94TH GENERAL ASSEMBLY
State of Illinois
2005 and 2006
HB3743


 
Introduced 2/24/2005, by Rep. Rosemary Mulligan
 
SYNOPSIS AS INTRODUCED:
 		













New Act











    Creates the Security Breach Notification Act.  Requires any person or business conducting business in the State, and that owns or licenses computerized data that includes personal information, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any person whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person.  Requires any person or business that maintains computerized data that includes personal information that the person or business does not own, to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery of such breach, if the personal information was, or is reasonably believed to have been acquired by an unauthorized person.  Provides that notice may be provided to a customer in one of the following ways: (1) written notice; (2) electronic notice; or (3) substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information.  Provides a private right of action for a violation of the Act.
















LRB094 11457 RXD 42382 b

















 


 


A BILL FOR









 











HB3743

LRB094 11457 RXD 42382 b






1
    AN ACT concerning security.

 
2
    Be it enacted by the People of the State of Illinois,
 
3
represented in the General Assembly:


 
4
    Section 1. Short title. This Act may be cited as the 
5
Security Breach Notification Act.
 
6
    Section 5. Definitions.  In this Act: 
7
    "Breach of the security of the system" means unauthorized 
8
acquisition of computerized data that compromises the 
9
security, confidentiality, or integrity of personal 
10
information maintained by a person or business.  "Breach of the 
11
security of the system" does not include good faith acquisition 
12
of personal information by an employee or agent of the person 
13
or business, provided that the personal information is not used 
14
or subject to further unauthorized disclosure.
15
    "Personal information" means an individual's first name or 
16
first initial and last name in combination with any one or more 
17
of the following data elements, when either the name or the 
18
data elements are not encrypted:
19
        (1) Social security number.
20
        (2) Driver's license number or Illinois State 
21
    Identification Card number.
22
        (3) Account number, credit or debit card number, in 
23
    combination with any
required security code, access code, 
24
    or password that would permit access to an individual's 
25
    financial account.

26
"Personal information" does not include publicly available 
27
information that is lawfully made available to the general 
28
public from federal, State, or local government records.

 
29
    Section 10. Security breach; notification. 
30
    (a) Any person or business that conducts business in the 
31
State, and that owns or licenses computerized data that 
 


 






HB3743
- 2 -
LRB094 11457 RXD 42382 b




1
includes personal information, shall disclose any breach of the 
2
security of the system following discovery or notification of 
3
the breach in the security of the data to any person whose 
4
unencrypted personal information was, or is reasonably 
5
believed to have been acquired by an unauthorized person.  
6
Disclosure shall be made in the most expedient time possible 
7
and without unreasonable delay, consistent with the legitimate 
8
needs of the law enforcement agency, as provided in subsection 
9
(b), or any measures necessary to determine the scope of the 
10
breach and restore the reasonable integrity of the data system.
11
    (b) Any person or business that maintains computerized data 
12
that includes personal information that the person or business 
13
does not own, shall notify the owner or licensee of the 
14
information of any breach of the security of the data 
15
immediately following discovery, if the personal information 
16
was, or is reasonably believed to have been acquired by an 
17
unauthorized person.
18
        (1) Notice may be provided by one of the following 
19
    methods:
20
            (A) written notice;
21
            (B) electronic notice, if the notice provided is 
22
        consistent with the provisions regarding electronic 
23
        records and signatures set forth in Section 7001 of 
24
        Title 15 of the United States Code; or
25
            (C)   substitute notice, if the person or business 
26
        demonstrates that the cost of providing notice would 
27
        exceed $250,000, or the affected class of persons to be 
28
        notified exceeds 500,000, or the person or business 
29
        does not have sufficient contact information.  
30
        Substitute notice shall consist of all of the 
31
        following: (i) email notification if the person or 
32
        business has an email address for the person to be 
33
        notified; (ii) conspicuous posting of the notice on the 
34
        web site page of the person or business, if the person 
35
        or business maintains a web site page; and (iii) 
36
        notification to major statewide media outlets.
 


 






HB3743
- 3 -
LRB094 11457 RXD 42382 b




1
        (2) The notification required by this subsection (b) 
2
    may be delayed if a law enforcement agency determines that 
3
    the notification will impede a criminal investigation.  
4
    Notification shall be made after the law enforcement agency 
5
    determines that it will not compromise its investigation.

 
6
    Section 15. Notification; compliance.  Notwithstanding 
7
subsection (b) of Section 10, a person or business that 
8
maintains its own notification procedures as part of an 
9
information security policy for the treatment of personal 
10
information and is otherwise consistent with the timing 
11
requirements of this Act, shall be deemed to be in compliance 
12
with the notification requirements provided under Section 10 of 
13
this Act if the person or business notifies persons in 
14
accordance with its policies in the event of a breach of 
15
security of the system. 
 
16
    Section 20. Waiver.     Any waiver of the provisions of this 
17
Act is contrary to public policy and is void and unenforceable.  
 
18
    Section 25. Penalty.   
19
    (a) Any customer injured by a violation of this Act may 
20
institute a civil action to recover damages.
21
    (b) Any individual personally affected by repeated 
22
violations may institute, in a circuit court, an action to 
23
enjoin violations of this Act.
24
    (c) The rights and remedies available under this Section 
25
are cumulative to each other and to any other rights and 
26
remedies available under law.