|  |
Public Act 097-0483
Public Act 0483 97TH GENERAL ASSEMBLY
|
Public Act 097-0483
| | HB3025 Enrolled | LRB097 06857 AEK 46950 b |
|
| AN ACT concerning business.
| Be it enacted by the People of the State of Illinois,
| represented in the General Assembly:
| Section 5. The Personal Information Protection Act is | amended by changing Sections 5, 10, and 12 and by adding | Section 40 as follows:
| (815 ILCS 530/5)
| Sec. 5. Definitions. In this Act: | "Data Collector" may include, but is not limited to,
| government agencies, public and private universities,
| privately and publicly held corporations, financial
| institutions, retail operators, and any other entity that, for | any purpose, handles, collects, disseminates, or otherwise
| deals with nonpublic personal information.
| "Breach of the security of the system data" or "breach" | means
unauthorized acquisition of computerized data that | compromises the security, confidentiality, or integrity of | personal information maintained by the data collector. "Breach | of the security of the system data" does not include good faith
| acquisition of personal information by an employee or agent of
| the data collector for a legitimate purpose of the data
| collector, provided that the personal information is not used
| for a purpose unrelated to the data collector's business or
|
| subject to further unauthorized disclosure.
| "Personal information" means an individual's first name or | first initial and last name in combination with any one or more
| of the following data elements, when either the name or the | data elements are not encrypted or redacted:
| (1) Social Security number. | (2) Driver's license number or State identification
| card number.
| (3) Account number or credit or debit card number, or | an
account number or credit card number in combination with
| any required security code, access code, or password that
| would permit access to an individual's financial account.
| "Personal information" does not include publicly available
| information that is lawfully made available to the general
| public from federal, State, or local government records.
| (Source: P.A. 94-36, eff. 1-1-06.)
| (815 ILCS 530/10)
| Sec. 10. Notice of Breach. | (a) Any data collector that owns or licenses personal | information concerning an Illinois resident shall notify the
| resident at no charge that there has been a breach of the | security of the
system data following discovery or notification | of the breach.
The disclosure notification shall be made in the | most
expedient time possible and without unreasonable delay,
| consistent with any measures necessary to determine the
scope |
| of the breach and restore the reasonable integrity,
security, | and confidentiality of the data system. The disclosure | notification to an Illinois resident shall include, but need | not be limited to, (i) the toll-free numbers and addresses for | consumer reporting agencies, (ii) the toll-free number, | address, and website address for the Federal Trade Commission, | and (iii) a statement that the individual can obtain | information from these sources about fraud alerts and security | freezes. The notification shall not, however, include | information concerning the number of Illinois residents | affected by the breach. | (b) Any data collector that maintains or stores, but does | not own or license, computerized data that
includes personal | information that the data collector does not own or license | shall notify the owner or licensee of the information of any | breach of the security of the data immediately following | discovery, if the personal information was, or is reasonably | believed to have been, acquired by
an unauthorized person. In | addition to providing such notification to the owner or | licensee, the data collector shall cooperate with the owner or | licensee in matters relating to the breach. That cooperation | shall include, but need not be limited to, (i) informing the | owner or licensee of the breach, including giving notice of the | date or approximate date of the breach and the nature of the | breach, and (ii) informing the owner or licensee of any steps | the data collector has taken or plans to take relating to the |
| breach. The data collector's cooperation shall not, however, be | deemed to require either the disclosure of confidential | business information or trade secrets or the notification of an | Illinois resident who may have been affected by the breach.
| (b-5) The notification to an Illinois resident required by | subsection (a) of this Section may be delayed if an appropriate | law enforcement agency determines that notification will | interfere with a criminal investigation and provides the data | collector with a written request for the delay. However, the | data collector must notify the Illinois resident as soon as | notification will no longer interfere with the investigation.
| (c) For purposes of this Section, notice to consumers may | be provided by one of the following methods:
| (1) written notice; | (2) electronic notice, if the notice provided is
| consistent with the provisions regarding electronic
| records and signatures for notices legally required to be
| in writing as set forth in Section 7001 of Title 15 of the | United States Code;
or | (3) substitute notice, if the data collector
| demonstrates that the cost of providing notice would exceed
| $250,000 or that the affected class of subject persons to | be notified exceeds 500,000, or the data collector does not
| have sufficient contact information. Substitute notice | shall consist of all of the following: (i) email notice if | the data collector has an email address for the subject |
| persons; (ii) conspicuous posting of the notice on the data
| collector's web site page if the data collector maintains
| one; and (iii) notification to major statewide media. | (d) Notwithstanding any other subsection in this Section | (c), a data collector
that maintains its own notification | procedures as part of an
information security policy for the | treatment of personal
information and is otherwise consistent | with the timing requirements of this Act, shall be deemed in | compliance
with the notification requirements of this Section | if the
data collector notifies subject persons in accordance | with its policies in the event of a breach of the security of | the system data.
| (Source: P.A. 94-36, eff. 1-1-06; 94-947, eff. 6-27-06.)
| (815 ILCS 530/12)
| Sec. 12. Notice of breach; State agency. | (a) Any State agency that collects personal information | concerning an Illinois resident shall notify the
resident at no | charge that there has been a breach of the security of the
| system data or written material following discovery or | notification of the breach.
The disclosure notification shall | be made in the most
expedient time possible and without | unreasonable delay,
consistent with any measures necessary to | determine the
scope of the breach and restore the reasonable | integrity,
security, and confidentiality of the data system. | The disclosure notification to an Illinois resident shall |
| include, but need not be limited to, (i) the toll-free numbers | and addresses for consumer reporting agencies, (ii) the | toll-free number, address, and website address for the Federal | Trade Commission, and (iii) a statement that the individual can | obtain information from these sources about fraud alerts and | security freezes. The notification shall not, however, include | information concerning the number of Illinois residents | affected by the breach. | (a-5) The notification to an Illinois resident required by | subsection (a) of this Section may be delayed if an appropriate | law enforcement agency determines that notification will | interfere with a criminal investigation and provides the State | agency with a written request for the delay. However, the State | agency must notify the Illinois resident as soon as | notification will no longer interfere with the investigation. | (b) For purposes of this Section, notice to residents may | be provided by one of the following methods:
| (1) written notice;
| (2) electronic notice, if the notice provided is
| consistent with the provisions regarding electronic
| records and signatures for notices legally required to be
| in writing as set forth in Section 7001 of Title 15 of the | United States Code;
or
| (3) substitute notice, if the State agency
| demonstrates that the cost of providing notice would exceed
| $250,000 or that the affected class of subject persons to |
| be notified exceeds 500,000, or the State agency does not
| have sufficient contact information. Substitute notice | shall consist of all of the following: (i) email notice if | the State agency has an email address for the subject | persons; (ii) conspicuous posting of the notice on the | State agency's web site page if the State agency maintains
| one; and (iii) notification to major statewide media.
| (c) Notwithstanding subsection (b), a State agency
that | maintains its own notification procedures as part of an
| information security policy for the treatment of personal
| information and is otherwise consistent with the timing | requirements of this Act shall be deemed in compliance
with the | notification requirements of this Section if the
State agency | notifies subject persons in accordance with its policies in the | event of a breach of the security of the system data or written | material.
| (d) If a State agency is required to notify more than 1,000 | persons of a breach of security pursuant to this Section, the | State agency shall also notify, without unreasonable delay, all | consumer reporting agencies that compile and maintain files on | consumers on a nationwide basis, as defined by 15 U.S.C. | Section 1681a(p), of the timing, distribution, and content of | the notices. Nothing in this subsection (d) shall be construed | to require the State agency to provide to the consumer | reporting agency the names or other personal identifying | information of breach notice recipients.
|
| (Source: P.A. 94-947, eff. 6-27-06.)
| (815 ILCS 530/40 new) | Sec. 40. Disposal of materials containing personal | information; Attorney General. | (a) In this Section, "person" means: a natural person; a | corporation, partnership, association, or other legal entity; | a unit of local government or any agency, department, division, | bureau, board, commission, or committee thereof; or the State | of Illinois or any constitutional officer, agency, department, | division, bureau, board, commission, or committee thereof. | (b) A person must dispose of the materials containing | personal information in a manner that renders the personal | information unreadable, unusable, and undecipherable. Proper | disposal methods include, but are not limited to, the | following: | (1) Paper documents containing personal information | may be either redacted, burned, pulverized, or shredded so | that personal information cannot practicably be read or | reconstructed. | (2) Electronic media and other non-paper media | containing personal information may be destroyed or erased | so that personal information cannot practicably be read or | reconstructed. | (c) Any person disposing of materials containing personal | information may contract with a third party to dispose of such |
| materials in accordance with this Section. Any third party that | contracts with a person to dispose of materials containing | personal information must implement and monitor compliance | with policies and procedures that prohibit unauthorized access | to or acquisition of or use of personal information during the | collection, transportation, and disposal of materials | containing personal information. | (d) Any person, including but not limited to a third party | referenced in subsection (c), who violates this Section is | subject to a civil penalty of not more than $100 for each | individual with respect to whom personal information is | disposed of in violation of this Section. A civil penalty may | not, however, exceed $50,000 for each instance of improper | disposal of materials containing personal information. The | Attorney General may impose a civil penalty after notice to the | person accused of violating this Section and an opportunity for | that person to be heard in the matter. The Attorney General may | file a civil action in the circuit court to recover any penalty | imposed under this Section. | (e) In addition to the authority to impose a civil penalty | under subsection (d), the Attorney General may bring an action | in the circuit court to remedy a violation of this Section, | seeking any appropriate relief. | (f) A financial institution under 15 U.S.C. 6801 et. seq. | or any person subject to 15 U.S.C. 1681w is exempt from this | Section.
|
Effective Date: 1/1/2012
|
|
|
|
Translate
