|
|
|
|
HB4449 Enrolled |
|
LRB094 17445 LCT 52740 b |
|
|
| 1 |
| AN ACT concerning consumer fraud.
|
| 2 |
| Be it enacted by the People of the State of Illinois,
|
| 3 |
| represented in the General Assembly:
|
| 4 |
| Section 5. The Personal Information Protection Act is |
| 5 |
| amended by changing Section 10 and by adding Sections 12, 25, |
| 6 |
| and 30 as follows:
|
| 7 |
| (815 ILCS 530/10)
|
| 8 |
| Sec. 10. Notice of Breach. |
| 9 |
| (a) Any data collector that owns or licenses personal |
| 10 |
| information concerning an Illinois resident shall notify the
|
| 11 |
| resident at no charge that there has been a breach of the |
| 12 |
| security of the
system data following discovery or notification |
| 13 |
| of the breach.
The disclosure notification shall be made in the |
| 14 |
| most
expedient time possible and without unreasonable delay,
|
| 15 |
| consistent with any measures necessary to determine the
scope |
| 16 |
| of the breach and restore the reasonable integrity,
security, |
| 17 |
| and confidentiality of the data system.
|
| 18 |
| (b) Any data collector that maintains computerized data |
| 19 |
| that
includes personal information that the data collector does |
| 20 |
| not own or license shall notify the owner or licensee of the |
| 21 |
| information of any breach of the security of the data |
| 22 |
| immediately following discovery, if the personal information |
| 23 |
| was, or is reasonably believed to have been, acquired by
an |
| 24 |
| unauthorized person.
|
| 25 |
| (b-5) The notification required by subsection (a) of this |
| 26 |
| Section may be delayed if an appropriate law enforcement agency |
| 27 |
| determines that notification will interfere with a criminal |
| 28 |
| investigation and provides the data collector with a written |
| 29 |
| request for the delay. However, the data collector must notify |
| 30 |
| the Illinois resident as soon as notification will no longer |
| 31 |
| interfere with the investigation.
|
| 32 |
| (c) For purposes of this Section, notice to consumers may |
|
|
|
HB4449 Enrolled |
- 2 - |
LRB094 17445 LCT 52740 b |
|
|
| 1 |
| be provided by one of the following methods:
|
| 2 |
| (1) written notice; |
| 3 |
| (2) electronic notice, if the notice provided is
|
| 4 |
| consistent with the provisions regarding electronic
|
| 5 |
| records and signatures for notices legally required to be
|
| 6 |
| in writing as set forth in Section 7001 of Title 15 of the |
| 7 |
| United States Code;
or |
| 8 |
| (3) substitute notice, if the data collector
|
| 9 |
| demonstrates that the cost of providing notice would exceed
|
| 10 |
| $250,000 or that the affected class of subject persons to |
| 11 |
| be notified exceeds 500,000, or the data collector does not
|
| 12 |
| have sufficient contact information. Substitute notice |
| 13 |
| shall consist of all of the following: (i) email notice if |
| 14 |
| the data collector has an email address for the subject |
| 15 |
| persons; (ii) conspicuous posting of the notice on the data
|
| 16 |
| collector's web site page if the data collector maintains
|
| 17 |
| one; and (iii) notification to major statewide media. |
| 18 |
| (d) Notwithstanding subsection (c), a data collector
that |
| 19 |
| maintains its own notification procedures as part of an
|
| 20 |
| information security policy for the treatment of personal
|
| 21 |
| information and is otherwise consistent with the timing |
| 22 |
| requirements of this Act, shall be deemed in compliance
with |
| 23 |
| the notification requirements of this Section if the
data |
| 24 |
| collector notifies subject persons in accordance with its |
| 25 |
| policies in the event of a breach of the security of the system |
| 26 |
| data.
|
| 27 |
| (Source: P.A. 94-36, eff. 1-1-06.)
|
| 28 |
| (815 ILCS 530/12 new)
|
| 29 |
| Sec. 12. Notice of breach; State agency. |
| 30 |
| (a) Any State agency that collects personal information |
| 31 |
| concerning an Illinois resident shall notify the
resident at no |
| 32 |
| charge that there has been a breach of the security of the
|
| 33 |
| system data or written material following discovery or |
| 34 |
| notification of the breach.
The disclosure notification shall |
| 35 |
| be made in the most
expedient time possible and without |
|
|
|
HB4449 Enrolled |
- 3 - |
LRB094 17445 LCT 52740 b |
|
|
| 1 |
| unreasonable delay,
consistent with any measures necessary to |
| 2 |
| determine the
scope of the breach and restore the reasonable |
| 3 |
| integrity,
security, and confidentiality of the data system. |
| 4 |
| (b) For purposes of this Section, notice to residents may |
| 5 |
| be provided by one of the following methods:
|
| 6 |
| (1) written notice;
|
| 7 |
| (2) electronic notice, if the notice provided is
|
| 8 |
| consistent with the provisions regarding electronic
|
| 9 |
| records and signatures for notices legally required to be
|
| 10 |
| in writing as set forth in Section 7001 of Title 15 of the |
| 11 |
| United States Code;
or
|
| 12 |
| (3) substitute notice, if the State agency
|
| 13 |
| demonstrates that the cost of providing notice would exceed
|
| 14 |
| $250,000 or that the affected class of subject persons to |
| 15 |
| be notified exceeds 500,000, or the State agency does not
|
| 16 |
| have sufficient contact information. Substitute notice |
| 17 |
| shall consist of all of the following: (i) email notice if |
| 18 |
| the State agency has an email address for the subject |
| 19 |
| persons; (ii) conspicuous posting of the notice on the |
| 20 |
| State agency's web site page if the State agency maintains
|
| 21 |
| one; and (iii) notification to major statewide media.
|
| 22 |
| (c) Notwithstanding subsection (b), a State agency
that |
| 23 |
| maintains its own notification procedures as part of an
|
| 24 |
| information security policy for the treatment of personal
|
| 25 |
| information and is otherwise consistent with the timing |
| 26 |
| requirements of this Act shall be deemed in compliance
with the |
| 27 |
| notification requirements of this Section if the
State agency |
| 28 |
| notifies subject persons in accordance with its policies in the |
| 29 |
| event of a breach of the security of the system data or written |
| 30 |
| material.
|
| 31 |
| (d) If a State agency is required to notify more than 1,000 |
| 32 |
| persons of a breach of security pursuant to this Section, the |
| 33 |
| State agency shall also notify, without unreasonable delay, all |
| 34 |
| consumer reporting agencies that compile and maintain files on |
| 35 |
| consumers on a nationwide basis, as defined by 15 U.S.C. |
| 36 |
| Section 1681a(p), of the timing, distribution, and content of |
|
|
|
HB4449 Enrolled |
- 4 - |
LRB094 17445 LCT 52740 b |
|
|
| 1 |
| the notices. Nothing in this subsection (d) shall be construed |
| 2 |
| to require the State agency to provide to the consumer |
| 3 |
| reporting agency the names or other personal identifying |
| 4 |
| information of breach notice recipients.
|
| 5 |
| (815 ILCS 530/25 new)
|
| 6 |
| Sec. 25. Annual reporting. Any State agency that collects |
| 7 |
| personal data and has had a breach of security of the system |
| 8 |
| data or written material shall submit a report within 5 |
| 9 |
| business days of the discovery or notification of the breach to |
| 10 |
| the General Assembly listing the breaches and outlining any |
| 11 |
| corrective measures that have been taken to prevent future |
| 12 |
| breaches of the security of the system data or written |
| 13 |
| material. Any State agency that has submitted a report under |
| 14 |
| this Section shall submit an annual report listing all breaches |
| 15 |
| of security of the system data or written materials and the |
| 16 |
| corrective measures that have been taken to prevent future |
| 17 |
| breaches.
|
| 18 |
| (815 ILCS 530/30 new)
|
| 19 |
| Sec. 30. Safe disposal of information. Any State agency |
| 20 |
| that collects personal data that is no longer needed or stored |
| 21 |
| at the agency shall dispose of the personal data or written |
| 22 |
| material it has collected in such a manner as to ensure the |
| 23 |
| security and confidentiality of the material.
|
| 24 |
| Section 99. Effective date. This Act takes effect upon |
| 25 |
| becoming law.
|