AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 5. The Personal Information Protection Act is amended by changing Sections 5 and 45 as follows:

(815 ILCS 530/5)

Sec. 5. Definitions. In this Act:

"Data collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

"Breach of the security of the system data" or "breach" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

"Health insurance information" means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records.

"Immigration or citizenship status information" means any information concerning: (i) the status of an individual's citizenship of the United States or any other country; or (ii) the legal right, or lack thereof, of an individual to reside in or otherwise to be present in the United States. "Immigration or citizenship status information" includes an individual's nationality and country of origin.

"Medical information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application.

"Personal information" means either of the following:

    (1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:

        (A) Social Security number.

        (B) Driver's license number or State identification card number.

        (C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

        (D) Medical information.

        (E) Health insurance information.

        (F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.

        (G) Immigration or citizenship status information.

    (2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

(Source: P.A. 99-503, eff. 1-1-17.)

(815 ILCS 530/45)

Sec. 45. Data security.

(a) A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.

(a-5) A data collector shall not own, maintain, license, store, or disclose records that contain immigration or citizenship status information concerning an Illinois resident. This subsection shall not apply to government agencies, public and private universities, or financial institutions.

(b) A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.

(c) If a state or federal law requires a data collector to provide greater protection to records that contain personal information concerning an Illinois resident that are maintained by the data collector and the data collector is in compliance with the provisions of that state or federal law, the data collector shall be deemed to be in compliance with the provisions of this Section.

(d) A data collector that is subject to and in compliance with the standards established pursuant to Section 501(b) of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801, shall be deemed to be in compliance with the provisions of this Section.

(Source: P.A. 99-503, eff. 1-1-17.)