AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Personal Information Protection Act.

Section 5. Definitions. In this Act:

"Data Collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

"Breach of the security of the system data" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

"Breach of the security of non-computerized data" may include, but is not limited to, unauthorized photocopying, facsimiles, or other paper-based methods of transmitting documents.

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

    (1) Social Security number.
    (2) Driver's license number or State identification card number.

    (3) Account number or credit or debit card number, if circumstances exist where the number could be used without additional identifying information, access codes, or passwords.

    (4) Account passwords or personal identification numbers or other access codes.

    (5) Any item provided in paragraphs (1) through (4) when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

Section 10. Notice of Breach.

(a) Except as provided in subsection (b) of this Section, any data collector that owns or uses personal information in any form, whether computerized, paper, or otherwise, that includes personal information concerning an Illinois resident shall notify the resident that there has been a breach of the security of the system data following discovery or notification of the breach, without regard for whether the data has been accessed by an unauthorized third party for legal or illegal purposes. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of the law enforcement agency, as provided in subsection (b) of this Section, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
(b) The notification required by this Section may be delayed if a law enforcement agency determines that the notification may impede a criminal investigation. The notification required by this Section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(c) For purposes of this Section, notice to consumers may be provided by one of the following methods:

    (1) written notice;

    (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or

    (3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) e-mail notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media.

Section 15. Waiver. Any waiver of the provisions of this Act is contrary to public policy and is void and unenforceable.

Section 20. Violation. A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.

Section 900. The Consumer Fraud and Deceptive Business Practices Act is amended by changing Section 2Z as follows:

(815 ILCS 505/2Z) (from Ch. 121 1/2, par. 262Z)
Sec. 2Z. Violations of other Acts. Any person who knowingly violates the Automotive Repair Act, the Home Repair and Remodeling Act, the Dance Studio Act, the Physical Fitness Services Act, the Hearing Instrument Consumer Protection Act, the Illinois Union Label Act, the Job Referral and Job Listing Services Consumer Protection Act, the Travel Promotion Consumer Protection Act, the Credit Services Organizations Act, the Automatic Telephone Dialers Act, the Pay-Per-Call Services Consumer Protection Act, the Telephone Solicitations Act, the Illinois Funeral or Burial Funds Act, the Cemetery Care Act, the Safe and Hygienic Bed Act, the Pre-Need Cemetery Sales Act, the High Risk Home Loan Act, subsection (a) or (b) of Section 3-10 of the Cigarette Tax Act, subsection (a) or (b) of Section 3-10 of the Cigarette Use Tax Act, the Electronic Mail Act, paragraph (6) of subsection (k) of Section 6-305 of the Illinois Vehicle Code, or the Automatic Contract Renewal Act, or the Personal Information Protection Act commits an unlawful practice within the meaning of this Act.

(Source: P.A. 92-426, eff. 1-1-02; 93-561, eff. 1-1-04; 93-950, eff. 1-1-05.)