Public Act 097-0483
 
HB3025 Enrolled    LRB097 06857 AEK 46950 b

    AN ACT concerning business.
 
    Be it enacted by the People of the State of Illinois,
represented in the General Assembly:
 
    Section 5. The Personal Information Protection Act is
amended by changing Sections 5, 10, and 12 and by adding
Section 40 as follows:
 
    (815 ILCS 530/5)
    Sec. 5. Definitions. In this Act:
    "Data Collector" may include, but is not limited to,
government agencies, public and private universities,
privately and publicly held corporations, financial
institutions, retail operators, and any other entity that, for
any purpose, handles, collects, disseminates, or otherwise
deals with nonpublic personal information.
    "Breach of the security of the system data" or "breach"
means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of
personal information maintained by the data collector. "Breach
of the security of the system data" does not include good faith
acquisition of personal information by an employee or agent of
the data collector for a legitimate purpose of the data
collector, provided that the personal information is not used
for a purpose unrelated to the data collector's business or
subject to further unauthorized disclosure.
    "Personal information" means an individual's first name or
first initial and last name in combination with any one or more
of the following data elements, when either the name or the
data elements are not encrypted or redacted:
        (1) Social Security number.
        (2) Driver's license number or State identification
    card number.
        (3) Account number or credit or debit card number, or
    an account number or credit card number in combination with
    any required security code, access code, or password that
    would permit access to an individual's financial account.
"Personal information" does not include publicly available
information that is lawfully made available to the general
public from federal, State, or local government records.
(Source: P.A. 94-36, eff. 1-1-06.)
 
    (815 ILCS 530/10)
    Sec. 10. Notice of Breach.
    (a) Any data collector that owns or licenses personal
information concerning an Illinois resident shall notify the
resident at no charge that there has been a breach of the
security of the system data following discovery or notification
of the breach. The disclosure notification shall be made in the
most expedient time possible and without unreasonable delay,
consistent with any measures necessary to determine the scope
of the breach and restore the reasonable integrity, security,
and confidentiality of the data system. The disclosure
notification to an Illinois resident shall include, but need
not be limited to, (i) the toll-free numbers and addresses for
consumer reporting agencies, (ii) the toll-free number,
address, and website address for the Federal Trade Commission,
and (iii) a statement that the individual can obtain
information from these sources about fraud alerts and security
freezes. The notification shall not, however, include
information concerning the number of Illinois residents
affected by the breach.
    (b) Any data collector that maintains or stores, but does
not own or license, computerized data that includes personal
information that the data collector does not own or license
shall notify the owner or licensee of the information of any
breach of the security of the data immediately following
discovery, if the personal information was, or is reasonably
believed to have been, acquired by an unauthorized person. In
addition to providing such notification to the owner or
licensee, the data collector shall cooperate with the owner or
licensee in matters relating to the breach. That cooperation
shall include, but need not be limited to, (i) informing the
owner or licensee of the breach, including giving notice of the
date or approximate date of the breach and the nature of the
breach, and (ii) informing the owner or licensee of any steps
the data collector has taken or plans to take relating to the
breach. The data collector's cooperation shall not, however, be
deemed to require either the disclosure of confidential
business information or trade secrets or the notification of an
Illinois resident who may have been affected by the breach.
    (b-5) The notification to an Illinois resident required by
subsection (a) of this Section may be delayed if an appropriate
law enforcement agency determines that notification will
interfere with a criminal investigation and provides the data
collector with a written request for the delay. However, the
data collector must notify the Illinois resident as soon as
notification will no longer interfere with the investigation.
    (c) For purposes of this Section, notice to consumers may
be provided by one of the following methods:
        (1) written notice;
        (2) electronic notice, if the notice provided is
    consistent with the provisions regarding electronic
    records and signatures for notices legally required to be
    in writing as set forth in Section 7001 of Title 15 of the
    United States Code; or
        (3) substitute notice, if the data collector
    demonstrates that the cost of providing notice would exceed
    $250,000 or that the affected class of subject persons to
    be notified exceeds 500,000, or the data collector does not
    have sufficient contact information. Substitute notice
    shall consist of all of the following: (i) email notice if
    the data collector has an email address for the subject
    persons; (ii) conspicuous posting of the notice on the data
    collector's web site page if the data collector maintains
    one; and (iii) notification to major statewide media.
    (d) Notwithstanding any other subsection in this Section,
a data collector that maintains its own notification
procedures as part of an information security policy for the
treatment of personal information and is otherwise consistent
with the timing requirements of this Act, shall be deemed in
compliance with the notification requirements of this Section
if the data collector notifies subject persons in accordance
with its policies in the event of a breach of the security of
the system data.
(Source: P.A. 94-36, eff. 1-1-06; 94-947, eff. 6-27-06.)
 
    (815 ILCS 530/12)
    Sec. 12. Notice of breach; State agency.
    (a) Any State agency that collects personal information
concerning an Illinois resident shall notify the resident at no
charge that there has been a breach of the security of the
system data or written material following discovery or
notification of the breach. The disclosure notification shall
be made in the most expedient time possible and without
unreasonable delay, consistent with any measures necessary to
determine the scope of the breach and restore the reasonable
integrity, security, and confidentiality of the data system.
The disclosure notification to an Illinois resident shall
include, but need not be limited to, (i) the toll-free numbers
and addresses for consumer reporting agencies, (ii) the
toll-free number, address, and website address for the Federal
Trade Commission, and (iii) a statement that the individual can
obtain information from these sources about fraud alerts and
security freezes. The notification shall not, however, include
information concerning the number of Illinois residents
affected by the breach.
    (a-5) The notification to an Illinois resident required by
subsection (a) of this Section may be delayed if an appropriate
law enforcement agency determines that notification will
interfere with a criminal investigation and provides the State
agency with a written request for the delay. However, the State
agency must notify the Illinois resident as soon as
notification will no longer interfere with the investigation.
    (b) For purposes of this Section, notice to residents may
be provided by one of the following methods:
        (1) written notice;
        (2) electronic notice, if the notice provided is
    consistent with the provisions regarding electronic
    records and signatures for notices legally required to be
    in writing as set forth in Section 7001 of Title 15 of the
    United States Code; or
        (3) substitute notice, if the State agency
    demonstrates that the cost of providing notice would exceed
    $250,000 or that the affected class of subject persons to
    be notified exceeds 500,000, or the State agency does not
    have sufficient contact information. Substitute notice
    shall consist of all of the following: (i) email notice if
    the State agency has an email address for the subject
    persons; (ii) conspicuous posting of the notice on the
    State agency's web site page if the State agency maintains
    one; and (iii) notification to major statewide media.
    (c) Notwithstanding subsection (b), a State agency that
maintains its own notification procedures as part of an
information security policy for the treatment of personal
information and is otherwise consistent with the timing
requirements of this Act shall be deemed in compliance with the
notification requirements of this Section if the State agency
notifies subject persons in accordance with its policies in the
event of a breach of the security of the system data or written
material.
    (d) If a State agency is required to notify more than 1,000
persons of a breach of security pursuant to this Section, the
State agency shall also notify, without unreasonable delay, all
consumer reporting agencies that compile and maintain files on
consumers on a nationwide basis, as defined by 15 U.S.C.
Section 1681a(p), of the timing, distribution, and content of
the notices. Nothing in this subsection (d) shall be construed
to require the State agency to provide to the consumer
reporting agency the names or other personal identifying
information of breach notice recipients.
(Source: P.A. 94-947, eff. 6-27-06.)
 
    (815 ILCS 530/40 new)
    Sec. 40. Disposal of materials containing personal
information; Attorney General.
    (a) In this Section, "person" means: a natural person; a
corporation, partnership, association, or other legal entity;
a unit of local government or any agency, department, division,
bureau, board, commission, or committee thereof; or the State
of Illinois or any constitutional officer, agency, department,
division, bureau, board, commission, or committee thereof.
    (b) A person must dispose of the materials containing
personal information in a manner that renders the personal
information unreadable, unusable, and undecipherable. Proper
disposal methods include, but are not limited to, the
following:
        (1) Paper documents containing personal information
    may be either redacted, burned, pulverized, or shredded so
    that personal information cannot practicably be read or
    reconstructed.
        (2) Electronic media and other non-paper media
    containing personal information may be destroyed or erased
    so that personal information cannot practicably be read or
    reconstructed.
    (c) Any person disposing of materials containing personal
information may contract with a third party to dispose of such
materials in accordance with this Section. Any third party that
contracts with a person to dispose of materials containing
personal information must implement and monitor compliance
with policies and procedures that prohibit unauthorized access
to or acquisition of or use of personal information during the
collection, transportation, and disposal of materials
containing personal information.
    (d) Any person, including but not limited to a third party
referenced in subsection (c), who violates this Section is
subject to a civil penalty of not more than $100 for each
individual with respect to whom personal information is
disposed of in violation of this Section. A civil penalty may
not, however, exceed $50,000 for each instance of improper
disposal of materials containing personal information. The
Attorney General may impose a civil penalty after notice to the
person accused of violating this Section and an opportunity for
that person to be heard in the matter. The Attorney General may
file a civil action in the circuit court to recover any penalty
imposed under this Section.
    (e) In addition to the authority to impose a civil penalty
under subsection (d), the Attorney General may bring an action
in the circuit court to remedy a violation of this Section,
seeking any appropriate relief.
    (f) A financial institution under 15 U.S.C. 6801 et seq.
or any person subject to 15 U.S.C. 1681w is exempt from this
Section.