Rep. Ann Williams
Filed: 11/9/2015
 
 

 

 

 
09900HB1260ham001LRB099 05116 KTG 39629 a



1
AMENDMENT TO HOUSE BILL 1260




2    AMENDMENT NO. ______. Amend House Bill 1260 by replacing 
3everything after the enacting clause with the following:



 
 
4    "Section 5. The Personal Information Protection Act is 
5amended  by changing Sections 5, 10, and 12 and  adding Sections 
645 and 50 as follows:
 
7    (815 ILCS 530/5)

8    Sec. 5. Definitions. In this Act: 
9    "Data Collector" may include, but is not limited to,
  
10government agencies, public and private universities,

11privately and publicly held corporations, financial

12institutions, retail operators, and any other entity that, for  
13any purpose,  handles, collects, disseminates, or otherwise

14deals with nonpublic personal information.

15    "Breach of the security of the system data" or "breach" 
16means
unauthorized acquisition of computerized data that 
 
 
09900HB1260ham001- 2 -LRB099 05116 KTG 39629 a

1compromises  the security, confidentiality, or integrity of 
2personal  information maintained by the data collector. "Breach 
3of the security of the system data" does not include good faith

4acquisition of personal information by an employee or agent of

5the data collector for a legitimate purpose of the data

6collector, provided that the personal information is not used

7for a purpose unrelated to the data collector's business or

8subject to further unauthorized disclosure.

9    "Health insurance information" means an individual's 
10health insurance policy number or subscriber identification 
11number, any unique identifier used by a health insurer to 
12identify the individual, or any medical information in an 
13individual's health insurance application and claims history, 
14including any appeals records.
15    "Medical information" means any information regarding an 
16individual's medical history, mental or physical condition, or 
17medical treatment or diagnosis by a healthcare professional, 
18including such information provided to a website or mobile 
19application. 
20    "Personal information" means either of the following:
21        (1) an individual's first name or first initial and 
22    last name in combination with any one or more
  of the 
23    following data elements, when either the name or the  data 
24    elements are not encrypted or redacted or are encrypted or 
25    redacted but the keys to unencrypt or unredact or otherwise 
26    read the name or data elements have been acquired without 
 
 
09900HB1260ham001- 3 -LRB099 05116 KTG 39629 a

1    authorization through the breach of security:

2            (A) (1) Social Security number. 
3            (B) (2) Driver's license number or State 
4        identification
      card number.

5            (C) (3) Account number or credit or debit card 
6        number, or an
account number or credit card number in 
7        combination with
any required security code, access 
8        code, or password that



would permit access to an 
9        individual's financial account.

10            (D) Medical information.
11            (E) Health insurance information.
12            (F) Unique biometric data generated from 
13        measurements or technical analysis of human body 
14        characteristics used by the owner or licensee to 
15        authenticate an individual, such as a fingerprint, 
16        retina or iris image, or other unique physical 
17        representation or digital representation of biometric 
18        data.
19        (2) user name or email address, in combination with a 
20    password or security question and answer that would permit 
21    access to an online account, when either the user name or 
22    email address or password or security question and answer 
23    are not encrypted or redacted or are encrypted or redacted 
24    but the keys to unencrypt or unredact or otherwise read the 
25    data elements have been obtained through the breach of 
26    security. 
 
 
09900HB1260ham001- 4 -LRB099 05116 KTG 39629 a

1    "Personal information" does not include publicly available

2information that is lawfully made available to the general
  
3public from federal, State, or local government records.


4(Source: P.A. 97-483, eff. 1-1-12.)
 
5    (815 ILCS 530/10)

6    Sec. 10. Notice of Breach.   
7    (a) Any data collector that owns or licenses personal 
8information concerning an Illinois resident shall notify the

9resident at no charge that there has been a breach of the 
10security of the
system data following discovery or notification 
11of the breach.
The disclosure notification shall be made in the 
12most
expedient time possible and without unreasonable delay,

13consistent with any measures necessary to determine the
scope 
14of the breach and restore the reasonable integrity,
security, 
15and confidentiality of the data system. The disclosure 
16notification to an Illinois resident shall include, but need 
17not be limited to, information as follows: 
18        (1) With respect to personal information as defined in 
19    Section 5 in paragraph (1) of the definition of "personal 
20    information":
21            (A) (i) the toll-free numbers and addresses for 
22        consumer reporting agencies; ,
23            (B) (ii) the toll-free number, address, and 
24        website address for the Federal Trade Commission; , and
25            (C) (iii) a statement that the individual can 
 
 
09900HB1260ham001- 5 -LRB099 05116 KTG 39629 a

1        obtain information from these sources about fraud 
2        alerts and security freezes.
3    The notification shall not, however, include information 
4concerning the number of Illinois residents affected by the 
5breach.
6        (2) With respect to personal information defined in 
7    Section 5 in paragraph (2) of the definition of "personal 
8    information", notice may be provided in electronic or other 
9    form directing the Illinois resident whose personal 
10    information has been breached to promptly change his or her 
11    user name or password and security question or answer, as 
12    applicable, or to take other steps appropriate to protect 
13    all online accounts for which the resident uses the same 
14    user name or email address and password or security 
15    question and answer. 
16    (b) Any data collector that maintains or stores, but does 
17not own or license, computerized data that
includes personal 
18information that the data collector does not own or license 
19shall notify the owner or licensee of the information of any 
20breach of the security of the data immediately following 
21discovery, if the personal information was, or is reasonably 
22believed to have been, acquired by
an unauthorized person. In 
23addition to providing such notification to the owner or 
24licensee, the data collector shall cooperate with the owner or 
25licensee in matters relating to the breach. That cooperation 
26shall include, but need not be limited to, (i) informing the 
 
 
09900HB1260ham001- 6 -LRB099 05116 KTG 39629 a

1owner or licensee of the breach, including giving notice of the 
2date or approximate date of the breach and the nature of the 
3breach, and (ii) informing the owner or licensee of any steps 
4the data collector has taken or plans to take relating to the 
5breach. The data collector's cooperation shall not, however, be 
6deemed to require either the disclosure of confidential 
7business information or trade secrets or the notification of an 
8Illinois resident who may have been affected by the breach.

9    (b-5) The notification to an Illinois resident required by 
10subsection (a) of this Section may be delayed if an appropriate 
11law enforcement agency determines that notification will 
12interfere with a criminal investigation and provides the data 
13collector with a written request for the delay. However, the 
14data collector must notify the Illinois resident as soon as 
15notification will no longer interfere with the investigation.

16    (c) For purposes of this Section, notice to consumers may  
17be provided by one of the following methods:

18        (1) written notice; 
19        (2) electronic notice, if the notice provided is
      
20    consistent with the provisions regarding electronic

21    records and signatures for notices legally required to be
      
22    in writing as set forth in Section 7001 of Title 15 of the      
23    United States Code;
or 
24        (3) substitute notice, if the data collector
      
25    demonstrates that the cost of providing notice would exceed

26    $250,000 or that the affected class of subject persons to      
 
 
09900HB1260ham001- 7 -LRB099 05116 KTG 39629 a

1    be notified exceeds 500,000, or the data collector does not

2    have sufficient contact information. Substitute notice      
3    shall consist of all of the following: (i) email notice if      
4    the data collector has an email address for the subject      
5    persons; (ii) conspicuous posting of the notice on the data
      
6    collector's web site page if the data collector maintains
     
7    one; and (iii) notification to major statewide media or, if 
8    the breach impacts residents in one geographic area, to 
9    prominent local media in areas where affected individuals 
10    are likely to reside if such notice is reasonably 
11    calculated to give actual notice to persons whom notice is 
12    required.  
13    (d) Notwithstanding any other subsection in this Section, a 
14data collector
that maintains its own notification procedures 
15as part of an
information security policy for the treatment of 
16personal
information and is otherwise consistent with the 
17timing requirements of this Act, shall be deemed in compliance

18with the notification requirements of this Section if the
data 
19collector notifies subject persons in accordance with its 
20policies in the event of a breach of the security of the system 
21data.


22    (e) Notice to Attorney General. Any data collector that 
23owns or licenses personal information and suffers a single 
24breach of the security of the data concerning the personal 
25information of more than 250 Illinois residents shall provide 
26notice to the Attorney General  of the breach, including:
 
 
09900HB1260ham001- 8 -LRB099 05116 KTG 39629 a

1        (A) The types of personal information compromised in 
2    the breach.
3        (B) The number of Illinois residents affected by such 
4    incident at the time of notification.
5        (C) Any steps the data collector has taken or plans to 
6    take relating to notification of the breach to consumers.
7        (D) The date and timeframe of the breach, if known at 
8    the time notification is provided. 
9    Such notification must be made within 45 days of the data 
10collector's discovery of the security breach or when the data 
11collector provides any notice to consumers required by this 
12Section, whichever is sooner, unless the data collector has 
13good cause for reasonable delay to determine the scope of the 
14breach and restore the integrity, security, and 
15confidentiality of the data system, or when law enforcement 
16requests in writing to withhold disclosure of some or all of 
17the information required in the notification under this 
18Section.  If the date or timeframe of the breach is unknown at 
19the time the notice is sent to the Attorney General, the data 
20collector shall send the Attorney General the date or timeframe 
21of the breach as soon as possible.
22(Source: P.A. 97-483, eff. 1-1-12.)
 
23    (815 ILCS 530/12)

24    Sec. 12. Notice of breach; State agency.
25    (a) Any State agency that collects personal information 
 
 
09900HB1260ham001- 9 -LRB099 05116 KTG 39629 a

1concerning an Illinois resident shall notify the
resident at no 
2charge that there has been a breach of the security of the

3system data or written material following discovery or 
4notification of the breach.
The disclosure notification shall 
5be made in the most
expedient time possible and without 
6unreasonable delay,
consistent with any measures necessary to 
7determine the
scope of the breach and restore the reasonable 
8integrity,
security, and confidentiality of the data system. 
9The disclosure notification to an Illinois resident shall 
10include, but need not be limited to information as follows:
11        (1) With respect to personal information defined in 
12    Section 5 in paragraph (1) of the definition of "personal 
13    information": ,
14            (i) the toll-free numbers and addresses for 
15        consumer reporting agencies; ,
16            (ii) the toll-free number, address, and website 
17        address for the Federal Trade Commission; , and
18            (iii) a statement that the individual can obtain 
19        information from these sources about fraud alerts and 
20        security freezes.
21        (2) With respect to personal information as defined in 
22    Section 5 in paragraph (2) of the definition of "personal 
23    information", notice may be provided in electronic or other 
24    form directing the Illinois resident whose personal 
25    information has been breached to promptly change his or her 
26    user name or password and security question or answer, as 
 
 
09900HB1260ham001- 10 -LRB099 05116 KTG 39629 a

1    applicable, or to take other steps appropriate to protect 
2    all online accounts for which the resident uses the same 
3    user name or email address and password or security 
4    question and answer. 
5    The notification shall not, however, include information 
6concerning the number of Illinois residents affected by the 
7breach. 
8    (a-5) The notification to an Illinois resident required by 
9subsection (a) of this Section may be delayed if an appropriate 
10law enforcement agency determines that notification will 
11interfere with a criminal investigation and provides the State 
12agency with a written request for the delay. However, the State 
13agency must notify the Illinois resident as soon as 
14notification will no longer interfere with the investigation. 
15    (b) For purposes of this Section, notice to residents may  
16be provided by one of the following methods:

17        (1) written notice;

18        (2) electronic notice, if the notice provided is
      
19    consistent with the provisions regarding electronic

20    records and signatures for notices legally required to be
      
21    in writing as set forth in Section 7001 of Title 15 of the      
22    United States Code;
or

23        (3) substitute notice, if the State agency
      
24    demonstrates that the cost of providing notice would exceed

25    $250,000 or that the affected class of subject persons to      
26    be notified exceeds 500,000, or the State agency does not

 
 
09900HB1260ham001- 11 -LRB099 05116 KTG 39629 a

1    have sufficient contact information. Substitute notice      
2    shall consist of all of the following: (i) email notice if      
3    the State agency has an email address for the subject      
4    persons; (ii) conspicuous posting of the notice on the 
5    State agency's web site page if the State agency maintains
     
6    one; and (iii) notification to major statewide media.

7    (c) Notwithstanding subsection (b), a State agency
that 
8maintains its own notification procedures as part of an

9information security policy for the treatment of personal

10information and is otherwise consistent with the timing 
11requirements of this Act shall be deemed in compliance
with the 
12notification requirements of this Section if the
State agency 
13notifies subject persons in accordance with its policies in the 
14event of a breach of the security of the system data or written 
15material.

16    (d) If a State agency is required to notify more than 1,000 
17persons of a breach of security pursuant to this Section, the 
18State agency shall also notify, without unreasonable delay, all 
19consumer reporting agencies that compile and maintain files on 
20consumers on a nationwide basis, as defined by 15 U.S.C. 
21Section 1681a(p), of the timing, distribution, and content of 
22the notices.  Nothing in this subsection (d) shall be construed 
23to require the State agency to provide to the consumer 
24reporting agency the names or other personal identifying 
25information of breach notice recipients.


26    (e) Notice to Attorney General. Any State agency that 
 
 
09900HB1260ham001- 12 -LRB099 05116 KTG 39629 a

1suffers a single breach of the security of the data concerning 
2the personal information of more than 250 Illinois residents 
3shall provide notice to the Attorney General  of the breach, 
4including:
5        (A) The types of personal information compromised in 
6    the breach.
7        (B) The number of Illinois residents affected by such 
8    incident at the time of notification.
9        (C) Any steps the State agency has taken or plans to 
10    take relating to notification of the breach to consumers.
11        (D) The date and timeframe of the breach, if known at 
12    the time notification is provided. 
13    Such notification must be made within 45 days of the State 
14agency's discovery of the security breach or when the State 
15agency provides any notice to consumers required by this 
16Section, whichever is sooner, unless the State agency has good 
17cause for reasonable delay to determine the scope of the breach 
18and restore the integrity, security, and confidentiality of the 
19data system, or when law enforcement requests in writing to 
20withhold disclosure of some or all of the information required 
21in the notification under this Section.  If the date or 
22timeframe of the breach is unknown at the time the notice is 
23sent to the Attorney General, the State agency shall send the 
24Attorney General the date or timeframe of the breach as soon as 
25possible.
26(Source: P.A. 97-483, eff. 1-1-12.)
 
 
 
09900HB1260ham001- 13 -LRB099 05116 KTG 39629 a

1    (815 ILCS 530/45 new)
2    Sec. 45. Data security.
3    (a) A data collector that owns or licenses, or maintains or 
4stores but does not own or license, records that contain 
5personal information concerning an Illinois resident shall 
6implement and maintain reasonable security measures to protect 
7those records from unauthorized access, acquisition, 
8destruction, use, modification, or disclosure.
9    (b) A contract for the disclosure of personal information 
10concerning an Illinois resident that is maintained by a data 
11collector must include a provision requiring the person to whom 
12the information is disclosed to implement and maintain 
13reasonable security measures to protect those records from 
14unauthorized access, acquisition, destruction, use, 
15modification, or disclosure.
16    (c) If a state or federal law requires a data collector to 
17provide greater protection to records that contain personal 
18information concerning an Illinois resident that are 
19maintained by the data collector and the data collector is in 
20compliance with the provisions of that state or federal law, 
21the data collector shall be deemed to be in compliance with the 
22provisions of this Section.
23    (d) A data collector that is subject to and in compliance 
24with the standards established pursuant to Section 501(b) of 
25the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801, 
 
 
09900HB1260ham001- 14 -LRB099 05116 KTG 39629 a

1shall be deemed to be in compliance with the provisions of this 
2Section. 
 
3    (815 ILCS 530/50 new)
4    Sec. 50. Entities subject to the federal Health Insurance 
5Portability and Accountability Act of 1996. Any covered entity 
6or business associate that is subject to and in compliance with 
7the privacy and security standards for the protection of 
8electronic health information established pursuant to the 
9federal Health Insurance Portability and Accountability Act of 
101996 and the Health Information Technology for Economic and 
11Clinical Health Act shall be deemed to be in compliance with 
12the provisions of this Act, provided that any covered entity or 
13business associate required to provide notification of a breach 
14to the Secretary of Health and Human Services pursuant to the 
15Health Information Technology for Economic and Clinical Health 
16Act also provides such notification to the Attorney General 
17within 5 business days of notifying the Secretary.".