Sen. Ira I. Silverstein
Filed: 3/3/2005

09400SB1479sam001
LRB094 11200 RXD 42618 a

AMENDMENT TO SENATE BILL 1479

AMENDMENT NO. ______. Amend Senate Bill 1479 by replacing everything after the enacting clause with the following:

"Section 1. Short title. This Act may be cited as the Personal Information Protection Act.

Section 5. Definitions. In this Act:

"Data Collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

"Breach of the security of the system data" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

"Breach of the security of non-computerized data" may include, but is not limited to, unauthorized photocopying, facsimiles, or other paper-based methods of transmitting documents.

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(1) Social Security number.
(2) Driver's license number or State identification card number.
(3) Account number or credit or debit card number, if circumstances exist where the number could be used without additional identifying information, access codes, or passwords.
(4) Account passwords or personal identification numbers or other access codes.
(5) Any item provided in paragraphs (1) through (4) when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

Section 10. Notice of Breach.

(a) Except as provided in subsection (b) of this Section, any data collector that owns or uses personal information in any form, whether computerized, paper, or otherwise, that includes personal information concerning an Illinois resident shall notify the resident that there has been a breach of the security of the system data following discovery or notification of the breach, without regard for whether the data has been accessed by an unauthorized third party for legal or illegal purposes. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of the law enforcement agency, as provided in subsection (b) of this Section, or with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

(b) The notification required by this Section may be delayed if a law enforcement agency determines that the notification may impede a criminal investigation. The notification required by this Section shall be made after the law enforcement agency determines that it will not compromise the investigation.

(c) For purposes of this Section, notice to consumers may be provided by one of the following methods:

(1) written notice;
(2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
(3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) e-mail notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media.

Section 15. Waiver. Any waiver of the provisions of this Act is contrary to public policy and is void and unenforceable.

Section 20. Violation. A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.

Section 900. The Consumer Fraud and Deceptive Business Practices Act is amended by changing Section 2Z as follows:

(815 ILCS 505/2Z) (from Ch. 121 1/2, par. 262Z)

Sec. 2Z. Violations of other Acts. Any person who knowingly violates the Automotive Repair Act, the Home Repair and Remodeling Act, the Dance Studio Act, the Physical Fitness Services Act, the Hearing Instrument Consumer Protection Act, the Illinois Union Label Act, the Job Referral and Job Listing Services Consumer Protection Act, the Travel Promotion Consumer Protection Act, the Credit Services Organizations Act, the Automatic Telephone Dialers Act, the Pay-Per-Call Services Consumer Protection Act, the Telephone Solicitations Act, the Illinois Funeral or Burial Funds Act, the Cemetery Care Act, the Safe and Hygienic Bed Act, the Pre-Need Cemetery Sales Act, the High Risk Home Loan Act, subsection (a) or (b) of Section 3-10 of the Cigarette Tax Act, subsection (a) or (b) of Section 3-10 of the Cigarette Use Tax Act, the Electronic Mail Act, paragraph (6) of subsection (k) of Section 6-305 of the Illinois Vehicle Code, or the Automatic Contract Renewal Act, or the Personal Information Protection Act commits an unlawful practice within the meaning of this Act.

(Source: P.A. 92-426, eff. 1-1-02; 93-561, eff. 1-1-04; 93-950, eff. 1-1-05.)".