94TH GENERAL ASSEMBLY
State of Illinois
2005 and 2006
SB1798


 
Introduced 2/25/2005, by Sen. Peter J. Roskam
 
SYNOPSIS AS INTRODUCED:
 		













New Act










    Creates the Personal Information Protection Act.  Requires any person, business, or State agency conducting business in the State, and that owns or licenses computerized data that includes vulnerable personal information, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any person whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person.  Requires any person, business, or State agency that maintains computerized data that includes vulnerable personal information that the person, business, or State agency does not own, to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the vulnerable personal information was, or is reasonably believed to have been acquired by an unauthorized person.  Provides that notice may be provided to a customer in one of the following ways: (1) written notice; or (2) substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information.
















LRB094 11157 RXD 41798 b

















 


 


A BILL FOR









 











SB1798

LRB094 11157 RXD 41798 b






1
    AN ACT concerning business.

 
2
    Be it enacted by the People of the State of Illinois,
 
3
represented in the General Assembly:


 
4
    Section 1. Short title. This Act may be cited as the 
5
Personal Information Protection Act.
 
6
    Section 5. Definitions. In this Act:
7
    "Breach of the security of the system" means unauthorized 
8
acquisition of computerized data that comprises the security, 
9
confidentiality, or integrity of personal information 
10
maintained by a person, business, or State agency.  "Breach of 
11
the security of the system" does not include good faith 
12
acquisition of personal information by an employee or agent of 
13
the person, business, or State agency, provided that the 
14
personal information is not used or subject to further 
15
unauthorized disclosure.
16
    "Personal information" shall mean any information 
17
concerning a natural person which, because of name, number, 
18
personal mark, or other identifier can be used to identify the 
19
natural person.
20
    "Vulnerable personal information" means personal 
21
information consisting of any information in combination with 
22
any one or more of the following data elements, when either the 
23
personal information or the data element is not encrypted:
24
        (1) Social security number.
25
        (2) Driver's license number. 
26
        (3) Account number, credit or debit card number, in 
27
    combination with any required security code, access code, 
28
    or password that would permit access to an individual's 
29
    financial account.
30
"Vulnerable personal information" does not include publicly 
31
available information that is lawfully made available to the 
32
general public from federal, State, or local government 
 


 






SB1798
- 2 -
LRB094 11157 RXD 41798 b




1
records.  
 
2
    Section 10. Security breach. 
3
    (a) Any person, business, or State agency that conducts 
4
business in the State and owns or licenses computerized data 
5
that includes vulnerable personal information shall disclose 
6
any breach of the security of the system following discovery or 
7
notification of the breach in the security of the data to any 
8
resident of the State whose unencrypted personal information 
9
was, or is reasonably believed to have been acquired by an 
10
unauthorized person.  Disclosure shall be made in the most 
11
expedient time possible and without unreasonable delay, 
12
consistent with the legitimate needs of the law enforcement 
13
agency, as provided in subsection (b), or any measures 
14
necessary to determine the scope of the breach and restore the 
15
reasonable integrity of the data system. 
16
    (b) Any person, business, or State agency that maintains 
17
computerized data that includes vulnerable personal 
18
information that the person, business, or State agency does not 
19
own, shall notify the owner or licensee of the information of 
20
any breach of the security of the data immediately following 
21
discovery, if the vulnerable personal information was, or is 
22
reasonably believed to have been acquired by an unauthorized 
23
person.  
24
        (1) Notice may be provided by one of the following 
25
    methods:
26
            (A) written notice; or 
27
            (B) substitute notice, if a person, business, or 
28
        State agency demonstrates that the cost of the 
29
        providing notice would exceed $250,000, or the 
30
        affected class of persons to be notified exceeds 
31
        500,000, or the person, business, or State agency  does 
32
        not have sufficient contact information.  Substitute 
33
        notice shall consist of all of the following: (i) email 
34
        notification if the person, business, or  State agency 
35
        has an email address for the person to be notified; 
 


 






SB1798
- 3 -
LRB094 11157 RXD 41798 b




1
        (ii) conspicuous posting of the notice on a web  site if 
2
        the person, business, or State agency maintains a web 
3
        site page; and (iii) notification to major statewide 
4
        media outlets. 
5
        (2) The notification required under this subsection 
6
    (b) may be delayed if a law enforcement agency determines 
7
    that the notification will impede a criminal 
8
    investigation.  Notification shall be made after the law 
9
    enforcement agency determines that it will not compromise 
10
    its investigation.  
 
11
    Section 15. Violation; person or business. 
12
    (a) Any person or business found to have violated this Act, 
13
knowingly or recklessly, shall be liable to the aggrieved user 
14
for all actual damages sustained by the user as a direct result 
15
of the violation, provided that any subscriber that prevails or 
16
substantially prevails in any action brought under this 
17
subsection (a) shall receive not less than $500,000 in damages, 
18
regardless of the amount of actual damage proved, plus costs, 
19
disbursements, and reasonable attorney's fees.  An action 
20
brought under this subsection (a) may be maintained as a class 
21
action.  
22
    (b)  Civil penalties under this Act are recoverable in an 
23
action brought by the Attorney General on behalf of the State 
24
in the circuit court.  A circuit court may issue an injunction 
25
to restrain any person or business  from violating or continuing 
26
to violate any provision of this Act.   
27
    (c) If the court determines that a grossly negligent 
28
violation of this Act has occurred, the court may impose a 
29
civil penalty of not more than $1,000 for the violation.  
30
    (d) The rights and remedies available under this Section 
31
are cumulative to each other and to any other rights and 
32
remedies available under law.