| ||||||||||||||||||||||||
| ||||||||||||||||||||||||
| ||||||||||||||||||||||||
| 1 | AN ACT concerning civil actions. | |||||||||||||||||||||||
| 2 | Be it enacted by the People of the State of Illinois, | |||||||||||||||||||||||
| 3 | represented in the General Assembly: | |||||||||||||||||||||||
| 4 | Section 5. The Personal Information Protection Act is | |||||||||||||||||||||||
| 5 | amended by changing Sections 5 and 10 and by adding Section 60 | |||||||||||||||||||||||
| 6 | as follows: | |||||||||||||||||||||||
| 7 | (815 ILCS 530/5) | |||||||||||||||||||||||
| 8 | Sec. 5. Definitions. In this Act: | |||||||||||||||||||||||
| 9 | "Data collector" may include, but is not limited to, | |||||||||||||||||||||||
| 10 | government agencies, public and private universities, | |||||||||||||||||||||||
| 11 | privately and publicly held corporations, financial | |||||||||||||||||||||||
| 12 | institutions, retail operators, and any other entity that, for | |||||||||||||||||||||||
| 13 | any purpose, handles, collects, disseminates, or otherwise | |||||||||||||||||||||||
| 14 | deals with nonpublic personal information. | |||||||||||||||||||||||
| 15 | "Breach of the security of the system data" or "breach" | |||||||||||||||||||||||
| 16 | means unauthorized acquisition of computerized data that | |||||||||||||||||||||||
| 17 | compromises the security, confidentiality, or integrity of | |||||||||||||||||||||||
| 18 | personal information maintained by the data collector. "Breach | |||||||||||||||||||||||
| 19 | of the security of the system data" does not include good faith | |||||||||||||||||||||||
| 20 | acquisition of personal information by an employee or agent of | |||||||||||||||||||||||
| 21 | the data collector for a legitimate purpose of the data | |||||||||||||||||||||||
| 22 | collector, provided that the personal information is not used | |||||||||||||||||||||||
| 23 | for a purpose unrelated to the data collector's business or | |||||||||||||||||||||||
| |||||||
| |||||||
| 1 | subject to further unauthorized disclosure. | ||||||
| 2 | "Health insurance information" means an individual's | ||||||
| 3 | health insurance policy number or subscriber identification | ||||||
| 4 | number, any unique identifier used by a health insurer to | ||||||
| 5 | identify the individual, or any medical information in an | ||||||
| 6 | individual's health insurance application and claims history, | ||||||
| 7 | including any appeals records. | ||||||
| 8 | "Medical information" means any information regarding an | ||||||
| 9 | individual's medical history, mental or physical condition, or | ||||||
| 10 | medical treatment or diagnosis by a healthcare professional, | ||||||
| 11 | including such information provided to a website or mobile | ||||||
| 12 | application. | ||||||
| 13 | "Personal information" means either of the following: | ||||||
| 14 | (1) An individual's first name or first initial and | ||||||
| 15 | last name in combination with any one or more of the | ||||||
| 16 | following data elements, when either the name or the data | ||||||
| 17 | elements are not encrypted or redacted or are encrypted or | ||||||
| 18 | redacted but the keys to unencrypt or unredact or | ||||||
| 19 | otherwise read the name or data elements have been | ||||||
| 20 | acquired without authorization through the breach of | ||||||
| 21 | security: | ||||||
| 22 | (A) Social Security number. | ||||||
| 23 | (B) Driver's license number or State | ||||||
| 24 | identification card number. | ||||||
| 25 | (C) Account number or credit or debit card number, | ||||||
| 26 | or an account number or credit card number in | ||||||
| |||||||
| |||||||
| 1 | combination with any required security code, access | ||||||
| 2 | code, or password that would permit access to an | ||||||
| 3 | individual's financial account. | ||||||
| 4 | (D) Medical information. | ||||||
| 5 | (E) Health insurance information. | ||||||
| 6 | (F) Unique biometric data generated from | ||||||
| 7 | measurements or technical analysis of human body | ||||||
| 8 | characteristics used by the owner or licensee to | ||||||
| 9 | authenticate an individual, such as a fingerprint, | ||||||
| 10 | retina or iris image, or other unique physical | ||||||
| 11 | representation or digital representation of biometric | ||||||
| 12 | data. | ||||||
| 13 | (2) User name or email address, in combination with a | ||||||
| 14 | password or security question and answer that would permit | ||||||
| 15 | access to an online account, when either the user name or | ||||||
| 16 | email address or password or security question and answer | ||||||
| 17 | are not encrypted or redacted or are encrypted or redacted | ||||||
| 18 | but the keys to unencrypt or unredact or otherwise read | ||||||
| 19 | the data elements have been obtained through the breach of | ||||||
| 20 | security. | ||||||
| 21 | "Personal information" does not include publicly available | ||||||
| 22 | information that is lawfully made available to the general | ||||||
| 23 | public from federal, State, or local government records. | ||||||
| 24 | "Social media website" means an Internet website or mobile | ||||||
| 25 | application that enables users to communicate with each other | ||||||
| 26 | by posting information, comments, messages, or images, and | ||||||
| |||||||
| |||||||
| 1 | that meets the following criteria: is open to the public; has | ||||||
| 2 | more than 75,000,000 subscribers; and has never been | ||||||
| 3 | specifically affiliated with any religion or political party. | ||||||
| 4 | (Source: P.A. 99-503, eff. 1-1-17.) | ||||||
| 5 | (815 ILCS 530/10) | ||||||
| 6 | Sec. 10. Notice of breach; notice to Attorney General. | ||||||
| 7 | (a) Any data collector that owns or licenses personal | ||||||
| 8 | information concerning an Illinois resident shall notify the | ||||||
| 9 | resident at no charge that there has been a breach of the | ||||||
| 10 | security of the system data following discovery or | ||||||
| 11 | notification of the breach. The disclosure notification shall | ||||||
| 12 | be made in the most expedient time possible and without | ||||||
| 13 | unreasonable delay, consistent with any measures necessary to | ||||||
| 14 | determine the scope of the breach and restore the reasonable | ||||||
| 15 | integrity, security, and confidentiality of the data system. | ||||||
| 16 | The disclosure notification to an Illinois resident shall | ||||||
| 17 | include, but need not be limited to, information as follows: | ||||||
| 18 | (1) With respect to personal information as defined in | ||||||
| 19 | Section 5 in paragraph (1) of the definition of "personal | ||||||
| 20 | information": | ||||||
| 21 | (A) the toll-free numbers and addresses for | ||||||
| 22 | consumer reporting agencies; | ||||||
| 23 | (B) the toll-free number, address, and website | ||||||
| 24 | address for the Federal Trade Commission; and | ||||||
| 25 | (C) a statement that the individual can obtain | ||||||
| |||||||
| |||||||
| 1 | information from these sources about fraud alerts and | ||||||
| 2 | security freezes. | ||||||
| 3 | (2) With respect to personal information defined in | ||||||
| 4 | Section 5 in paragraph (2) of the definition of "personal | ||||||
| 5 | information", notice may be provided in electronic or | ||||||
| 6 | other form directing the Illinois resident whose personal | ||||||
| 7 | information has been breached to promptly change his or | ||||||
| 8 | her user name or password and security question or answer, | ||||||
| 9 | as applicable, or to take other steps appropriate to | ||||||
| 10 | protect all online accounts for which the resident uses | ||||||
| 11 | the same user name or email address and password or | ||||||
| 12 | security question and answer. | ||||||
| 13 | The notification shall not, however, include information | ||||||
| 14 | concerning the number of Illinois residents affected by the | ||||||
| 15 | breach. | ||||||
| 16 | (b) Any data collector that maintains or stores, but does | ||||||
| 17 | not own or license, computerized data that includes personal | ||||||
| 18 | information that the data collector does not own or license | ||||||
| 19 | shall notify the owner or licensee of the information of any | ||||||
| 20 | breach of the security of the data immediately following | ||||||
| 21 | discovery, if the personal information was, or is reasonably | ||||||
| 22 | believed to have been, acquired by an unauthorized person. In | ||||||
| 23 | addition to providing such notification to the owner or | ||||||
| 24 | licensee, the data collector shall cooperate with the owner or | ||||||
| 25 | licensee in matters relating to the breach. That cooperation | ||||||
| 26 | shall include, but need not be limited to, (i) informing the | ||||||
| |||||||
| |||||||
| 1 | owner or licensee of the breach, including giving notice of | ||||||
| 2 | the date or approximate date of the breach and the nature of | ||||||
| 3 | the breach, and (ii) informing the owner or licensee of any | ||||||
| 4 | steps the data collector has taken or plans to take relating to | ||||||
| 5 | the breach. The data collector's cooperation shall not, | ||||||
| 6 | however, be deemed to require either the disclosure of | ||||||
| 7 | confidential business information or trade secrets or the | ||||||
| 8 | notification of an Illinois resident who may have been | ||||||
| 9 | affected by the breach. | ||||||
| 10 | (b-5) The notification to an Illinois resident required by | ||||||
| 11 | subsection (a) of this Section may be delayed if an | ||||||
| 12 | appropriate law enforcement agency determines that | ||||||
| 13 | notification will interfere with a criminal investigation and | ||||||
| 14 | provides the data collector with a written request for the | ||||||
| 15 | delay. However, the data collector must notify the Illinois | ||||||
| 16 | resident as soon as notification will no longer interfere with | ||||||
| 17 | the investigation. | ||||||
| 18 | (c) For purposes of this Section, notice to consumers may | ||||||
| 19 | be provided by one of the following methods: | ||||||
| 20 | (1) written notice; | ||||||
| 21 | (2) electronic notice, if the notice provided is | ||||||
| 22 | consistent with the provisions regarding electronic | ||||||
| 23 | records and signatures for notices legally required to be | ||||||
| 24 | in writing as set forth in Section 7001 of Title 15 of the | ||||||
| 25 | United States Code; or | ||||||
| 26 | (3) substitute notice, if the data collector | ||||||
| |||||||
| |||||||
| 1 | demonstrates that the cost of providing notice would | ||||||
| 2 | exceed $250,000 or that the affected class of subject | ||||||
| 3 | persons to be notified exceeds 500,000, or the data | ||||||
| 4 | collector does not have sufficient contact information. | ||||||
| 5 | Substitute notice shall consist of all of the following: | ||||||
| 6 | (i) email notice if the data collector has an email | ||||||
| 7 | address for the subject persons; (ii) conspicuous posting | ||||||
| 8 | of the notice on the data collector's web site page if the | ||||||
| 9 | data collector maintains one; and (iii) notification to | ||||||
| 10 | major statewide media or, if the breach impacts residents | ||||||
| 11 | in one geographic area, to prominent local media in areas | ||||||
| 12 | where affected individuals are likely to reside if such | ||||||
| 13 | notice is reasonably calculated to give actual notice to | ||||||
| 14 | persons whom notice is required. | ||||||
| 15 | (d) Notwithstanding any other subsection in this Section, | ||||||
| 16 | a data collector that maintains its own notification | ||||||
| 17 | procedures as part of an information security policy for the | ||||||
| 18 | treatment of personal information and is otherwise consistent | ||||||
| 19 | with the timing requirements of this Act, shall be deemed in | ||||||
| 20 | compliance with the notification requirements of this Section | ||||||
| 21 | if the data collector notifies subject persons in accordance | ||||||
| 22 | with its policies in the event of a breach of the security of | ||||||
| 23 | the system data. | ||||||
| 24 | (e)(1) This subsection does not apply to data collectors | ||||||
| 25 | that are covered entities or business associates and are in | ||||||
| 26 | compliance with Section 50. | ||||||
| |||||||
| |||||||
| 1 | (2) Any data collector required to issue notice pursuant | ||||||
| 2 | to this Section to more than 500 Illinois residents as a result | ||||||
| 3 | of a single breach of the security system shall provide notice | ||||||
| 4 | to the Attorney General of the breach, including: | ||||||
| 5 | (A) A description of the nature of the breach of | ||||||
| 6 | security or unauthorized acquisition or use. | ||||||
| 7 | (B) The number of Illinois residents affected by such | ||||||
| 8 | incident at the time of notification. | ||||||
| 9 | (C) Any steps the data collector has taken or plans to | ||||||
| 10 | take relating to the incident. | ||||||
| 11 | Such notification must be made in the most expedient time | ||||||
| 12 | possible and without unreasonable delay but in no event later | ||||||
| 13 | than when the data collector provides notice to consumers | ||||||
| 14 | pursuant to this Section. If the date of the breach is unknown | ||||||
| 15 | at the time the notice is sent to the Attorney General, the | ||||||
| 16 | data collector shall send the Attorney General the date of the | ||||||
| 17 | breach as soon as possible. | ||||||
| 18 | Upon receiving notification from a data collector of a | ||||||
| 19 | breach of personal information, the Attorney General may | ||||||
| 20 | publish the name of the data collector that suffered the | ||||||
| 21 | breach, the types of personal information compromised in the | ||||||
| 22 | breach, and the date range of the breach. | ||||||
| 23 | (f) In accordance with federal law, any business that | ||||||
| 24 | operates a social media website shall, within 24 hours of | ||||||
| 25 | discovery of a breach of security to a user whose online | ||||||
| 26 | account or personal information was, or is reasonably believed | ||||||
| |||||||
| |||||||
| 1 | to have been, accessed by an unauthorized person, determine | ||||||
| 2 | the scope of the breach of security and restore the reasonable | ||||||
| 3 | integrity of, and access to, the online account to the user. | ||||||
| 4 | Any discovery of breach of security shall be documented in | ||||||
| 5 | writing by the business that operates the social media website | ||||||
| 6 | and retained for 5 years. | ||||||
| 7 | (g) Within 7 days of the discovery of the breach of | ||||||
| 8 | security to a user's account, the business that operates the | ||||||
| 9 | social media website shall provide clear and conspicuous | ||||||
| 10 | notice delivered to the user through the email and mobile | ||||||
| 11 | phone number that was associated with the online account prior | ||||||
| 12 | to the breach of security. | ||||||
| 13 | (h) The business that operates the social media website | ||||||
| 14 | shall include within the notification instructions that | ||||||
| 15 | directs the customer whose online account has been breached to | ||||||
| 16 | promptly change any password and security question or answer, | ||||||
| 17 | as applicable, and to take other appropriate steps to protect | ||||||
| 18 | and restore the integrity of the online account of the social | ||||||
| 19 | media website. | ||||||
| 20 | (i) The Department of Innovation and Technology may | ||||||
| 21 | promulgate rules and regulations necessary to effectuate this | ||||||
| 22 | subsection. | ||||||
| 23 | (Source: P.A. 100-201, eff. 8-18-17; 101-343, eff. 1-1-20.) | ||||||
| 24 | (815 ILCS 530/60 new) | ||||||
| 25 | Sec. 60. Private cause of action for violation of this Act | ||||||
| |||||||
| |||||||
| 1 | by a business operating a social media website. | ||||||
| 2 | (a) Any user of a social media website may bring an action | ||||||
| 3 | in any court of competent jurisdiction following the discovery | ||||||
| 4 | of a breach of security by the business that operates the | ||||||
| 5 | social media website, if the user: | ||||||
| 6 | (1) has not had access restored to the user's online | ||||||
| 7 | account within 24 hours of the discovery of the security | ||||||
| 8 | breach as required by this Act; | ||||||
| 9 | (2) has not been provided notice of the breach of | ||||||
| 10 | security within seven days of such discovery, as required | ||||||
| 11 | by this Act; or | ||||||
| 12 | (3) has not been provided instructions for restoring | ||||||
| 13 | the integrity of the user's online account of a social | ||||||
| 14 | media website in compliance with this Act. | ||||||
| 15 | (b) If a court of competent jurisdiction finds that a | ||||||
| 16 | social media website has violated this Section, the court may | ||||||
| 17 | award actual damages computed at a rate of $1,000 per | ||||||
| 18 | violation per day and reasonable attorney's fees and costs | ||||||
| 19 | incurred in maintaining that civil action. | ||||||
| 20 | (c) This private right of action authorized pursuant to | ||||||
| 21 | this Section does not supplant any other claim or cause of | ||||||
| 22 | action available to a customer under common law or by statute. | ||||||
| 23 | The provisions of this subsection are in addition to any other | ||||||
| 24 | common law and statutory remedies. | ||||||
| 25 | (d) Nothing in this Section may be construed as creating a | ||||||
| 26 | private right of action against the State or any political | ||||||
| |||||||
| |||||||
| 1 | subdivision. | ||||||