|
| | 101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
HB3200 Introduced , by Rep. Diane Pappas SYNOPSIS AS INTRODUCED:
|
| |
Amends the Personal Information Protection Act. Provides that if there is a breach of the security of system data, a data collector must notify the Attorney General in addition to the Illinois resident to whom the breach relates. Requires the notice to be provided no later than 5 days after the breach.
|
| |
| | A BILL FOR |
|
|
| | HB3200 | | LRB101 10070 JLS 55173 b |
|
|
| 1 | | AN ACT concerning business.
|
| 2 | | Be it enacted by the People of the State of Illinois,
|
| 3 | | represented in the General Assembly:
|
| 4 | | Section 5. The Personal Information Protection Act is |
| 5 | | amended by changing Section 10 as follows:
|
| 6 | | (815 ILCS 530/10) |
| 7 | | Sec. 10. Notice of breach. |
| 8 | | (a) Any data collector that owns or licenses personal |
| 9 | | information concerning an Illinois resident shall notify the |
| 10 | | Attorney General and the
resident at no charge that there has |
| 11 | | been a breach of the security of the
system data following |
| 12 | | discovery or notification of the breach.
The disclosure |
| 13 | | notification shall be made in the most
expedient time possible, |
| 14 | | but no later than 5 days after the breach and without |
| 15 | | unreasonable delay,
consistent with any measures necessary to |
| 16 | | determine the
scope of the breach and restore the reasonable |
| 17 | | integrity,
security, and confidentiality of the data system. |
| 18 | | The disclosure notification to an Illinois resident shall |
| 19 | | include, but need not be limited to, information as follows: |
| 20 | | (1) With respect to personal information as defined in |
| 21 | | Section 5 in paragraph (1) of the definition of "personal |
| 22 | | information": |
| 23 | | (A) the toll-free numbers and addresses for |
|
| | HB3200 | - 2 - | LRB101 10070 JLS 55173 b |
|
|
| 1 | | consumer reporting agencies; |
| 2 | | (B) the toll-free number, address, and website |
| 3 | | address for the Federal Trade Commission; and |
| 4 | | (C) a statement that the individual can obtain |
| 5 | | information from these sources about fraud alerts and |
| 6 | | security freezes. |
| 7 | | (2) With respect to personal information defined in |
| 8 | | Section 5 in paragraph (2) of the definition of "personal |
| 9 | | information", notice may be provided in electronic or other |
| 10 | | form directing the Illinois resident whose personal |
| 11 | | information has been breached to promptly change his or her |
| 12 | | user name or password and security question or answer, as |
| 13 | | applicable, or to take other steps appropriate to protect |
| 14 | | all online accounts for which the resident uses the same |
| 15 | | user name or email address and password or security |
| 16 | | question and answer. |
| 17 | | The notification shall not, however, include information |
| 18 | | concerning the number of Illinois residents affected by the |
| 19 | | breach. |
| 20 | | (b) Any data collector that maintains or stores, but does |
| 21 | | not own or license, computerized data that
includes personal |
| 22 | | information that the data collector does not own or license |
| 23 | | shall notify the Attorney General and the owner or licensee of |
| 24 | | the information of any breach of the security of the data |
| 25 | | immediately following discovery, if the personal information |
| 26 | | was, or is reasonably believed to have been, acquired by
an |
|
| | HB3200 | - 3 - | LRB101 10070 JLS 55173 b |
|
|
| 1 | | unauthorized person. In addition to providing such |
| 2 | | notification to the owner or licensee, the data collector shall |
| 3 | | cooperate with the owner or licensee in matters relating to the |
| 4 | | breach. That cooperation shall include, but need not be limited |
| 5 | | to, (i) informing the owner or licensee of the breach, |
| 6 | | including giving notice of the date or approximate date of the |
| 7 | | breach and the nature of the breach, and (ii) informing the |
| 8 | | owner or licensee of any steps the data collector has taken or |
| 9 | | plans to take relating to the breach. The data collector's |
| 10 | | cooperation shall not, however, be deemed to require either the |
| 11 | | disclosure of confidential business information or trade |
| 12 | | secrets or the notification of an Illinois resident who may |
| 13 | | have been affected by the breach.
|
| 14 | | (b-5) The notification to an Illinois resident required by |
| 15 | | subsection (a) of this Section may be delayed if an appropriate |
| 16 | | law enforcement agency determines that notification will |
| 17 | | interfere with a criminal investigation and provides the data |
| 18 | | collector with a written request for the delay. However, the |
| 19 | | data collector must notify the Illinois resident as soon as |
| 20 | | notification will no longer interfere with the investigation.
|
| 21 | | (c) For purposes of this Section, notice to consumers may |
| 22 | | be provided by one of the following methods:
|
| 23 | | (1) written notice; |
| 24 | | (2) electronic notice, if the notice provided is
|
| 25 | | consistent with the provisions regarding electronic
|
| 26 | | records and signatures for notices legally required to be
|
|
| | HB3200 | - 4 - | LRB101 10070 JLS 55173 b |
|
|
| 1 | | in writing as set forth in Section 7001 of Title 15 of the |
| 2 | | United States Code;
or |
| 3 | | (3) substitute notice, if the data collector
|
| 4 | | demonstrates that the cost of providing notice would exceed
|
| 5 | | $250,000 or that the affected class of subject persons to |
| 6 | | be notified exceeds 500,000, or the data collector does not
|
| 7 | | have sufficient contact information. Substitute notice |
| 8 | | shall consist of all of the following: (i) email notice if |
| 9 | | the data collector has an email address for the subject |
| 10 | | persons; (ii) conspicuous posting of the notice on the data
|
| 11 | | collector's web site page if the data collector maintains
|
| 12 | | one; and (iii) notification to major statewide media or, if |
| 13 | | the breach impacts residents in one geographic area, to |
| 14 | | prominent local media in areas where affected individuals |
| 15 | | are likely to reside if such notice is reasonably |
| 16 | | calculated to give actual notice to persons whom notice is |
| 17 | | required. |
| 18 | | (d) Notwithstanding any other subsection in this Section, a |
| 19 | | data collector
that maintains its own notification procedures |
| 20 | | as part of an
information security policy for the treatment of |
| 21 | | personal
information and is otherwise consistent with the |
| 22 | | timing requirements of this Act, shall be deemed in compliance
|
| 23 | | with the notification requirements of this Section if the
data |
| 24 | | collector notifies subject persons in accordance with its |
| 25 | | policies in the event of a breach of the security of the system |
| 26 | | data.
|