| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
1 | AN ACT concerning business.
| |||||||||||||||||||
2 | Be it enacted by the People of the State of Illinois,
| |||||||||||||||||||
3 | represented in the General Assembly:
| |||||||||||||||||||
4 | Section 5. The Personal Information Protection Act is | |||||||||||||||||||
5 | amended by changing Section 10 as follows: | |||||||||||||||||||
6 | (815 ILCS 530/10) | |||||||||||||||||||
7 | Sec. 10. Notice of breach; notice to Attorney General. | |||||||||||||||||||
8 | (a) Any data collector that owns or licenses personal | |||||||||||||||||||
9 | information concerning an Illinois resident shall notify the
| |||||||||||||||||||
10 | resident at no charge that there has been a breach of the | |||||||||||||||||||
11 | security of the
system data following discovery or notification | |||||||||||||||||||
12 | of the breach.
The disclosure notification shall be made in the | |||||||||||||||||||
13 | most
expedient time possible and without unreasonable delay,
| |||||||||||||||||||
14 | consistent with any measures necessary to determine the
scope | |||||||||||||||||||
15 | of the breach and restore the reasonable integrity,
security, | |||||||||||||||||||
16 | and confidentiality of the data system. The disclosure | |||||||||||||||||||
17 | notification to an Illinois resident shall include, but need | |||||||||||||||||||
18 | not be limited to, information as follows: | |||||||||||||||||||
19 | (1) With respect to personal information as defined in | |||||||||||||||||||
20 | Section 5 in paragraph (1) of the definition of "personal | |||||||||||||||||||
21 | information": | |||||||||||||||||||
22 | (A) the toll-free numbers and addresses for | |||||||||||||||||||
23 | consumer reporting agencies; |
| |||||||
| |||||||
1 | (B) the toll-free number, address, and website | ||||||
2 | address for the Federal Trade Commission; and | ||||||
3 | (C) a statement that the individual can obtain | ||||||
4 | information from these sources about fraud alerts and | ||||||
5 | security freezes. | ||||||
6 | (2) With respect to personal information defined in | ||||||
7 | Section 5 in paragraph (2) of the definition of "personal | ||||||
8 | information", notice may be provided in electronic or other | ||||||
9 | form directing the Illinois resident whose personal | ||||||
10 | information has been breached to promptly change his or her | ||||||
11 | user name or password and security question or answer, as | ||||||
12 | applicable, or to take other steps appropriate to protect | ||||||
13 | all online accounts for which the resident uses the same | ||||||
14 | user name or email address and password or security | ||||||
15 | question and answer. | ||||||
16 | The notification shall not, however, include information | ||||||
17 | concerning the number of Illinois residents affected by the | ||||||
18 | breach. | ||||||
19 | (b) Any data collector that maintains or stores, but does | ||||||
20 | not own or license, computerized data that
includes personal | ||||||
21 | information that the data collector does not own or license | ||||||
22 | shall notify the owner or licensee of the information of any | ||||||
23 | breach of the security of the data immediately following | ||||||
24 | discovery, if the personal information was, or is reasonably | ||||||
25 | believed to have been, acquired by
an unauthorized person. In | ||||||
26 | addition to providing such notification to the owner or |
| |||||||
| |||||||
1 | licensee, the data collector shall cooperate with the owner or | ||||||
2 | licensee in matters relating to the breach. That cooperation | ||||||
3 | shall include, but need not be limited to, (i) informing the | ||||||
4 | owner or licensee of the breach, including giving notice of the | ||||||
5 | date or approximate date of the breach and the nature of the | ||||||
6 | breach, and (ii) informing the owner or licensee of any steps | ||||||
7 | the data collector has taken or plans to take relating to the | ||||||
8 | breach. The data collector's cooperation shall not, however, be | ||||||
9 | deemed to require either the disclosure of confidential | ||||||
10 | business information or trade secrets or the notification of an | ||||||
11 | Illinois resident who may have been affected by the breach.
| ||||||
12 | (b-5) The notification to an Illinois resident required by | ||||||
13 | subsection (a) of this Section may be delayed if an appropriate | ||||||
14 | law enforcement agency determines that notification will | ||||||
15 | interfere with a criminal investigation and provides the data | ||||||
16 | collector with a written request for the delay. However, the | ||||||
17 | data collector must notify the Illinois resident as soon as | ||||||
18 | notification will no longer interfere with the investigation.
| ||||||
19 | (c) For purposes of this Section, notice to consumers may | ||||||
20 | be provided by one of the following methods:
| ||||||
21 | (1) written notice; | ||||||
22 | (2) electronic notice, if the notice provided is
| ||||||
23 | consistent with the provisions regarding electronic
| ||||||
24 | records and signatures for notices legally required to be
| ||||||
25 | in writing as set forth in Section 7001 of Title 15 of the | ||||||
26 | United States Code;
or |
| |||||||
| |||||||
1 | (3) substitute notice, if the data collector
| ||||||
2 | demonstrates that the cost of providing notice would exceed
| ||||||
3 | $250,000 or that the affected class of subject persons to | ||||||
4 | be notified exceeds 500,000, or the data collector does not
| ||||||
5 | have sufficient contact information. Substitute notice | ||||||
6 | shall consist of all of the following: (i) email notice if | ||||||
7 | the data collector has an email address for the subject | ||||||
8 | persons; (ii) conspicuous posting of the notice on the data
| ||||||
9 | collector's web site page if the data collector maintains
| ||||||
10 | one; and (iii) notification to major statewide media or, if | ||||||
11 | the breach impacts residents in one geographic area, to | ||||||
12 | prominent local media in areas where affected individuals | ||||||
13 | are likely to reside if such notice is reasonably | ||||||
14 | calculated to give actual notice to persons whom notice is | ||||||
15 | required. | ||||||
16 | (d) Notwithstanding any other subsection in this Section, a | ||||||
17 | data collector
that maintains its own notification procedures | ||||||
18 | as part of an
information security policy for the treatment of | ||||||
19 | personal
information and is otherwise consistent with the | ||||||
20 | timing requirements of this Act, shall be deemed in compliance
| ||||||
21 | with the notification requirements of this Section if the
data | ||||||
22 | collector notifies subject persons in accordance with its | ||||||
23 | policies in the event of a breach of the security of the system | ||||||
24 | data.
| ||||||
25 | (e)(1) This subsection does not apply to data collectors | ||||||
26 | that are covered entities or business associates and are in |
| |||||||
| |||||||
1 | compliance with Section 50. | ||||||
2 | (2) Any data collector required to issue notice pursuant to | ||||||
3 | this Section to more than 500 Illinois residents as a result of | ||||||
4 | a single breach of the security system shall provide notice to | ||||||
5 | the Attorney General of the breach, including: | ||||||
6 | (A) A description of the nature of the breach of | ||||||
7 | security or unauthorized acquisition
or use. | ||||||
8 | (B) The number of Illinois residents affected by such | ||||||
9 | incident at the time of notification. | ||||||
10 | (C) Any steps the data collector has taken or plans to | ||||||
11 | take relating to the incident. | ||||||
12 | (3) Any data collector that maintains or stores, but does | ||||||
13 | not own or license, computerized data that includes personal | ||||||
14 | information and that is required to issue notice pursuant to | ||||||
15 | this Section to the owner or licensee of the information that | ||||||
16 | there has been a breach of the security of the data shall | ||||||
17 | notify the Attorney General of the following: | ||||||
18 | (A) A description of the nature of the breach of | ||||||
19 | security or unauthorized acquisition or use. | ||||||
20 | (B) The number of Illinois residents affected by such | ||||||
21 | incident at the time of notification. | ||||||
22 | (C) Any steps the data collector has taken or plans to | ||||||
23 | take relating to the incident. | ||||||
24 | (4) Notifications required under paragraphs (2) and (3) of | ||||||
25 | this subsection Such notification must be made in the most | ||||||
26 | expedient time possible and without unreasonable delay but in |
| |||||||
| |||||||
1 | no event later than when the data collector provides notice to | ||||||
2 | consumers pursuant to this Section. If the date of the breach | ||||||
3 | is unknown at the time the notice is sent to the Attorney | ||||||
4 | General, the data collector shall send the Attorney General the | ||||||
5 | date of the breach as soon as possible. | ||||||
6 | Upon receiving notification pursuant to paragraph (2) or | ||||||
7 | (3) of this subsection from a data collector of a breach of | ||||||
8 | personal information, the Attorney General may publish the name | ||||||
9 | of the data collector that suffered the breach, the types of | ||||||
10 | personal information compromised in the breach, and the date | ||||||
11 | range of the breach. | ||||||
12 | (Source: P.A. 100-201, eff. 8-18-17; 101-343, eff. 1-1-20.)
| ||||||
13 | Section 99. Effective date. This Act takes effect upon | ||||||
14 | becoming law.
|