| ||||
| Public Act 099-0503 | ||||
| ||||
| ||||
AN ACT concerning business.
| ||||
Be it enacted by the People of the State of Illinois, | ||||
represented in the General Assembly:
| ||||
Section 5. The Personal Information Protection Act is | ||||
amended by changing Sections 5, 10, and 12 and adding Sections | ||||
45 and 50 as follows: | ||||
(815 ILCS 530/5)
| ||||
Sec. 5. Definitions. In this Act: | ||||
"Data Collector" may include, but is not limited to,
| ||||
government agencies, public and private universities,
| ||||
privately and publicly held corporations, financial
| ||||
institutions, retail operators, and any other entity that, for | ||||
any purpose, handles, collects, disseminates, or otherwise
| ||||
deals with nonpublic personal information.
| ||||
"Breach of the security of the system data" or "breach" | ||||
means
unauthorized acquisition of computerized data that | ||||
compromises the security, confidentiality, or integrity of | ||||
personal information maintained by the data collector. "Breach | ||||
of the security of the system data" does not include good faith
| ||||
acquisition of personal information by an employee or agent of
| ||||
the data collector for a legitimate purpose of the data
| ||||
collector, provided that the personal information is not used
| ||||
for a purpose unrelated to the data collector's business or
| ||||
subject to further unauthorized disclosure.
| ||
"Health insurance information" means an individual's | ||
health insurance policy number or subscriber identification | ||
number, any unique identifier used by a health insurer to | ||
identify the individual, or any medical information in an | ||
individual's health insurance application and claims history, | ||
including any appeals records. | ||
"Medical information" means any information regarding an | ||
individual's medical history, mental or physical condition, or | ||
medical treatment or diagnosis by a healthcare professional, | ||
including such information provided to a website or mobile | ||
application. | ||
"Personal information" means either of the following: | ||
(1) an individual's first name or first initial and | ||
last name in combination with any one or more
of the | ||
following data elements, when either the name or the data | ||
elements are not encrypted or redacted or are encrypted or | ||
redacted but the keys to unencrypt or unredact or otherwise | ||
read the name or data elements have been acquired without | ||
authorization through the breach of security:
| ||
(A) (1) Social Security number. | ||
(B) (2) Driver's license number or State | ||
identification
card number.
| ||
(C) (3) Account number or credit or debit card | ||
number, or an
account number or credit card number in | ||
combination with
any required security code, access | ||
code, or password that
would permit access to an | ||
individual's financial account.
| ||
(D) Medical information. | ||
(E) Health insurance information. | ||
(F) Unique biometric data generated from | ||
measurements or technical analysis of human body | ||
characteristics used by the owner or licensee to | ||
authenticate an individual, such as a fingerprint, | ||
retina or iris image, or other unique physical | ||
representation or digital representation of biometric | ||
data. | ||
(2) user name or email address, in combination with a | ||
password or security question and answer that would permit | ||
access to an online account, when either the user name or | ||
email address or password or security question and answer | ||
are not encrypted or redacted or are encrypted or redacted | ||
but the keys to unencrypt or unredact or otherwise read the | ||
data elements have been obtained through the breach of | ||
security. | ||
"Personal information" does not include publicly available
| ||
information that is lawfully made available to the general
| ||
public from federal, State, or local government records.
| ||
(Source: P.A. 97-483, eff. 1-1-12.) | ||
(815 ILCS 530/10)
| ||
Sec. 10. Notice of Breach. | ||
(a) Any data collector that owns or licenses personal | ||
information concerning an Illinois resident shall notify the
| ||
resident at no charge that there has been a breach of the | ||
security of the
system data following discovery or notification | ||
of the breach.
The disclosure notification shall be made in the | ||
most
expedient time possible and without unreasonable delay,
| ||
consistent with any measures necessary to determine the
scope | ||
of the breach and restore the reasonable integrity,
security, | ||
and confidentiality of the data system. The disclosure | ||
notification to an Illinois resident shall include, but need | ||
not be limited to, information as follows: | ||
(1) With respect to personal information as defined in | ||
Section 5 in paragraph (1) of the definition of "personal | ||
information": | ||
(A) (i) the toll-free numbers and addresses for | ||
consumer reporting agencies; , | ||
(B) (ii) the toll-free number, address, and | ||
website address for the Federal Trade Commission; , and | ||
(C) (iii) a statement that the individual can | ||
obtain information from these sources about fraud | ||
alerts and security freezes. | ||
The notification shall not, however, include information | ||
concerning the number of Illinois residents affected by the | ||
breach. | ||
(2) With respect to personal information defined in | ||
Section 5 in paragraph (2) of the definition of "personal | ||
information", notice may be provided in electronic or other | ||
form directing the Illinois resident whose personal | ||
information has been breached to promptly change his or her | ||
user name or password and security question or answer, as | ||
applicable, or to take other steps appropriate to protect | ||
all online accounts for which the resident uses the same | ||
user name or email address and password or security | ||
question and answer. | ||
(b) Any data collector that maintains or stores, but does | ||
not own or license, computerized data that
includes personal | ||
information that the data collector does not own or license | ||
shall notify the owner or licensee of the information of any | ||
breach of the security of the data immediately following | ||
discovery, if the personal information was, or is reasonably | ||
believed to have been, acquired by
an unauthorized person. In | ||
addition to providing such notification to the owner or | ||
licensee, the data collector shall cooperate with the owner or | ||
licensee in matters relating to the breach. That cooperation | ||
shall include, but need not be limited to, (i) informing the | ||
owner or licensee of the breach, including giving notice of the | ||
date or approximate date of the breach and the nature of the | ||
breach, and (ii) informing the owner or licensee of any steps | ||
the data collector has taken or plans to take relating to the | ||
breach. The data collector's cooperation shall not, however, be | ||
deemed to require either the disclosure of confidential | ||
business information or trade secrets or the notification of an | ||
Illinois resident who may have been affected by the breach.
| ||
(b-5) The notification to an Illinois resident required by | ||
subsection (a) of this Section may be delayed if an appropriate | ||
law enforcement agency determines that notification will | ||
interfere with a criminal investigation and provides the data | ||
collector with a written request for the delay. However, the | ||
data collector must notify the Illinois resident as soon as | ||
notification will no longer interfere with the investigation.
| ||
(c) For purposes of this Section, notice to consumers may | ||
be provided by one of the following methods:
| ||
(1) written notice; | ||
(2) electronic notice, if the notice provided is
| ||
consistent with the provisions regarding electronic
| ||
records and signatures for notices legally required to be
| ||
in writing as set forth in Section 7001 of Title 15 of the | ||
United States Code;
or | ||
(3) substitute notice, if the data collector
| ||
demonstrates that the cost of providing notice would exceed
| ||
$250,000 or that the affected class of subject persons to | ||
be notified exceeds 500,000, or the data collector does not
| ||
have sufficient contact information. Substitute notice | ||
shall consist of all of the following: (i) email notice if | ||
the data collector has an email address for the subject | ||
persons; (ii) conspicuous posting of the notice on the data
| ||
collector's web site page if the data collector maintains
| ||
one; and (iii) notification to major statewide media or, if | ||
the breach impacts residents in one geographic area, to | ||
prominent local media in areas where affected individuals | ||
are likely to reside if such notice is reasonably | ||
calculated to give actual notice to persons whom notice is | ||
required. | ||
(d) Notwithstanding any other subsection in this Section, a | ||
data collector
that maintains its own notification procedures | ||
as part of an
information security policy for the treatment of | ||
personal
information and is otherwise consistent with the | ||
timing requirements of this Act, shall be deemed in compliance
| ||
with the notification requirements of this Section if the
data | ||
collector notifies subject persons in accordance with its | ||
policies in the event of a breach of the security of the system | ||
data.
| ||
(Source: P.A. 97-483, eff. 1-1-12.) | ||
(815 ILCS 530/12)
| ||
Sec. 12. Notice of breach; State agency. | ||
(a) Any State agency that collects personal information | ||
concerning an Illinois resident shall notify the
resident at no | ||
charge that there has been a breach of the security of the
| ||
system data or written material following discovery or | ||
notification of the breach.
The disclosure notification shall | ||
be made in the most
expedient time possible and without | ||
unreasonable delay,
consistent with any measures necessary to | ||
determine the
scope of the breach and restore the reasonable | ||
integrity,
security, and confidentiality of the data system. | ||
The disclosure notification to an Illinois resident shall | ||
include, but need not be limited to information as follows: | ||
(1) With respect to personal information defined in | ||
Section 5 in paragraph (1) of the definition of "personal | ||
information": , | ||
(i) the toll-free numbers and addresses for | ||
consumer reporting agencies; , | ||
(ii) the toll-free number, address, and website | ||
address for the Federal Trade Commission; , and | ||
(iii) a statement that the individual can obtain | ||
information from these sources about fraud alerts and | ||
security freezes. | ||
(2) With respect to personal information as defined in | ||
Section 5 in paragraph (2) of the definition of "personal | ||
information", notice may be provided in electronic or other | ||
form directing the Illinois resident whose personal | ||
information has been breached to promptly change his or her | ||
user name or password and security question or answer, as | ||
applicable, or to take other steps appropriate to protect | ||
all online accounts for which the resident uses the same | ||
user name or email address and password or security | ||
question and answer. | ||
The notification shall not, however, include information | ||
concerning the number of Illinois residents affected by the | ||
breach. | ||
(a-5) The notification to an Illinois resident required by | ||
subsection (a) of this Section may be delayed if an appropriate | ||
law enforcement agency determines that notification will | ||
interfere with a criminal investigation and provides the State | ||
agency with a written request for the delay. However, the State | ||
agency must notify the Illinois resident as soon as | ||
notification will no longer interfere with the investigation. | ||
(b) For purposes of this Section, notice to residents may | ||
be provided by one of the following methods:
| ||
(1) written notice;
| ||
(2) electronic notice, if the notice provided is
| ||
consistent with the provisions regarding electronic
| ||
records and signatures for notices legally required to be
| ||
in writing as set forth in Section 7001 of Title 15 of the | ||
United States Code;
or
| ||
(3) substitute notice, if the State agency
| ||
demonstrates that the cost of providing notice would exceed
| ||
$250,000 or that the affected class of subject persons to | ||
be notified exceeds 500,000, or the State agency does not
| ||
have sufficient contact information. Substitute notice | ||
shall consist of all of the following: (i) email notice if | ||
the State agency has an email address for the subject | ||
persons; (ii) conspicuous posting of the notice on the | ||
State agency's web site page if the State agency maintains
| ||
one; and (iii) notification to major statewide media.
| ||
(c) Notwithstanding subsection (b), a State agency
that | ||
maintains its own notification procedures as part of an
| ||
information security policy for the treatment of personal
| ||
information and is otherwise consistent with the timing | ||
requirements of this Act shall be deemed in compliance
with the | ||
notification requirements of this Section if the
State agency | ||
notifies subject persons in accordance with its policies in the | ||
event of a breach of the security of the system data or written | ||
material.
| ||
(d) If a State agency is required to notify more than 1,000 | ||
persons of a breach of security pursuant to this Section, the | ||
State agency shall also notify, without unreasonable delay, all | ||
consumer reporting agencies that compile and maintain files on | ||
consumers on a nationwide basis, as defined by 15 U.S.C. | ||
Section 1681a(p), of the timing, distribution, and content of | ||
the notices. Nothing in this subsection (d) shall be construed | ||
to require the State agency to provide to the consumer | ||
reporting agency the names or other personal identifying | ||
information of breach notice recipients.
| ||
(e) Notice to Attorney General. Any State agency that | ||
suffers a single breach of the security of the data concerning | ||
the personal information of more than 250 Illinois residents | ||
shall provide notice to the Attorney General of the breach, | ||
including: | ||
(A) The types of personal information compromised in | ||
the breach. | ||
(B) The number of Illinois residents affected by such | ||
incident at the time of notification. | ||
(C) Any steps the State agency has taken or plans to | ||
take relating to notification of the breach to consumers. | ||
(D) The date and timeframe of the breach, if known at | ||
the time notification is provided. | ||
Such notification must be made within 45 days of the State | ||
agency's discovery of the security breach or when the State | ||
agency provides any notice to consumers required by this | ||
Section, whichever is sooner, unless the State agency has good | ||
cause for reasonable delay to determine the scope of the breach | ||
and restore the integrity, security, and confidentiality of the | ||
data system, or when law enforcement requests in writing to | ||
withhold disclosure of some or all of the information required | ||
in the notification under this Section. If the date or | ||
timeframe of the breach is unknown at the time the notice is | ||
sent to the Attorney General, the State agency shall send the | ||
Attorney General the date or timeframe of the breach as soon as | ||
possible. | ||
(Source: P.A. 97-483, eff. 1-1-12.) | ||
(815 ILCS 530/45 new) | ||
Sec. 45. Data security. | ||
(a) A data collector that owns or licenses, or maintains or | ||
stores but does not own or license, records that contain | ||
personal information concerning an Illinois resident shall | ||
implement and maintain reasonable security measures to protect | ||
those records from unauthorized access, acquisition, | ||
destruction, use, modification, or disclosure. | ||
(b) A contract for the disclosure of personal information | ||
concerning an Illinois resident that is maintained by a data | ||
collector must include a provision requiring the person to whom | ||
the information is disclosed to implement and maintain | ||
reasonable security measures to protect those records from | ||
unauthorized access, acquisition, destruction, use, | ||
modification, or disclosure. | ||
(c) If a state or federal law requires a data collector to | ||
provide greater protection to records that contain personal | ||
information concerning an Illinois resident that are | ||
maintained by the data collector and the data collector is in | ||
compliance with the provisions of that state or federal law, | ||
the data collector shall be deemed to be in compliance with the | ||
provisions of this Section. | ||
(d) A data collector that is subject to and in compliance | ||
with the standards established pursuant to Section 501(b) of | ||
the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801, | ||
shall be deemed to be in compliance with the provisions of this | ||
Section. | ||
(815 ILCS 530/50 new) | ||
Sec. 50. Entities subject to the federal Health Insurance | ||
Portability and Accountability Act of 1996. Any covered entity | ||
or business associate that is subject to and in compliance with | ||
the privacy and security standards for the protection of | ||
electronic health information established pursuant to the | ||
federal Health Insurance Portability and Accountability Act of | ||
1996 and the Health Information Technology for Economic and | ||
Clinical Health Act shall be deemed to be in compliance with | ||
the provisions of this Act, provided that any covered entity or | ||
business associate required to provide notification of a breach | ||
to the Secretary of Health and Human Services pursuant to the | ||
Health Information Technology for Economic and Clinical Health | ||
Act also provides such notification to the Attorney General | ||
within 5 business days of notifying the Secretary.
| ||