider shall notify a customer about
19a breach of security under subd. 1. by at least one of the following methods:

AB123-SA1,9,2320 a. A written notification sent to either the customer's electronic mail address
21or the postal address of record of the customer, or, for former customers, to the last
22postal address ascertainable after reasonable investigation using commonly
23available sources.

AB123-SA1,9,2524 b. Other electronic means of prompt communication agreed upon by the
25customer for contacting that customer for breach of security notification purposes.

AB123-SA1,10,2

---

13. A broadband Internet access service provider shall provide all of the
2following information in a notice required under subd. 1.:

AB123-SA1,10,33 a. The date, estimated date, or estimated date range of the breach of security.

AB123-SA1,10,64 b. A description of the customer proprietary information that was involved in
5the breach of security or reasonably believed to have been involved in the breach of
6security.

AB123-SA1,10,97 c. Information that the customer may use to contact the provider to inquire
8about the breach of security and the customer proprietary information that the
9provider maintains about that customer.

AB123-SA1,10,1110 d. Information about how to contact the department and any federal agencies
11relevant to the service provided to the customer.

AB123-SA1,10,1612 e. If the breach of security creates a risk of financial harm, information about
13the national credit-reporting agencies and the steps customers can take to guard
14against identity theft, including any credit monitoring, credit reporting, credit
15freezes, or other consumer protections that the provider is offering customers
16affected by the breach of security, including security freezes under s. 100.54.

AB123-SA1,10,1817 4. Upon the request of a law enforcement agency, a broadband Internet access
18service provider shall not disclose a breach of security to a customer.

AB123-SA1,10,2419 (b) Notification to government agencies. 1. Except as provided in subd. 3., a
20broadband Internet access service provider shall notify the department and the
21department of justice of any breach of security affecting 5,000 or more customers no
22later than 7 business days after the provider reasonably determines that a breach
23of security has occurred and at least 3 business days before notifying the affected
24customers under par. (a) 1.

AB123-SA1,11,4

---

12. Except as provided in subd. 3., a broadband Internet access service provider
2shall, without unreasonable delay, notify the department of any breach of security
3affecting fewer than 5,000 customers within 30 days after the provider reasonably
4determines that a breach of security has occurred.

AB123-SA1,11,75 3. A broadband Internet access service provider is not required to notify the
6department under subd. 1. or 2. if it reasonably determines that no harm to
7customers is reasonably likely to occur as a result of the breach of security.

AB123-SA1,11,118 (c) Record keeping. 1. Except as provided in subd. 3., a broadband Internet
9access service provider shall maintain a record, electronically or in some other
10manner, of each breach of security and the notifications made to customers under
11par. (a) 1. regarding that breach. The record shall include all of the following:

AB123-SA1,11,1312 a. The date that the provider first determines that the breach of security
13occurred.

AB123-SA1,11,1414 b. The date that customers were notified.

AB123-SA1,11,1515 c. A written copy of all customer notifications.

AB123-SA1,11,1816 2. A broadband Internet access service provider shall retain the record required
17under subd. 1. for at least 2 years from the date on which the provider first
18determines that the breach of security occurred.

AB123-SA1,11,2119 3. A broadband Internet access service provider is not required to maintain a
20record under subd. 1. if it reasonably determines that no harm to customers is
21reasonably likely to occur as a result of the breach of security.

AB123-SA1,11,25 22(6) Internet access service offers conditioned on waiver of privacy. (a) A
23broadband Internet access service provider may not refuse to provide broadband
24Internet access service because a customer or prospective customer does not provide
25approval required under sub. (3) (a) or (b).

AB123-SA1,12,4

---

1(b) A broadband Internet access service provider that offers a financial
2incentive program, such as lower rates, in exchange for a customer's approval to use,
3disclose, or permit access to the customer's proprietary information shall do all of the
4following:

AB123-SA1,12,65 1. Provide a notice explaining the terms of the financial incentive program that
6includes all of the following:

AB123-SA1,12,87 a. An explanation that the program requires opt-in approval from the
8customer to use, disclose, or permit access to the customer's proprietary information.

AB123-SA1,12,119 b. Information about what customer proprietary information the provider will
10collect, how it will be used, and the categories of entities with which it will be shared
11and for what purposes.

AB123-SA1,12,1412 c. Information, prominently displayed, about the equivalent service plan that
13does not necessitate the use, disclosure, or access to customer proprietary
14information beyond that required or permitted under sub. (3) (c).

AB123-SA1,12,1615 2. Obtain opt-in approval from the customer for consent to participate in the
16financial incentive program.

AB123-SA1,12,1817 3. Provide the notice required under subd. 1. at the time the program is offered
18to a customer and at the time that a customer elects to participate in the program.

AB123-SA1,12,2119 4. Make the notice required under subd. 1. easily accessible and available
20separate from any other privacy notifications, including the notifications required
21under sub. (2) (a) or (c).

AB123-SA1,12,2422 5. If the provider transacts business with a customer in a language other than
23English, translate the contents required under subd. 1. into the language through
24which the provider transacts business with the customer.

AB123-SA1,13,4

---

16. If the customer grants the opt-in approval required under subd. 2., a
2broadband Internet access service provider shall make available a mechanism for
3the customer to withdraw approval for participation in the financial incentive
4program under this paragraph at any time.

AB123-SA1,13,9 5(7) Remedies and penalties. (a) 1. A person or class of persons adversely
6affected by a broadband Internet access service provider's violation of this section
7has a claim for appropriate relief, including damages, injunctive relief, and
8rescission and may bring an action in circuit court against the broadband Internet
9access service provider.

AB123-SA1,13,1110 2. Notwithstanding s. 814.04 (1), a person or class of persons entitled to relief
11under subd. 1. may recover costs, disbursements, and reasonable attorney fees.

AB123-SA1,13,1412 (b) 1. Any of the following may bring an action in circuit court in the name of
13the state to restrain by temporary or permanent injunction any violation of this
14section:

AB123-SA1,13,1515 a. The department.

AB123-SA1,13,1616 b. The department of justice, after consulting with the department.

AB123-SA1,13,1717 c. Any district attorney, upon informing the department.

AB123-SA1,13,2118 2. Before entry of final judgment, the court may make any order or judgment
19necessary to restore to any person any pecuniary loss suffered because of a violation
20that is the subject of the action under subd. 1., if proof of the violation is submitted
21to the satisfaction of the court.

AB123-SA1,14,222 (c) For any violation of this section, the department of justice, after consulting
23with the department, or the district attorney of the county where the violation occurs,
24upon informing the department, may commence an action in the name of the state

---

1to recover a forfeiture of not more than $50,000 for the first violation and not more
2than $100,000 for each subsequent violation.

AB123-SA1,14,53 (d) A person who intentionally, as defined in s. 939.23 (3), violates this section
4shall be fined not more than $1,000, or imprisoned in the county jail for not more than
590 days or both.”.