| ||||
| Public Act 103-0142 | ||||
| ||||
| ||||
AN ACT concerning regulation.
| ||||
Be it enacted by the People of the State of Illinois,
| ||||
represented in the General Assembly:
| ||||
Section 1. Short title. This Act may be cited as the | ||||
Insurance Data Security Law. | ||||
Section 2. Purpose and intent.
| ||||
(a) The purpose and intent of this Act is to establish | ||||
standards for data security and standards for the | ||||
investigation of and notification to the Director of a | ||||
cybersecurity event applicable to licensees.
| ||||
(b) This Act shall not be construed to create or imply a | ||||
private cause of action for a violation of its provisions nor | ||||
shall it be construed to curtail a private cause of action | ||||
which would otherwise exist in the absence of this Act.
| ||||
Section 5. Definitions. As used in this Act:
| ||||
"Authorized individual" means an individual known to and | ||||
screened by the licensee and determined to be necessary and | ||||
appropriate to have access to the nonpublic information held | ||||
by the licensee and its information systems.
| ||||
"Consumer" means an individual, including, but not limited | ||||
to, an applicant, policyholder, insured, beneficiary, | ||||
claimant, or certificate holder who is a resident of this | ||||
State and whose nonpublic information is in a licensee's | ||
possession, custody, or control.
| ||
"Cybersecurity event" means an event resulting in | ||
unauthorized access to, disruption, or misuse of an | ||
information system or information stored on such information | ||
system. "Cybersecurity event" does not include the | ||
unauthorized acquisition of encrypted nonpublic information if | ||
the encryption, process, or key is not also acquired, | ||
released, or used without authorization. "Cybersecurity event" | ||
does not include an event with regard to which the licensee has | ||
determined that the nonpublic information accessed by an | ||
unauthorized person has not been used or released and has been | ||
returned or destroyed.
| ||
"Department" means the Department of Insurance.
| ||
"Director" means the Director of Insurance.
| ||
"Encrypted" means the transformation of data into a form | ||
which results in a low probability of assigning meaning | ||
without the use of a protective process or key.
| ||
"Information security program" means the administrative, | ||
technical, and physical safeguards that a licensee uses to | ||
access, collect, distribute, process, protect, store, use, | ||
transmit, dispose of, or otherwise handle nonpublic | ||
information.
| ||
"Information system" means a discrete set of electronic | ||
information resources organized for the collection, | ||
processing, maintenance, use, sharing, dissemination, or | ||
disposition of electronic information, as well as any | ||
specialized system such as industrial and process controls | ||
systems, telephone switching and private branch exchange | ||
systems, and environmental control systems.
| ||
"Licensee" means any person licensed, authorized to | ||
operate, or registered, or required to be licensed, | ||
authorized, or registered pursuant to the insurance laws of | ||
this State. "Licensee" does not include a purchasing group or | ||
a risk retention group chartered and licensed in a state other | ||
than this State or a licensee that is acting as an assuming | ||
insurer that is domiciled in another state or jurisdiction.
| ||
"Multi-factor authentication" means authentication | ||
through verification of at least 2 of the following types of | ||
authentication factors:
| ||
(1) knowledge factors, including a password;
| ||
(2) possession factors, including a token or text | ||
message on a mobile phone; or
| ||
(3) inherence factors, including a biometric | ||
characteristic.
| ||
"Nonpublic information" means information that is not | ||
publicly available information and that is:
| ||
(1) business-related information of a licensee the | ||
tampering with which, or unauthorized disclosure, access, | ||
or use of which, would cause a material adverse impact to | ||
the business, operations, or security of the licensee;
| ||
(2) any information concerning a consumer which | ||
because of name, number, personal mark, or other | ||
identifier can be used to identify such consumer, in | ||
combination with any one or more of the following data | ||
elements:
| ||
(A) social security number;
| ||
(B) driver's license number or nondriver | ||
identification card number;
| ||
(C) financial account number, credit card number, | ||
or debit card number;
| ||
(D) any security code, access code, or password | ||
that would permit access to a consumer's financial | ||
account; or
| ||
(E) biometric records;
or | ||
(3) any information or data, except age or gender, in | ||
any form or medium created by or derived from a health care | ||
provider or a consumer and that relates to:
| ||
(A) the past, present, or future physical, mental, | ||
or behavioral health or condition of any consumer or a | ||
member of the consumer's family; | ||
(B) the provision of health care to any consumer; | ||
or
| ||
(C) payment for the provision of health care to | ||
any consumer.
| ||
"Person" means any individual or any nongovernmental | ||
entity, including, but not limited to, any nongovernmental | ||
partnership, corporation, branch, agency, or association.
| ||
"Publicly available information" means any information | ||
that a licensee has a reasonable basis to believe is lawfully | ||
made available to the general public from federal, State, or | ||
local government records; widely distributed media; or | ||
disclosures to the general public that are required to be made | ||
by federal, State, or local law. "Publicly available | ||
information" includes information that a consumer may direct | ||
not to be made available to the general public, but that the | ||
consumer has not directed not be made available.
| ||
"Risk assessment" means the risk assessment that each | ||
licensee is required to conduct under subsection (c) of | ||
Section 10.
| ||
"Third-party service provider" means a person, not | ||
otherwise defined as a licensee, that contracts with a | ||
licensee to maintain, process, store, or otherwise is | ||
permitted access to nonpublic information through its | ||
provision of services to the licensee.
| ||
Section 10. Information security program.
| ||
(a) Commensurate with the size and complexity of the | ||
licensee, the nature and scope of the licensee's activities, | ||
including its use of third-party service providers, and the | ||
sensitivity of the nonpublic information used by the licensee | ||
or in the licensee's possession, custody, or control, each | ||
licensee shall develop, implement, and maintain a | ||
comprehensive written information security program based on | ||
the licensee's risk assessment and that contains | ||
administrative, technical, and physical safeguards for the | ||
protection of nonpublic information and the licensee's | ||
information system.
| ||
(b) A licensee's information security program shall be | ||
designed to:
| ||
(1) protect the security and confidentiality of | ||
nonpublic information and the security of the information | ||
system;
| ||
(2) protect against any threats or hazards to the | ||
security or integrity of nonpublic information and the | ||
information system;
| ||
(3) protect against unauthorized access to or use of | ||
nonpublic information;
| ||
(4) minimize the likelihood of harm
to any consumer; | ||
and
| ||
(5) define and periodically reevaluate a schedule for | ||
retention of nonpublic information and a mechanism for its | ||
destruction when no longer needed, except if the | ||
information is otherwise required to be retained by law or | ||
rule or if targeted disposal is not reasonably feasible | ||
due to the manner in which the information is maintained. | ||
(c) A licensee shall:
| ||
(1) designate one or more employees, an affiliate, or | ||
an outside vendor designated to act on behalf of the | ||
licensee who is responsible for the information security | ||
program;
| ||
(2) identify reasonably foreseeable internal or | ||
external threats that could result in unauthorized access, | ||
transmission, disclosure, misuse, alteration, or | ||
destruction of nonpublic information, including the | ||
security of information systems and nonpublic information | ||
that are accessible to or held by third-party service | ||
providers;
| ||
(3) assess the likelihood and potential damage of | ||
these threats, taking into consideration the sensitivity | ||
of the nonpublic information;
| ||
(4) assess the sufficiency of policies, procedures, | ||
information systems, and other safeguards in place to | ||
manage these threats, including consideration of threats | ||
in each relevant area of the licensee's operations, | ||
including:
| ||
(A) employee training and management;
| ||
(B) information systems, including network and | ||
software design, as well as information | ||
classification, governance, processing, storage, | ||
transmission, and disposal; and
| ||
(C) detecting, preventing, and responding to | ||
attacks, intrusions, or other systems failures; and
| ||
(5) implement information safeguards to manage the | ||
threats identified in its ongoing assessment, and, no less | ||
than annually, assess the effectiveness of the safeguards' | ||
key controls, systems, and procedures.
| ||
(d) Based on its risk assessment, the licensee shall:
| ||
(1) design its information security program to | ||
mitigate the identified risks, commensurate with the size | ||
and complexity of the licensee, the nature and scope of | ||
the licensee's activities, including its use of | ||
third-party service providers, and the sensitivity of the | ||
nonpublic information used by the licensee or in the | ||
licensee's possession, custody, or control;
| ||
(2) select and implement appropriate security measures | ||
from the following:
| ||
(A) place access controls on information systems, | ||
including controls to authenticate and permit access | ||
only to authorized individuals to protect against the | ||
unauthorized acquisition of nonpublic information;
| ||
(B) identify and manage the data, personnel, | ||
devices, systems, and facilities that enable the | ||
organization to achieve business purposes in | ||
accordance with their relative importance to business | ||
objectives and the organization's risk strategy;
| ||
(C) restrict access at physical locations | ||
containing nonpublic information only to authorized | ||
individuals;
| ||
(D) protect, by encryption or other appropriate | ||
means, all nonpublic information while being | ||
transmitted over an external network and all nonpublic | ||
information stored on a laptop computer or other | ||
portable computing or storage device or media;
| ||
(E) adopt secure development practices for | ||
in-house-developed applications utilized by the | ||
licensee and procedures for evaluating, assessing, or | ||
testing the security of externally developed | ||
applications utilized by the licensee;
| ||
(F) modify the information system in accordance | ||
with the licensee's information security program;
| ||
(G) utilize effective controls, including | ||
multifactor authentication procedures for any | ||
individual accessing nonpublic information;
| ||
(H) regularly test and monitor systems and | ||
procedures to detect actual and attempted attacks on | ||
or intrusions into information systems; | ||
(I) include audit trails within the information | ||
security program designed to detect and respond to | ||
cybersecurity events and designed to reconstruct | ||
material financial transactions sufficient to support | ||
normal operations and obligations of the licensee;
| ||
(J) implement measures to protect against | ||
destruction, loss, or damage of nonpublic information | ||
due to environmental hazards, including fire and water | ||
damage, other catastrophes, or technological failures; | ||
and
| ||
(K) develop, implement, and maintain procedures | ||
for the secure disposal of nonpublic information in | ||
any format;
| ||
(3) include cybersecurity risks in the licensee's | ||
enterprise risk management process;
| ||
(4) stay informed regarding emerging threats or | ||
vulnerabilities and utilize reasonable security measures | ||
when sharing information relative to the character of the | ||
sharing and the type of information shared; and
| ||
(5) provide its personnel with cybersecurity awareness | ||
training that is updated as necessary to reflect risks | ||
identified by the licensee in the risk assessment.
| ||
(e) If the licensee has a board of directors, the board or | ||
an appropriate committee of the board shall, at a minimum:
| ||
(1) require the licensee's executive management or its | ||
delegates to develop, implement, and maintain the | ||
licensee's information security program;
| ||
(2) require the licensee's executive management or its | ||
delegates to report in writing, at least annually, the | ||
following information:
| ||
(A) the overall status of the information security | ||
program and the licensee's compliance with this Act; | ||
and
| ||
(B) material matters related to the information | ||
security program, addressing issues such as risk | ||
assessment, risk management and control decisions, | ||
third-party service provider arrangements, results of | ||
testing, cybersecurity events or violations and | ||
management's responses thereto, and recommendations | ||
for changes in the information security program; and
| ||
(3) if executive management delegates any of its | ||
responsibilities under this Section, it shall oversee the | ||
development, implementation, and maintenance of the | ||
licensee's information security program prepared by the | ||
delegate and shall receive a report from the delegate | ||
complying with the requirements of the report to the board | ||
of directors.
| ||
(f) A licensee shall exercise due diligence in selecting | ||
its third-party service provider and a licensee shall require | ||
a third-party service provider to implement appropriate | ||
administrative, technical, and physical measures to protect | ||
and secure the information systems and nonpublic information | ||
that are accessible to or held by the third-party service | ||
provider.
| ||
(g) The licensee shall monitor, evaluate, and adjust, as | ||
appropriate, the information security program consistent with | ||
any relevant changes in technology, the sensitivity of its | ||
nonpublic information, internal or external threats to | ||
information, and the licensee's own changing business | ||
arrangements, including mergers and acquisitions, alliances | ||
and joint ventures, outsourcing arrangements, and changes to | ||
information systems.
| ||
(h) As part of its information security program, a | ||
licensee shall establish a written incident response plan | ||
designed to promptly respond to and recover from any | ||
cybersecurity event that compromises the confidentiality, | ||
integrity, or availability of nonpublic information in its | ||
possession, the licensee's information systems, or the | ||
continuing functionality of any aspect of the licensee's | ||
business or operations. The incident response plan shall | ||
address the following areas:
| ||
(1) the internal process for responding to a | ||
cybersecurity event;
| ||
(2) the goals of the incident response plan;
| ||
(3) the definition of clear roles, responsibilities, | ||
and levels of decision-making authority;
| ||
(4) external and internal communications and | ||
information sharing;
| ||
(5) identification of requirements for the remediation | ||
of any identified weaknesses in information systems and | ||
associated controls;
| ||
(6) documentation and reporting regarding | ||
cybersecurity events and related incident response | ||
activities; and
| ||
(7) the evaluation and revision of the incident | ||
response plan following a cybersecurity event, as | ||
necessary.
| ||
(i) Annually, an insurer domiciled in this State shall | ||
submit to the Director a written statement by April 15 | ||
certifying that the insurer is in compliance with the | ||
requirements set forth in this Section. Each insurer shall | ||
maintain for examination by the Department all records, | ||
schedules, and data supporting this certificate for a period | ||
of 5 years. To the extent an insurer has identified areas, | ||
systems, or processes that require material improvement, | ||
updating, or redesign, the insurer shall document the | ||
identification and the remedial efforts planned and underway | ||
to address such areas, systems, or processes. The | ||
documentation of identified areas, systems, or processes must | ||
be available for inspection by the Director.
| ||
(j) Licensees shall comply with subsection (f) 2 years | ||
after the effective date of this Act, and shall comply with all | ||
other subsections of this Section one year after the effective | ||
date of this Act. | ||
Section 15. Investigation of a cybersecurity event.
| ||
(a) If the licensee learns that a cybersecurity event has | ||
occurred or may have occurred, the licensee, or an outside | ||
vendor or service provider designated to act on behalf of the | ||
licensee, shall conduct a prompt investigation.
| ||
(b) During the investigation the licensee, or an outside | ||
vendor or service provider designated to act on behalf of the | ||
licensee, shall, at a minimum, comply with as many of the | ||
following as possible:
| ||
(1) determine whether a cybersecurity event has | ||
occurred;
| ||
(2) assess the nature and scope of the cybersecurity | ||
event;
| ||
(3) identify any nonpublic information that may have | ||
been involved in the cybersecurity event; and
| ||
(4) perform or oversee reasonable measures to restore | ||
the security of the information systems compromised in the | ||
cybersecurity event in order to prevent further | ||
unauthorized acquisition, release, or use of nonpublic | ||
information in the licensee's possession, custody, or | ||
control.
| ||
(c) If the licensee learns that a cybersecurity event has | ||
occurred or may have occurred in a system maintained by a | ||
third-party service provider, the licensee will complete the | ||
steps listed in subsection (b) or confirm and document that | ||
the third-party service provider has completed those steps.
| ||
(d) The licensee shall maintain records concerning all | ||
cybersecurity events for a period of at least 5 years from the | ||
date of the cybersecurity event and shall produce those | ||
records upon demand of the Director.
| ||
Section 20. Notification of a cybersecurity event.
| ||
(a) A licensee shall notify the Director as promptly as | ||
possible but no later than 3 business days after a | ||
determination that a cybersecurity event has occurred when | ||
either of the following criteria has been met:
| ||
(1) this State is the licensee's state of domicile, in | ||
the case of an insurer, or this State is the licensee's | ||
home state, in the case of an insurance producer, as those | ||
terms are defined in Article XXXI of the Illinois | ||
Insurance Code, and the cybersecurity event has a | ||
reasonable likelihood of materially harming any consumer | ||
residing in this State or any material part of the normal | ||
operations of the licensee; or
| ||
(2) the licensee reasonably believes that the | ||
nonpublic information involved is of 250 or more consumers | ||
residing in this State and that is either of the | ||
following:
| ||
(A) a cybersecurity event impacting the licensee | ||
of which notice is required to be provided to any | ||
government body, self-regulatory agency, or any other | ||
supervisory body pursuant to any State or federal law; | ||
or
| ||
(B) a cybersecurity event that has a reasonable | ||
likelihood of materially harming:
| ||
(i) any consumer residing in this State; or
| ||
(ii) any material part of the normal | ||
operations of the licensee.
| ||
(b) A licensee shall provide as much of the following | ||
information as possible:
| ||
(1) the date of the cybersecurity event;
| ||
(2) a description of how the information was exposed, | ||
lost, stolen, or breached, including the specific roles | ||
and responsibilities of third-party service providers, if | ||
any;
| ||
(3) how the cybersecurity event was discovered;
| ||
(4) whether any lost, stolen, or breached information | ||
has been recovered and if so, how it was recovered;
| ||
(5) the identity of the source of the cybersecurity | ||
event;
| ||
(6) whether the licensee has filed a police report or | ||
has notified any regulatory, government, or law | ||
enforcement agencies and, if so, when such notification | ||
was provided;
| ||
(7) a description of the specific types of information | ||
acquired without authorization, including types of medical | ||
information, types of financial information, or types of | ||
information allowing identification of the consumer;
| ||
(8) the period during which the information system was | ||
compromised by the cybersecurity event;
| ||
(9) the number of total consumers in this State | ||
affected by the cybersecurity event; the licensee shall | ||
provide the best estimate in the initial report to the | ||
Director and update this estimate with each subsequent | ||
report to the Director pursuant to this Section;
| ||
(10) the results of any internal review identifying a | ||
lapse in either automated controls or internal procedures, | ||
or confirming that all automated controls or internal | ||
procedures were followed;
| ||
(11) a description of efforts being undertaken to | ||
remediate the situation which permitted the cybersecurity | ||
event to occur;
| ||
(12) a copy of the licensee's privacy policy and a | ||
statement outlining the steps the licensee will take to | ||
investigate and notify consumers affected by the | ||
cybersecurity event; and
| ||
(13) the name of a contact person who is both familiar | ||
with the cybersecurity event and authorized to act for the | ||
licensee.
| ||
The licensee shall provide the information in electronic | ||
form as directed by the Director. The licensee shall have a | ||
continuing obligation to update and supplement initial and | ||
subsequent notifications to the Director regarding material | ||
changes to previously provided information relating to the | ||
cybersecurity event.
| ||
(c) Licensees shall comply with the Personal Information | ||
Protection Act, as applicable, and provide a copy of the | ||
notice sent to consumers under that statute to the Director | ||
when a licensee is required to notify the Director under | ||
subsection (a).
| ||
(d) If a licensee becomes aware of a cybersecurity event | ||
in a system maintained by a third-party service provider, the | ||
licensee shall treat the event as it would under subsection | ||
(a) unless the third-party service provider provides the | ||
notice required under subsection (a) to the Director. The | ||
computation of licensee's deadlines shall begin on the day | ||
after the third-party service provider notifies the licensee | ||
of the cybersecurity event or the licensee otherwise has | ||
actual knowledge of the cybersecurity event, whichever is | ||
sooner.
| ||
(e) Nothing in this Act shall prevent or abrogate an | ||
agreement between a licensee and another licensee, a | ||
third-party service provider, or any other party to fulfill | ||
any of the investigation requirements imposed under Section 15 | ||
or notice requirements imposed under this Section.
| ||
(f) In the case of a cybersecurity event involving | ||
nonpublic information that is used by the licensee that is | ||
acting as an assuming insurer or in the possession, custody, | ||
or control of a licensee that is acting as an assuming insurer | ||
and that does not have a direct contractual relationship with | ||
the affected consumers, the assuming insurer shall notify its | ||
affected ceding insurers and the Director of its state of | ||
domicile within 3 business days after making the determination | ||
that a cybersecurity event has occurred.
| ||
In the case of a cybersecurity event involving nonpublic | ||
information that is in the possession, custody, or control of | ||
a third-party service provider of a licensee that is an | ||
assuming insurer, the assuming insurer shall notify its | ||
affected ceding insurers and the Director of its state of | ||
domicile within 3 business days after receiving notice from | ||
its third-party service provider that a cybersecurity event | ||
has occurred.
| ||
The ceding insurers that have a direct contractual | ||
relationship with affected consumers shall fulfill the | ||
consumer notification requirements imposed under the Personal | ||
Information Protection Act and any other notification | ||
requirements relating to a cybersecurity event imposed under | ||
this Section.
| ||
(g) In the case of a cybersecurity event involving | ||
nonpublic information that is in the possession, custody, or | ||
control of a licensee that is an insurer or its third-party | ||
service provider and for which a consumer accessed the | ||
insurer's services through an independent insurance producer, | ||
the insurer shall notify the producers of record of all | ||
affected consumers as soon as practicable as directed by the | ||
Director. The insurer is excused from this obligation for | ||
those instances in which it does not have the current producer | ||
of record information for any individual consumer.
| ||
Section 25. Power of Director.
| ||
(a) The Director shall have power to examine and | ||
investigate the affairs of any licensee to determine whether | ||
the licensee has been or is engaged in any conduct in violation | ||
of this Act. This power is in addition to the powers which the | ||
Director has under the Illinois Insurance Code, including | ||
Sections 132, 132.3, 132.4, 133, 401, 402, 403, and 425 of the | ||
Illinois Insurance Code. Any investigation or examination | ||
shall be conducted pursuant to the Illinois Insurance Code, | ||
including Sections 132, 132.3, 132.4, 133, 401, 402, 403, and | ||
425 of the Illinois Insurance Code.
| ||
(b) Whenever the Director has reason to believe that a | ||
licensee has been or is engaged in conduct in this State which | ||
violates this Act, the Director may take action that is | ||
necessary or appropriate to enforce the provisions of this | ||
Act.
| ||
Section 30. Confidentiality.
| ||
(a) Any documents, materials, or other information in the | ||
control or possession of the Department that are furnished by | ||
a licensee or an employee or agent thereof acting on behalf of | ||
licensee pursuant to subsection (i) of Section 10, subsection | ||
(b) of Section 20, or that are obtained by the Director in an | ||
investigation or examination pursuant to Section 25 shall be | ||
confidential by law and privileged, shall not be subject to | ||
the Freedom of Information Act, shall not be subject to | ||
subpoena, and shall not be subject to discovery or admissible | ||
in evidence in any private civil action. However, the Director | ||
is authorized to use the documents, materials, or other | ||
information in the furtherance of any regulatory or legal | ||
action brought as a part of the Director's duties.
| ||
(b) Neither the Director nor any person who received | ||
documents, materials, or other information while acting under | ||
the authority of the Director shall be permitted or required | ||
to testify in any private civil action concerning any | ||
confidential documents, materials, or information subject to | ||
subsection (a).
| ||
(c) In order to assist in the performance of the | ||
Director's duties under this Act, the Director:
| ||
(1) may share documents, materials, or other | ||
information, including the confidential and privileged | ||
documents, materials, or information subject to subsection | ||
(a), with other State, federal, and international | ||
regulatory agencies, with the National Association of | ||
Insurance Commissioners and its affiliates or | ||
subsidiaries, and with State, federal, and international | ||
law enforcement authorities, if the recipient agrees in | ||
writing to maintain the confidentiality and privileged | ||
status of the document, material, or other information;
| ||
(2) may receive documents, materials, or information, | ||
including otherwise confidential and privileged documents, | ||
materials, or information, from the National Association | ||
of Insurance Commissioners and its affiliates or | ||
subsidiaries and from regulatory and law enforcement | ||
officials of other foreign or domestic jurisdictions, and | ||
shall maintain as confidential or privileged any document, | ||
material, or information received with notice or the | ||
understanding that it is confidential or privileged under | ||
the laws of the jurisdiction that is the source of the | ||
document, material, or information;
| ||
(3) may share documents, materials, or other | ||
information subject to subsection (a), with a third-party | ||
consultant or vendor if the consultant agrees in writing | ||
to maintain the confidentiality and privileged status of | ||
the document, material, or other information; and
| ||
(4) may enter into agreements governing sharing and | ||
use of information consistent with this subsection.
| ||
(d) No waiver of any applicable privilege or claim of | ||
confidentiality in the documents, materials, or information | ||
shall occur as a result of disclosure to the Director under | ||
this Section or as a result of sharing as authorized in | ||
subsection (c).
| ||
(e) Nothing in this Act shall prohibit the Director from | ||
releasing final, adjudicated actions that are open to public | ||
inspection pursuant to the Illinois Insurance Code to a | ||
database or other clearinghouse service maintained by the | ||
National Association of Insurance Commissioners and its | ||
affiliates or subsidiaries.
| ||
Section 35. Exceptions.
| ||
(a) The following exceptions shall apply to this Act:
| ||
(1) A licensee with fewer than 50 employees, including | ||
any independent contractors, is exempt from Section 10.
| ||
(2) A licensee that is subject to, governed by, and | ||
compliant with the privacy, security, and breach | ||
notification rules issued by the United States Department | ||
of Health and Human Services, Parts 160 and 164 of Title 45 | ||
of the Code of Federal Regulations, established pursuant | ||
to the Health Insurance Portability and Accountability Act | ||
of 1996, Public Law 104-191, and the Health Information | ||
Technology for Economic and Clinical Health Act, Public | ||
Law 111-5, HITECH, and that maintains nonpublic | ||
information in the same manner as protected health | ||
information pursuant to an information security program | ||
shall be considered to meet the requirements of Section 10 | ||
and Section 15 of this Act. To claim this exemption, the | ||
licensee must submit an annual statement by April 15 | ||
certifying its compliance with the applicable provisions | ||
of federal law referenced in this paragraph. | ||
(3) An employee, agent, representative, or designee of | ||
a licensee that is also a licensee is exempt from Section | ||
10 and need not develop its own information security | ||
program to the extent that the employee, agent, | ||
representative, or designee is covered by the information | ||
security program of the other licensee.
| ||
(b) If a licensee ceases to qualify for an exception, the | ||
licensee shall demonstrate a good faith effort to comply with | ||
this Act within 180 days and shall certify compliance in | ||
accordance with subsection (i) of Section 10 no sooner than | ||
one year after ceasing to qualify for an exception.
| ||
Section 40. Penalties. In the case of a violation of this | ||
Act, a licensee may be penalized in accordance with the | ||
provisions of the Illinois Insurance Code, including Section | ||
403A of the Illinois Insurance Code. | ||
Section 45. Rules. The Department may, in accordance with | ||
the Illinois Administrative Procedure Act and Section 401 of | ||
the Illinois Insurance Code, adopt such rules as shall be | ||
necessary to carry out the provisions of this Act. | ||
Section 50. Severability. If any provision of this Act or | ||
its application to any person or circumstance is held invalid, | ||
the invalidity of that provision or application does not | ||
affect other provisions or applications of this Act that can | ||
be given effect without the invalid provision or application. | ||
Section 105. The Freedom of Information Act is amended by | ||
changing Section 7.5 as follows:
| ||
(5 ILCS 140/7.5)
| ||
Sec. 7.5. Statutory exemptions. To the extent provided for | ||
by the statutes referenced below, the following shall be | ||
exempt from inspection and copying: | ||
(a) All information determined to be confidential | ||
under Section 4002 of the Technology Advancement and | ||
Development Act. | ||
(b) Library circulation and order records identifying | ||
library users with specific materials under the Library | ||
Records Confidentiality Act. | ||
(c) Applications, related documents, and medical | ||
records received by the Experimental Organ Transplantation | ||
Procedures Board and any and all documents or other | ||
records prepared by the Experimental Organ Transplantation | ||
Procedures Board or its staff relating to applications it | ||
has received. | ||
(d) Information and records held by the Department of | ||
Public Health and its authorized representatives relating | ||
to known or suspected cases of sexually transmissible | ||
disease or any information the disclosure of which is | ||
restricted under the Illinois Sexually Transmissible | ||
Disease Control Act. | ||
(e) Information the disclosure of which is exempted | ||
under Section 30 of the Radon Industry Licensing Act. | ||
(f) Firm performance evaluations under Section 55 of | ||
the Architectural, Engineering, and Land Surveying | ||
Qualifications Based Selection Act. | ||
(g) Information the disclosure of which is restricted | ||
and exempted under Section 50 of the Illinois Prepaid | ||
Tuition Act. | ||
(h) Information the disclosure of which is exempted | ||
under the State Officials and Employees Ethics Act, and | ||
records of any lawfully created State or local inspector | ||
general's office that would be exempt if created or | ||
obtained by an Executive Inspector General's office under | ||
that Act. | ||
(i) Information contained in a local emergency energy | ||
plan submitted to a municipality in accordance with a | ||
local emergency energy plan ordinance that is adopted | ||
under Section 11-21.5-5 of the Illinois Municipal Code. | ||
(j) Information and data concerning the distribution | ||
of surcharge moneys collected and remitted by carriers | ||
under the Emergency Telephone System Act. | ||
(k) Law enforcement officer identification information | ||
or driver identification information compiled by a law | ||
enforcement agency or the Department of Transportation | ||
under Section 11-212 of the Illinois Vehicle Code. | ||
(l) Records and information provided to a residential | ||
health care facility resident sexual assault and death | ||
review team or the Executive Council under the Abuse | ||
Prevention Review Team Act. | ||
(m) Information provided to the predatory lending | ||
database created pursuant to Article 3 of the Residential | ||
Real Property Disclosure Act, except to the extent | ||
authorized under that Article. | ||
(n) Defense budgets and petitions for certification of | ||
compensation and expenses for court appointed trial | ||
counsel as provided under Sections 10 and 15 of the | ||
Capital Crimes Litigation Act. This subsection (n) shall | ||
apply until the conclusion of the trial of the case, even | ||
if the prosecution chooses not to pursue the death penalty | ||
prior to trial or sentencing. | ||
(o) Information that is prohibited from being | ||
disclosed under Section 4 of the Illinois Health and | ||
Hazardous Substances Registry Act. | ||
(p) Security portions of system safety program plans, | ||
investigation reports, surveys, schedules, lists, data, or | ||
information compiled, collected, or prepared by or for the | ||
Department of Transportation under Sections 2705-300 and | ||
2705-616 of the Department of Transportation Law of the | ||
Civil Administrative Code of Illinois, the Regional | ||
Transportation Authority under Section 2.11 of the | ||
Regional Transportation Authority Act, or the St. Clair | ||
County Transit District under the Bi-State Transit Safety | ||
Act. | ||
(q) Information prohibited from being disclosed by the | ||
Personnel Record Review Act. | ||
(r) Information prohibited from being disclosed by the | ||
Illinois School Student Records Act. | ||
(s) Information the disclosure of which is restricted | ||
under Section 5-108 of the Public Utilities Act.
| ||
(t) All identified or deidentified health information | ||
in the form of health data or medical records contained | ||
in, stored in, submitted to, transferred by, or released | ||
from the Illinois Health Information Exchange, and | ||
identified or deidentified health information in the form | ||
of health data and medical records of the Illinois Health | ||
Information Exchange in the possession of the Illinois | ||
Health Information Exchange Office due to its | ||
administration of the Illinois Health Information | ||
Exchange. The terms "identified" and "deidentified" shall | ||
be given the same meaning as in the Health Insurance | ||
Portability and Accountability Act of 1996, Public Law | ||
104-191, or any subsequent amendments thereto, and any | ||
regulations promulgated thereunder. | ||
(u) Records and information provided to an independent | ||
team of experts under the Developmental Disability and | ||
Mental Health Safety Act (also known as Brian's Law). | ||
(v) Names and information of people who have applied | ||
for or received Firearm Owner's Identification Cards under | ||
the Firearm Owners Identification Card Act or applied for | ||
or received a concealed carry license under the Firearm | ||
Concealed Carry Act, unless otherwise authorized by the | ||
Firearm Concealed Carry Act; and databases under the | ||
Firearm Concealed Carry Act, records of the Concealed | ||
Carry Licensing Review Board under the Firearm Concealed | ||
Carry Act, and law enforcement agency objections under the | ||
Firearm Concealed Carry Act. | ||
(v-5) Records of the Firearm Owner's Identification | ||
Card Review Board that are exempted from disclosure under | ||
Section 10 of the Firearm Owners Identification Card Act. | ||
(w) Personally identifiable information which is | ||
exempted from disclosure under subsection (g) of Section | ||
19.1 of the Toll Highway Act. | ||
(x) Information which is exempted from disclosure | ||
under Section 5-1014.3 of the Counties Code or Section | ||
8-11-21 of the Illinois Municipal Code. | ||
(y) Confidential information under the Adult | ||
Protective Services Act and its predecessor enabling | ||
statute, the Elder Abuse and Neglect Act, including | ||
information about the identity and administrative finding | ||
against any caregiver of a verified and substantiated | ||
decision of abuse, neglect, or financial exploitation of | ||
an eligible adult maintained in the Registry established | ||
under Section 7.5 of the Adult Protective Services Act. | ||
(z) Records and information provided to a fatality | ||
review team or the Illinois Fatality Review Team Advisory | ||
Council under Section 15 of the Adult Protective Services | ||
Act. | ||
(aa) Information which is exempted from disclosure | ||
under Section 2.37 of the Wildlife Code. | ||
(bb) Information which is or was prohibited from | ||
disclosure by the Juvenile Court Act of 1987. | ||
(cc) Recordings made under the Law Enforcement | ||
Officer-Worn Body Camera Act, except to the extent | ||
authorized under that Act. | ||
(dd) Information that is prohibited from being | ||
disclosed under Section 45 of the Condominium and Common | ||
Interest Community Ombudsperson Act. | ||
(ee) Information that is exempted from disclosure | ||
under Section 30.1 of the Pharmacy Practice Act. | ||
(ff) Information that is exempted from disclosure | ||
under the Revised Uniform Unclaimed Property Act. | ||
(gg) Information that is prohibited from being | ||
disclosed under Section 7-603.5 of the Illinois Vehicle | ||
Code. | ||
(hh) Records that are exempt from disclosure under | ||
Section 1A-16.7 of the Election Code. | ||
(ii) Information which is exempted from disclosure | ||
under Section 2505-800 of the Department of Revenue Law of | ||
the Civil Administrative Code of Illinois. | ||
(jj) Information and reports that are required to be | ||
submitted to the Department of Labor by registering day | ||
and temporary labor service agencies but are exempt from | ||
disclosure under subsection (a-1) of Section 45 of the Day | ||
and Temporary Labor Services Act. | ||
(kk) Information prohibited from disclosure under the | ||
Seizure and Forfeiture Reporting Act. | ||
(ll) Information the disclosure of which is restricted | ||
and exempted under Section 5-30.8 of the Illinois Public | ||
Aid Code. | ||
(mm) Records that are exempt from disclosure under | ||
Section 4.2 of the Crime Victims Compensation Act. | ||
(nn) Information that is exempt from disclosure under | ||
Section 70 of the Higher Education Student Assistance Act. | ||
(oo) Communications, notes, records, and reports | ||
arising out of a peer support counseling session | ||
prohibited from disclosure under the First Responders | ||
Suicide Prevention Act. | ||
(pp) Names and all identifying information relating to | ||
an employee of an emergency services provider or law | ||
enforcement agency under the First Responders Suicide | ||
Prevention Act. | ||
(qq) Information and records held by the Department of | ||
Public Health and its authorized representatives collected | ||
under the Reproductive Health Act. | ||
(rr) Information that is exempt from disclosure under | ||
the Cannabis Regulation and Tax Act. | ||
(ss) Data reported by an employer to the Department of | ||
Human Rights pursuant to Section 2-108 of the Illinois | ||
Human Rights Act. | ||
(tt) Recordings made under the Children's Advocacy | ||
Center Act, except to the extent authorized under that | ||
Act. | ||
(uu) Information that is exempt from disclosure under | ||
Section 50 of the Sexual Assault Evidence Submission Act. | ||
(vv) Information that is exempt from disclosure under | ||
subsections (f) and (j) of Section 5-36 of the Illinois | ||
Public Aid Code. | ||
(ww) Information that is exempt from disclosure under | ||
Section 16.8 of the State Treasurer Act. | ||
(xx) Information that is exempt from disclosure or | ||
information that shall not be made public under the | ||
Illinois Insurance Code. | ||
(yy) Information prohibited from being disclosed under | ||
the Illinois Educational Labor Relations Act. | ||
(zz) Information prohibited from being disclosed under | ||
the Illinois Public Labor Relations Act. | ||
(aaa) Information prohibited from being disclosed | ||
under Section 1-167 of the Illinois Pension Code. | ||
(bbb) Information that is prohibited from disclosure | ||
by the Illinois Police Training Act and the Illinois State | ||
Police Act. | ||
(ccc) Records exempt from disclosure under Section
| ||
2605-304 of the Illinois State Police Law of the Civil
| ||
Administrative Code of Illinois. | ||
(ddd) Information prohibited from being disclosed | ||
under Section 35 of the Address Confidentiality for | ||
Victims of Domestic Violence, Sexual Assault, Human | ||
Trafficking, or Stalking Act. | ||
(eee) Information prohibited from being disclosed | ||
under subsection (b) of Section 75 of the Domestic | ||
Violence Fatality Review Act. | ||
(fff) Images from cameras under the Expressway Camera | ||
Act. This subsection (fff) is inoperative on and after | ||
July 1, 2023. | ||
(ggg) (fff) Information prohibited from disclosure | ||
under paragraph (3) of subsection (a) of Section 14 of the | ||
Nurse Agency Licensing Act. | ||
(hhh) Information exempt from disclosure under Section | ||
30 of the Insurance Data Security Law. | ||
(Source: P.A. 101-13, eff. 6-12-19; 101-27, eff. 6-25-19; | ||
101-81, eff. 7-12-19; 101-221, eff. 1-1-20; 101-236, eff. | ||
1-1-20; 101-375, eff. 8-16-19; 101-377, eff. 8-16-19; 101-452, | ||
eff. 1-1-20; 101-466, eff. 1-1-20; 101-600, eff. 12-6-19; | ||
101-620, eff 12-20-19; 101-649, eff. 7-7-20; 101-652, eff. | ||
1-1-22; 101-656, eff. 3-23-21; 102-36, eff. 6-25-21; 102-237, | ||
eff. 1-1-22; 102-292, eff. 1-1-22; 102-520, eff. 8-20-21; | ||
102-559, eff. 8-20-21; 102-813, eff. 5-13-22; 102-946, eff. | ||
7-1-22; 102-1042, eff. 6-3-22; revised 8-1-22.)
| ||
Section 999. Effective date. This Act takes effect January | ||
1, 2024. | ||