Public Act 097-0483
HB3025 Enrolled    LRB097 06857 AEK 46950 b

AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 5. The Personal Information Protection Act is amended by changing Sections 5, 10, and 12 and by adding Section 40 as follows:
(815 ILCS 530/5)

Sec. 5. Definitions. In this Act:

"Data Collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

"Breach of the security of the system data" or "breach" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

    (1) Social Security number.
    (2) Driver's license number or State identification card number.
    (3) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

(Source: P.A. 94-36, eff. 1-1-06.)
(815 ILCS 530/10)

Sec. 10. Notice of Breach.

(a) Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. The disclosure notification to an Illinois resident shall include, but need not be limited to, (i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.

(b) Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition to providing such notification to the owner or licensee, the data collector shall cooperate with the owner or licensee in matters relating to the breach. That cooperation shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach. The data collector's cooperation shall not, however, be deemed to require either the disclosure of confidential business information or trade secrets or the notification of an Illinois resident who may have been affected by the breach.

(b-5) The notification to an Illinois resident required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the data collector with a written request for the delay. However, the data collector must notify the Illinois resident as soon as notification will no longer interfere with the investigation.

(c) For purposes of this Section, notice to consumers may be provided by one of the following methods:

    (1) written notice;
    (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
    (3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media.

(d) Notwithstanding any other subsection in this Section (c), a data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed in compliance with the notification requirements of this Section if the data collector notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.

(Source: P.A. 94-36, eff. 1-1-06; 94-947, eff. 6-27-06.)
(815 ILCS 530/12)

Sec. 12. Notice of breach; State agency.

(a) Any State agency that collects personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data or written material following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. The disclosure notification to an Illinois resident shall include, but need not be limited to, (i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.

(a-5) The notification to an Illinois resident required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the State agency with a written request for the delay. However, the State agency must notify the Illinois resident as soon as notification will no longer interfere with the investigation.

(b) For purposes of this Section, notice to residents may be provided by one of the following methods:

    (1) written notice;
    (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
    (3) substitute notice, if the State agency demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the State agency does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the State agency has an email address for the subject persons; (ii) conspicuous posting of the notice on the State agency's web site page if the State agency maintains one; and (iii) notification to major statewide media.

(c) Notwithstanding subsection (b), a State agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act shall be deemed in compliance with the notification requirements of this Section if the State agency notifies subject persons in accordance with its policies in the event of a breach of the security of the system data or written material.

(d) If a State agency is required to notify more than 1,000 persons of a breach of security pursuant to this Section, the State agency shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notices. Nothing in this subsection (d) shall be construed to require the State agency to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients.

(Source: P.A. 94-947, eff. 6-27-06.)
(815 ILCS 530/40 new)

Sec. 40. Disposal of materials containing personal information; Attorney General.

(a) In this Section, "person" means: a natural person; a corporation, partnership, association, or other legal entity; a unit of local government or any agency, department, division, bureau, board, commission, or committee thereof; or the State of Illinois or any constitutional officer, agency, department, division, bureau, board, commission, or committee thereof.

(b) A person must dispose of the materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable. Proper disposal methods include, but are not limited to, the following:

    (1) Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed.
    (2) Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.

(c) Any person disposing of materials containing personal information may contract with a third party to dispose of such materials in accordance with this Section. Any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information.

(d) Any person, including but not limited to a third party referenced in subsection (c), who violates this Section is subject to a civil penalty of not more than $100 for each individual with respect to whom personal information is disposed of in violation of this Section. A civil penalty may not, however, exceed $50,000 for each instance of improper disposal of materials containing personal information. The Attorney General may impose a civil penalty after notice to the person accused of violating this Section and an opportunity for that person to be heard in the matter. The Attorney General may file a civil action in the circuit court to recover any penalty imposed under this Section.

(e) In addition to the authority to impose a civil penalty under subsection (d), the Attorney General may bring an action in the circuit court to remedy a violation of this Section, seeking any appropriate relief.

(f) A financial institution under 15 U.S.C. 6801 et. seq. or any person subject to 15 U.S.C. 1681w is exempt from this Section.