94TH GENERAL ASSEMBLY
State of Illinois
2005 and 2006
SB1479


 
Introduced 2/23/2005, by Sen. Ira I. Silverstein
 
SYNOPSIS AS INTRODUCED:
 		













New Act










    Creates the Identity Theft Notification Act.  Requires any data collector that owns or uses personal information in any form that includes  personal information concerning an Illinois resident, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data, without regard for whether the data has been accessed by an unauthorized third party for legal or illegal purposes.    Provides that notice may be provided in one of the following ways: (1) written notice; (2) electronic notice; or (3) substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information.  Provides a private right of action for a violation of the Act.  
















LRB094 11200 RXD 41888 b

















 


 


A BILL FOR









 











SB1479

LRB094 11200 RXD 41888 b






1
    AN ACT concerning business.

 
2
    Be it enacted by the People of the State of Illinois,
 
3
represented in the General Assembly:


 
4
    Section 1. Short title. This Act may be cited as the 
5
Identity Theft Notification Act.
 
6
    Section 5. Definitions.  In this Act: 
7
    "Breach of the security of the system" means unauthorized 
8
acquisition of computerized data that compromises the 
9
security, confidentiality, or integrity of personal 
10
information maintained by a data collector.  "Breach of the 
11
security of the system" does not include good faith acquisition 
12
of personal information by an employee or agent of the data 
13
collector, provided that the personal information is not used 
14
for a purpose unrelated to the data collector's business or 
15
subjected to further unauthorized disclosure.
16
    "Breach of the security of non-computerized data" may 
17
include, but is not limited to, unauthorized photocopying, 
18
facsimiles, or other paper-based methods of transmitting 
19
documents.  
20
    "Data collector" may include, but is not limited to, 
21
government agencies, public and private universities, 
22
privately and publicly held corporations, financial 
23
institutions, retail operators, and any other entity which, for 
24
any purpose, whether by automated collection or otherwise, 
25
handles, collects, disseminates, or otherwise deals with 
26
personal information.  
27
    "Personal information" means an individual's first name or 
28
first initial and last name in combination with any one or more 
29
of the following data elements, when either the name or the 
30
data elements are not encrypted or redacted:
31
        (1) Social security number.
32
        (2) Driver's license number or Illinois State 
 


 






SB1479
- 2 -
LRB094 11200 RXD 41888 b




1
    Identification Card number.
2
        (3) Account number, credit or debit card number, if 
3
    circumstances exist where the number could be used without 
4
    additional identifying information, access code, or 
5
    password.

6
        (4) Account passwords or personal identification 
7
    numbers or other access codes.  
8
        (5) Any item listed under paragraphs (1) through (4) 
9
    when not in connection with the individual's first name or 
10
    first initial and last name, if the information compromised 
11
    would be sufficient to perform or attempt to perform 
12
    identity theft against the person whose information was 
13
    compromised.  
14
"Personal information" does not include publicly available 
15
information that is lawfully made available to the general 
16
public from federal, State, or local government records.

 
17
    Section 10. Security breach; notification. 
18
    (a) Any data collector that owns or uses personal 
19
information in any form that includes  personal information 
20
concerning an Illinois resident, shall disclose any breach of 
21
the security of the system following discovery or notification 
22
of the breach in the security of the data, without regard for 
23
whether the data has been accessed by an unauthorized third 
24
party for legal or illegal purposes.  The disclosure 
25
notification shall be made in the most expedient time possible 
26
and without unreasonable delay, consistent with the legitimate 
27
needs of the law enforcement agency, as provided in subsection 
28
(b), or any measures necessary to determine the scope of the 
29
breach and restore the reasonable integrity of the data system.
30
    (b) Notice may be provided by one of the following methods:  
31
        (1) written notice;
32
        (2) electronic notice, if the notice provided is 
33
    consistent with the provisions regarding electronic 
34
    records and signatures set forth in Section 7001 of Title 
35
    15 of the United States Code; or 
 


 






SB1479
- 3 -
LRB094 11200 RXD 41888 b




1
        (3) substitute notice, if the person or business 
2
    demonstrates that the cost of providing notice would exceed 
3
    $250,000, or the affected class of persons to be notified 
4
    exceeds 500,000, or the person or business does not have 
5
    sufficient contact information.  Substitute notice shall 
6
    consist of all of the following: (i) email notification if 
7
    the person or business has an email address for the person 
8
    to be notified; (ii) conspicuous posting of the notice on 
9
    the web site page of the person or business, if the person 
10
    or business maintains a web site page; and (iii) 
11
    notification to major statewide media outlets.
12
    The notification required under this subsection (b) may be 
13
delayed if a law enforcement agency determines that the 
14
notification will impede a criminal investigation.  
15
Notification shall be made after the law enforcement agency 
16
determines that it will not compromise its investigation.

 
17
    Section 15. Waiver.     Any waiver of the provisions of this 
18
Act is contrary to public policy and is void and unenforceable.  
 
19
    Section 20. Penalty.   
20
    (a) Any customer injured by a violation of this Act may 
21
institute a civil action to recover damages.
22
    (b) Any individual personally affected by repeated 
23
violations may institute, in a circuit court, an action to 
24
enjoin violations of this Act.
25
    (c) The rights and remedies available under this Section 
26
are cumulative to each other and to any other rights and 
27
remedies available under law.