|
| | 101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
HB2871 Introduced , by Rep. Celina Villanueva SYNOPSIS AS INTRODUCED:
|
| |
Creates the Data Broker Registration Act. Requires a data broker to annually register with the Secretary of State. Defines "data broker" as a business or unit of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. Provides registration requirements, the duties a data broker has to protect personally identifiable information, and the requirements for an information security program. Effective January 1, 2020.
|
| |
| | | FISCAL NOTE ACT MAY APPLY | |
| | A BILL FOR |
|
|
| | HB2871 | | LRB101 08512 JRG 53589 b |
|
|
| 1 | | AN ACT concerning regulation.
|
| 2 | | Be it enacted by the People of the State of Illinois,
|
| 3 | | represented in the General Assembly:
|
| 4 | | Section 1. Short title. This Act may be cited as the Data |
| 5 | | Broker Registration Act.
|
| 6 | | Section 5. Definitions. |
| 7 | | "Brokered personal information" means one or more of the |
| 8 | | following computerized data elements about a consumer, if |
| 9 | | categorized or organized for dissemination to third parties: |
| 10 | | (1) name; |
| 11 | | (2) address; |
| 12 | | (3) date of birth; |
| 13 | | (4) place of birth; |
| 14 | | (5) mother's maiden name; |
| 15 | | (6) unique biometric data generated from measurements |
| 16 | | or technical analysis of human body characteristics used by |
| 17 | | the owner or licensee of the data to identify or |
| 18 | | authenticate the consumer, such as a fingerprint, retina or |
| 19 | | iris image, or other unique physical representation or |
| 20 | | digital representation of biometric data; |
| 21 | | (7) name or address of a member of the consumer's |
| 22 | | immediate family or household; |
| 23 | | (8) social security number or other government-issued |
|
| | HB2871 | - 2 - | LRB101 08512 JRG 53589 b |
|
|
| 1 | | identification number; or |
| 2 | | (9) other information that, alone or in combination |
| 3 | | with the other information sold or licensed, would allow a |
| 4 | | reasonable person to identify the consumer with reasonable |
| 5 | | certainty. |
| 6 | | "Brokered personal information" does not include publicly |
| 7 | | available information to the extent that it is related to a |
| 8 | | consumer's business or profession. |
| 9 | | "Data broker" means a business or unit of a business, |
| 10 | | separately or together, that knowingly collects and sells or |
| 11 | | licenses to third parties the brokered personal information of |
| 12 | | a consumer with whom the business does not have a direct |
| 13 | | relationship. |
| 14 | | "Data broker security breach" means an unauthorized |
| 15 | | acquisition or a reasonable belief of an unauthorized |
| 16 | | acquisition of more than one element of brokered personal |
| 17 | | information maintained by a data broker when the brokered |
| 18 | | personal information is not encrypted, redacted, or protected |
| 19 | | by another method that renders the information unreadable or |
| 20 | | unusable by an unauthorized person. "Data broker security |
| 21 | | breach" does not include good faith but unauthorized |
| 22 | | acquisition of brokered personal information by an employee or |
| 23 | | agent of the data broker for a legitimate purpose of the data |
| 24 | | broker if the brokered personal information is not used for a |
| 25 | | purpose unrelated to the data broker's business or subject to |
| 26 | | further unauthorized disclosure.
|
|
| | HB2871 | - 3 - | LRB101 08512 JRG 53589 b |
|
|
| 1 | | Section 10. Annual registration. |
| 2 | | (a) Annually, on or before January 31 following a year in |
| 3 | | which a person meets the definition of "data broker", a data |
| 4 | | broker shall: |
| 5 | | (1) register with the Secretary of State; |
| 6 | | (2) pay a registration fee of $100; and |
| 7 | | (3) provide the following information: |
| 8 | | (A) the name and primary physical, email, and |
| 9 | | Internet addresses of the data broker; |
| 10 | | (B) if the data broker permits a consumer to opt |
| 11 | | out of the data broker's collection of brokered |
| 12 | | personal information, opt out of its databases, or opt |
| 13 | | out of certain sales of data: |
| 14 | | (i) the method for requesting an opt-out; |
| 15 | | (ii) if the opt-out applies to only certain |
| 16 | | activities or sales, which ones; and |
| 17 | | (iii) whether the data broker permits a |
| 18 | | consumer to authorize a third party to perform the |
| 19 | | opt-out on the consumer's behalf; |
| 20 | | (C) a statement specifying the data collection, |
| 21 | | databases, or sales activities from which a consumer |
| 22 | | may not opt out; |
| 23 | | (D) a statement whether the data broker implements |
| 24 | | a purchaser credentialing process; |
| 25 | | (E) the number of data broker security breaches |
|
| | HB2871 | - 4 - | LRB101 08512 JRG 53589 b |
|
|
| 1 | | that the data broker has experienced during the prior |
| 2 | | year, and if known, the total number of consumers |
| 3 | | affected by the breaches; |
| 4 | | (F) where the data broker has actual knowledge that |
| 5 | | it possesses the brokered personal information of |
| 6 | | minors, a separate statement detailing the data |
| 7 | | collection practices, databases, sales activities, and |
| 8 | | opt-out policies that are applicable to the brokered |
| 9 | | personal information of minors; and |
| 10 | | (G) any additional information or explanation the |
| 11 | | data broker chooses to provide concerning its data |
| 12 | | collection practices. |
| 13 | | (b) A data broker that fails to register under subsection |
| 14 | | (a) is liable to the State for: |
| 15 | | (1) a civil penalty of $50 for each day, not to exceed |
| 16 | | a total of $10,000 for each year, it fails to register |
| 17 | | under this Section; |
| 18 | | (2) an amount equal to the fees due under this Section |
| 19 | | during the period it failed to register under this Section; |
| 20 | | and |
| 21 | | (3) other penalties imposed by law. |
| 22 | | (c) The Attorney General may maintain an action in circuit |
| 23 | | court to collect the penalties imposed in this Section and to |
| 24 | | seek appropriate injunctive relief.
|
| 25 | | Section 15. Duty to protect personally identifiable |
|
| | HB2871 | - 5 - | LRB101 08512 JRG 53589 b |
|
|
| 1 | | information. |
| 2 | | (a) A data broker shall develop, implement, and maintain a |
| 3 | | comprehensive information security program that is written in |
| 4 | | one or more readily accessible parts and contains |
| 5 | | administrative, technical, and physical safeguards that are |
| 6 | | appropriate to: |
| 7 | | (1) the size, scope, and type of business of the data |
| 8 | | broker obligated to safeguard the personally identifiable |
| 9 | | information under such comprehensive information security |
| 10 | | program; |
| 11 | | (2) the amount of resources available to the data |
| 12 | | broker; |
| 13 | | (3) the amount of stored data; and |
| 14 | | (4) the need for security and confidentiality of |
| 15 | | personally identifiable information. |
| 16 | | (b) A data broker subject to this Section shall adopt |
| 17 | | safeguards in the comprehensive security program that are |
| 18 | | consistent with the safeguards for protection of personally |
| 19 | | identifiable information and information of a similar |
| 20 | | character set forth in other State rules or federal regulations |
| 21 | | applicable to the data broker.
|
| 22 | | Section 20. Information security program; minimum |
| 23 | | features. A comprehensive information security program shall, |
| 24 | | at minimum, have the following features: |
| 25 | | (1) designation of one or more employees to maintain |
|
| | HB2871 | - 6 - | LRB101 08512 JRG 53589 b |
|
|
| 1 | | the program; |
| 2 | | (2) identification and assessment of reasonably |
| 3 | | foreseeable internal and external risks to the security, |
| 4 | | confidentiality, and integrity of any electronic, paper, |
| 5 | | or other records containing personally identifiable |
| 6 | | information and a process for evaluating and improving, |
| 7 | | where necessary, the effectiveness of the current |
| 8 | | safeguards for limiting such risks, including: |
| 9 | | (A) ongoing employee training, including training |
| 10 | | for temporary and contract employees; |
| 11 | | (B) employee compliance with policies and |
| 12 | | procedures; and |
| 13 | | (C) means for detecting and preventing security |
| 14 | | system failures; |
| 15 | | (3) security policies for employees relating to the |
| 16 | | storage, access, and transportation of records containing |
| 17 | | personally identifiable information outside business |
| 18 | | premises; |
| 19 | | (4) disciplinary measures for violations of the |
| 20 | | comprehensive information security program rules; |
| 21 | | (5) measures that prevent terminated employees from |
| 22 | | accessing records containing personally identifiable |
| 23 | | information; |
| 24 | | (6) supervision of service providers by: |
| 25 | | (A) taking reasonable steps to select and retain |
| 26 | | third-party service providers that are capable of |
|
| | HB2871 | - 7 - | LRB101 08512 JRG 53589 b |
|
|
| 1 | | maintaining appropriate security measures to protect |
| 2 | | personally identifiable information consistent with |
| 3 | | applicable law; and |
| 4 | | (B) requiring third-party service providers by |
| 5 | | contract to implement and maintain appropriate |
| 6 | | security measures for personally identifiable |
| 7 | | information; |
| 8 | | (7) reasonable restrictions upon physical access to |
| 9 | | records containing personally identifiable information and |
| 10 | | storage of the records and data in locked facilities, |
| 11 | | storage areas, or containers; |
| 12 | | (8) regular monitoring to ensure that the |
| 13 | | comprehensive information security program is operating in |
| 14 | | a manner reasonably calculated to prevent unauthorized |
| 15 | | access to or unauthorized use of personally identifiable |
| 16 | | information; and upgrading information safeguards as |
| 17 | | necessary to limit risks; |
| 18 | | (9) regular review of the scope of the security |
| 19 | | measures: |
| 20 | | (A) at least annually; or |
| 21 | | (B) whenever there is a material change in business |
| 22 | | practices that may reasonably implicate the security |
| 23 | | or integrity of records containing personally |
| 24 | | identifiable information; and |
| 25 | | (10) documentation of responsive actions taken in |
| 26 | | connection with any incident involving a breach of |
|
| | HB2871 | - 8 - | LRB101 08512 JRG 53589 b |
|
|
| 1 | | security; and mandatory post-incident review of events and |
| 2 | | actions taken, if any, to make changes in business |
| 3 | | practices relating to protection of personally |
| 4 | | identifiable information.
|
| 5 | | Section 25. Information security program; computer system |
| 6 | | security requirements. A comprehensive information security |
| 7 | | program required by this Act shall, at minimum, and to the |
| 8 | | extent technically feasible, have the following elements: |
| 9 | | (1) secure user authentication protocols, as follows: |
| 10 | | (A) an authentication protocol that has the |
| 11 | | following features: |
| 12 | | (i) control of user IDs and other identifiers; |
| 13 | | (ii) a reasonably secure method of assigning |
| 14 | | and selecting passwords or use of unique |
| 15 | | identifier technologies, such as biometrics or |
| 16 | | token devices; |
| 17 | | (iii) control of data security passwords to |
| 18 | | ensure that such passwords are kept in a location |
| 19 | | and format that do not compromise the security of |
| 20 | | the data they protect; |
| 21 | | (iv) restricting access to only active users |
| 22 | | and active user accounts; and |
| 23 | | (v) blocking access to user identification |
| 24 | | after multiple unsuccessful attempts to gain |
| 25 | | access; or |
|
| | HB2871 | - 9 - | LRB101 08512 JRG 53589 b |
|
|
| 1 | | (B) an authentication protocol that provides a |
| 2 | | higher level of security than the features specified in |
| 3 | | subparagraph (A). |
| 4 | | (2) secure access control measures that: |
| 5 | | (A) restrict access to records and files |
| 6 | | containing personally identifiable information to |
| 7 | | those who need such information to perform their job |
| 8 | | duties; and |
| 9 | | (B) assign to each person with computer access |
| 10 | | unique identifications plus passwords, which are not |
| 11 | | vendor-supplied default passwords, that are reasonably |
| 12 | | designed to maintain the integrity of the security of |
| 13 | | the access controls or a protocol that provides a |
| 14 | | higher degree of security; |
| 15 | | (3) encryption of all transmitted records and files |
| 16 | | containing personally identifiable information that will |
| 17 | | travel across public networks and encryption of all data |
| 18 | | containing personally identifiable information to be |
| 19 | | transmitted wirelessly or a protocol that provides a higher |
| 20 | | degree of security; |
| 21 | | (4) reasonable monitoring of systems for unauthorized |
| 22 | | use of or access to personally identifiable information; |
| 23 | | (5) encryption of all personally identifiable |
| 24 | | information stored on laptops or other portable devices or |
| 25 | | a protocol that provides a higher degree of security; |
| 26 | | (6) for files containing personally identifiable |
|
| | HB2871 | - 10 - | LRB101 08512 JRG 53589 b |
|
|
| 1 | | information on a system that is connected to the Internet, |
| 2 | | reasonably up-to-date firewall protection and operating |
| 3 | | system security patches that are reasonably designed to |
| 4 | | maintain the integrity of the personally identifiable |
| 5 | | information or a protocol that provides a higher degree of |
| 6 | | security; |
| 7 | | (7) reasonably up-to-date versions of system security |
| 8 | | agent software that must include malware protection and |
| 9 | | reasonably up-to-date patches and virus definitions, or a |
| 10 | | version of such software that can still be supported with |
| 11 | | up-to-date patches and virus definitions and is set to |
| 12 | | receive the most current security updates on a regular |
| 13 | | basis or a protocol that provides a higher degree of |
| 14 | | security; and |
| 15 | | (8) education and training of employees on the proper |
| 16 | | use of the computer security system and the importance of |
| 17 | | personally identifiable information security.
|
| 18 | | Section 99. Effective date. This Act takes effect January |
| 19 | | 1, 2020.
|