Public Act 094-0947

AN ACT concerning consumer fraud.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 5. The Personal Information Protection Act is amended by changing Section 10 and by adding Sections 12, 25, and 30 as follows:
(815 ILCS 530/10)

Sec. 10. Notice of Breach.

(a) Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

(b) Any data collector that maintains computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(b-5) The notification required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the data collector with a written request for the delay. However, the data collector must notify the Illinois resident as soon as notification will no longer interfere with the investigation.

(c) For purposes of this Section, notice to consumers may be provided by one of the following methods:

    (1) written notice;

    (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or

    (3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media.

(d) Notwithstanding subsection (c), a data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed in compliance with the notification requirements of this Section if the data collector notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.

(Source: P.A. 94-36, eff. 1-1-06.)
(815 ILCS 530/12 new)

Sec. 12. Notice of breach; State agency.

(a) Any State agency that collects personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data or written material following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

(b) For purposes of this Section, notice to residents may be provided by one of the following methods:

    (1) written notice;

    (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or

    (3) substitute notice, if the State agency demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the State agency does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the State agency has an email address for the subject persons; (ii) conspicuous posting of the notice on the State agency's web site page if the State agency maintains one; and (iii) notification to major statewide media.

(c) Notwithstanding subsection (b), a State agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act shall be deemed in compliance with the notification requirements of this Section if the State agency notifies subject persons in accordance with its policies in the event of a breach of the security of the system data or written material.

(d) If a State agency is required to notify more than 1,000 persons of a breach of security pursuant to this Section, the State agency shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notices. Nothing in this subsection (d) shall be construed to require the State agency to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients.
(815 ILCS 530/25 new)

Sec. 25. Annual reporting. Any State agency that collects personal data and has had a breach of security of the system data or written material shall submit a report within 5 business days of the discovery or notification of the breach to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material. Any State agency that has submitted a report under this Section shall submit an annual report listing all breaches of security of the system data or written materials and the corrective measures that have been taken to prevent future breaches.
(815 ILCS 530/30 new)

Sec. 30. Safe disposal of information. Any State agency that collects personal data that is no longer needed or stored at the agency shall dispose of the personal data or written material it has collected in such a manner as to ensure the security and confidentiality of the material.

Section 99. Effective date. This Act takes effect upon becoming law.