AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Personal Information Protection Act.

Section 5. Definitions. In this Act:

"Data Collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

"Breach of the security of the system data" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(1) Social Security number.

(2) Driver's license number or State identification card number.

(3) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

Section 10. Notice of Breach.

(a) Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

(b) Any data collector that maintains computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) For purposes of this Section, notice to consumers may be provided by one of the following methods:

(1) written notice;

(2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or

(3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media.

(d) Notwithstanding subsection (c), a data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed in compliance with the notification requirements of this Section if the data collector notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.

Section 15. Waiver. Any waiver of the provisions of this Act is contrary to public policy and is void and unenforceable.

Section 20. Violation. A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.

Section 900. The Consumer Fraud and Deceptive Business Practices Act is amended by changing Section 2Z as follows:

(815 ILCS 505/2Z) (from Ch. 121 1/2, par. 262Z)

Sec. 2Z. Violations of other Acts. Any person who knowingly violates the Automotive Repair Act, the Home Repair and Remodeling Act, the Dance Studio Act, the Physical Fitness Services Act, the Hearing Instrument Consumer Protection Act, the Illinois Union Label Act, the Job Referral and Job Listing Services Consumer Protection Act, the Travel Promotion Consumer Protection Act, the Credit Services Organizations Act, the Automatic Telephone Dialers Act, the Pay-Per-Call Services Consumer Protection Act, the Telephone Solicitations Act, the Illinois Funeral or Burial Funds Act, the Cemetery Care Act, the Safe and Hygienic Bed Act, the Pre-Need Cemetery Sales Act, the High Risk Home Loan Act, subsection (a) or (b) of Section 3-10 of the Cigarette Tax Act, subsection (a) or (b) of Section 3-10 of the Cigarette Use Tax Act, the Electronic Mail Act, paragraph (6) of subsection (k) of Section 6-305 of the Illinois Vehicle Code, the Automatic Contract Renewal Act, or the Personal Information Protection Act commits an unlawful practice within the meaning of this Act.

(Source: P.A. 92-426, eff. 1-1-02; 93-561, eff. 1-1-04; 93-950, eff. 1-1-05.)