MADISON - If a hacker breaks
into confidential data kept by the state Department of
Revenue, a designated privacy officer stands ready to
implement the agency's emergency response plan.
No other state agency is as
prepared.
While some others have plans in
case secret information is compromised, internal audits
reviewed by The Associated Press show that many do
not. And because the information was redacted on several
responses - as a security measure against hackers - it's not
known whether some agencies have plans or not.
The Revenue Department is the
only one with a designated privacy office, according to a
report done by privacy protection company Metavante.
The state's ability to
protect confidential data, including taxpayers' Social
Security numbers, has come into focus since two high-profile
breaches earlier this year.
It was after another error in 2006,
when a printer hired by the state incorrectly printed Social
Security numbers on the mailing labels of 171,000 tax forms,
that the Revenue Department created its privacy office.
The office started in March
2007 and is run by the department's deputy administrator
Lili Best Crane. She spends about 20 percent of her time on
privacy issues and is the lead contact person in the case of
an emergency, said department spokeswoman Jessica Iverson.
The Revenue Department also
has a plan for dealing with security breaches. But many
other agencies do not.
The Metavante report released
Tuesday doesn't go into detail about the lack of security
response plans, other than targeting their absence as a
potential risk.
"Not having formal
incident response plans in place to timely address security
breaches if they occur could lead to inconsistent actions
being taken by staff hindering resolution efforts," the
report said.
The fact that some agencies
don't have security plans is troubling, said Chris Ahmuty,
executive director of the American Civil Liberties Union of
Wisconsin.
"This stuff is not
new," he said. "Some portions of the private
sector are way ahead. ... The state has not put a lot of
effort into it."
The Department of Natural
Resources and Capitol Police were among those reporting that
they do not have a plan. The Department of Insurance said it
was reviewing options for a plan. But a suggestion it
offered, which began, "It would be better for ..."
ended there before being blacked out.
One division of the Insurance
Department said it did have a policy, but the name of the
division was blacked out.
Those responses weren't the
only ones deleted.
Also redacted were details
about who filled out the audits, details about private
information collected by the state and how it's handled, and
any concerns agencies may have about shortcomings in their
procedures.
The information was withheld
because it could "provide a 'key to the lockbox' to
potential hackers and identity thieves," said
Department of Administration chief legal counsel Cari Anne
Renlund.
Even with the redactions, the
audits submitted by 15 state agencies show numerous
inconsistencies across government when it comes to
collecting, handling, and protecting private information.
On Tuesday, Gov. Jim Doyle
ordered that a plan be developed to implement all the
recommendations of the Metavante report, which include
bolstering training for state employees in handling private
information, no longer using Social Security numbers as
identifiers unless absolutely necessary, and developing
formal response plans when there is a breach.
There is no timeline yet, or
cost estimate, for implementing all of the report's
recommendations.