102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022
HB3412
 
Introduced 2/22/2021, by Rep. Janet Yang Rohr
 
SYNOPSIS AS INTRODUCED:
 

 
815 ILCS 530/10

     Amends the Personal Information Protection Act. Provides that if there is a breach of the security of system data, a data collector must notify the Attorney General in addition to the Illinois resident to whom the breach relates. Requires the notice to be provided no later than 5 days after the breach.
  


LRB102 12757 JLS 18096 b

 
 
A BILL FOR
 

  
HB3412LRB102 12757 JLS 18096 b


  
1    AN ACT concerning business.
  
 
2    Be it enacted by the People of the State of Illinois,
 
3represented in the General Assembly:
  
 
 
4    Section 5. The Personal Information Protection Act is 
5amended  by changing Section 10 as follows:
 
6    (815 ILCS 530/10)
7    Sec. 10. Notice of breach; notice to Attorney General.   
8    (a) Any data collector that owns or licenses personal 
9information concerning an Illinois resident shall notify the 
10Attorney General and the
resident at no charge that there has 
11been a breach of the security of the
system data following 
12discovery or notification of the breach.
The disclosure 
13notification shall be made in the most
expedient time 
14possible, but no later than 5 days after the breach and without 
15unreasonable delay,
consistent with any measures necessary to 
16determine the
scope of the breach and restore the reasonable 
17integrity,
security, and confidentiality of the data system. 
18The disclosure notification to an Illinois resident shall 
19include, but need not be limited to, information as follows: 
20        (1) With respect to personal information as defined in 
21    Section 5 in paragraph (1) of the definition of "personal 
22    information":
23            (A) the toll-free numbers and addresses for 
 
 
HB3412- 2 -LRB102 12757 JLS 18096 b

1        consumer reporting agencies;
2            (B) the toll-free number, address, and website 
3        address for the Federal Trade Commission; and
4            (C) a statement that the individual can obtain 
5        information from these sources about fraud alerts and 
6        security freezes.
7        (2) With respect to personal information defined in 
8    Section 5 in paragraph (2) of the definition of "personal 
9    information", notice may be provided in electronic or 
10    other form directing the Illinois resident whose personal 
11    information has been breached to promptly change his or 
12    her user name or password and security question or answer, 
13    as applicable, or to take other steps appropriate to 
14    protect all online accounts for which the resident uses 
15    the same user name or email address and password or 
16    security question and answer. 
17    The notification shall not, however, include information 
18concerning the number of Illinois residents affected by the 
19breach.
20    (b) Any data collector that maintains or stores, but does 
21not own or license, computerized data that
includes personal 
22information that the data collector does not own or license 
23shall notify the Attorney General and the owner or licensee of 
24the information of any breach of the security of the data 
25immediately following discovery, if the personal information 
26was, or is reasonably believed to have been, acquired by
an 
 
 
HB3412- 3 -LRB102 12757 JLS 18096 b

1unauthorized person. In addition to providing such 
2notification to the owner or licensee, the data collector 
3shall cooperate with the owner or licensee in matters relating 
4to the breach. That cooperation shall include, but need not be 
5limited to, (i) informing the owner or licensee of the breach, 
6including giving notice of the date or approximate date of the 
7breach and the nature of the breach, and (ii) informing the 
8owner or licensee of any steps the data collector has taken or 
9plans to take relating to the breach. The data collector's 
10cooperation shall not, however, be deemed to require either 
11the disclosure of confidential business information or trade 
12secrets or the notification of an Illinois resident who may 
13have been affected by the breach.

14    (b-5) The notification to an Illinois resident required by 
15subsection (a) of this Section may be delayed if an 
16appropriate law enforcement agency determines that 
17notification will interfere with a criminal investigation and 
18provides the data collector with a written request for the 
19delay. However, the data collector must notify the Illinois 
20resident as soon as notification will no longer interfere with 
21the investigation.

22    (c) For purposes of this Section, notice to consumers may  
23be provided by one of the following methods:

24        (1) written notice; 
25        (2) electronic notice, if the notice provided is
      
26    consistent with the provisions regarding electronic

 
 
HB3412- 4 -LRB102 12757 JLS 18096 b

1    records and signatures for notices legally required to be
      
2    in writing as set forth in Section 7001 of Title 15 of the      
3    United States Code;
or 
4        (3) substitute notice, if the data collector
      
5    demonstrates that the cost of providing notice would 
6    exceed
$250,000 or that the affected class of subject 
7    persons to      be notified exceeds 500,000, or the data 
8    collector does not
have sufficient contact information. 
9    Substitute notice      shall consist of all of the following: 
10    (i) email notice if      the data collector has an email 
11    address for the subject      persons; (ii) conspicuous posting 
12    of the notice on the data
      collector's web site page if the 
13    data collector maintains
     one; and (iii) notification to 
14    major statewide media or, if the breach impacts residents 
15    in one geographic area, to prominent local media in areas 
16    where affected individuals are likely to reside if such 
17    notice is reasonably calculated to give actual notice to 
18    persons whom notice is required.  
19    (d) Notwithstanding any other subsection in this Section, 
20a data collector
that maintains its own notification 
21procedures as part of an
information security policy for the 
22treatment of personal
information and is otherwise consistent 
23with the timing requirements of this Act, shall be deemed in 
24compliance
with the notification requirements of this Section 
25if the
data collector notifies subject persons in accordance 
26with its policies in the event of a breach of the security of 
 
 
HB3412- 5 -LRB102 12757 JLS 18096 b

1the system data.


2    (e)(1) This subsection does not apply to data collectors 
3that are covered entities or business associates and are in 
4compliance with Section 50.
5    (2) Any data collector required to issue notice pursuant 
6to this Section to more than 500 Illinois residents as a result 
7of a single breach of the security system shall provide notice 
8to the Attorney General  of the breach, including:
9        (A) A description of the nature of the breach of 
10    security or unauthorized acquisition
or use.
11        (B) The number of Illinois residents affected by such 
12    incident at the time of notification.
13        (C) Any steps the data collector has taken or plans to 
14    take relating to the incident.
15    Such notification must be made in the most expedient time 
16possible and without unreasonable delay but in no event later 
17than when the data collector provides notice to consumers 
18pursuant to this Section.  If the date of the breach is unknown 
19at the time the notice is sent to the Attorney General, the 
20data collector shall send the Attorney General the date of the 
21breach as soon as possible.
22    Upon receiving notification from a data collector of a 
23breach of personal information, the Attorney General may 
24publish the name of the data collector that suffered the 
25breach, the types of personal information compromised in the 
26breach, and the date range of the breach.
 
 
HB3412- 6 -LRB102 12757 JLS 18096 b

1(Source: P.A. 100-201, eff. 8-18-17; 101-343, eff. 1-1-20.)