95TH GENERAL ASSEMBLY
State of Illinois
2007 and 2008 HB3725
Introduced 2/28/2007, by Rep. Linda Chapa LaVia

SYNOPSIS AS INTRODUCED:

Creates the Illinois Financial Information Privacy Act. Allows a consumer to direct a financial institution to not share the nonpublic personal information with affiliated companies or with nonaffiliated financial companies with which the financial institution has contracted to provide financial products and services. Does not restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries or in certain other cases if both entities are regulated by the same functional regulator and are engaged in the same line of business, among other requirements. Requires the permission of the consumer before the financial institution may share the nonpublic personal information with other nonaffiliated companies. Provides that a financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or service because the consumer has not provided the necessary consent that would authorize the financial institution to disclose or share nonpublic personal information. Requires a financial institution to comply with the consumer's request regarding nonpublic personal information within 45 days of receipt of the request.

FISCAL NOTE ACT MAY APPLY

A BILL FOR

HB3725
LRB095 07553 MJR 27703 b

AN ACT concerning regulation.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Illinois Financial Information Privacy Act.

Section 5. Legislative purpose.

(a) The General Assembly intends for financial institutions to provide their consumers notice and meaningful choice about how consumers' nonpublic personal information is shared or sold by their financial institutions.

(b) It is the intent of the General Assembly in enacting the Illinois Financial Information Privacy Act to afford persons greater privacy protections than those provided in Public Law 106-102, the federal Gramm-Leach-Bliley Act, and that this Act be interpreted to be consistent with that purpose.

Section 10. Definitions. For the purposes of this Act:

(a) "Nonpublic personal information" means personally identifiable financial information (1) provided by a consumer to a financial institution, (2) resulting from any transaction with the consumer or any service performed for the consumer, or (3) otherwise obtained by the financial institution. Nonpublic personal information does not include publicly available information that the financial institution has a reasonable basis to believe is lawfully made available to the general public from (1) federal, state, or local government records, (2) widely distributed media, or (3) disclosures to the general public that are required to be made by federal, state, or local law. Nonpublic personal information shall include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived using any nonpublic personal information other than publicly available information, but shall not include any list, description, or other grouping of consumers, and publicly available information pertaining to them, that is derived without using any nonpublic personal information.

(b) "Personally identifiable financial information" means information (1) that a consumer provides to a financial institution to obtain a product or service from the financial institution, (2) about a consumer resulting from any transaction involving a product or service between the financial institution and a consumer, or (3) that the financial institution otherwise obtains about a consumer in connection with providing a product or service to that consumer. Any personally identifiable information is financial if it was obtained by a financial institution in connection with providing a financial product or service to a consumer. Personally identifiable financial information includes all of the following:

(1) Information a consumer provides to a financial institution on an application to obtain a loan, credit card, or other financial product or service.

(2) Account balance information, payment history, overdraft history, and credit or debit card purchase information.

(3) The fact that an individual is or has been a consumer of a financial institution or has obtained a financial product or service from a financial institution.

(4) Any information about a financial institution's consumer if it is disclosed in a manner that indicates that the individual is or has been the financial institution's consumer.

(5) Any information that a consumer provides to a financial institution or that a financial institution or its agent otherwise obtains in connection with collecting on a loan or servicing a loan.

(6) Any personally identifiable financial information collected through an Internet cookie or an information collecting device from a Web server.

(7) Information from a consumer report.

(c) "Financial institution" means any institution the business of which is engaging in financial activities as described in Section 1843(k) of Title 12 of the United States Code and doing business in this State. An institution that is not significantly engaged in financial activities is not a financial institution. The term "financial institution" does not include any institution that is primarily engaged in providing hardware, software, or interactive services, provided that it does not act as a debt collector, as defined in 15 U.S.C. Sec. 1692a, or engage in activities for which the institution is required to acquire a charter, license, or registration from a state or federal governmental banking, insurance, or securities agency. The term "financial institution" does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. Sec. 2001 et seq.), provided that the entity does not sell or transfer nonpublic personal information to an affiliate or a nonaffiliated third party. The term "financial institution" does not include any provider of professional services, or any wholly owned affiliate thereof, that is prohibited by rules of professional ethics and applicable law from voluntarily disclosing confidential client information without the consent of the client. The term "financial institution" does not include institutions chartered by Congress specifically to engage in a proposed or actual securitization, secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer, as long as those institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party. Nothing in this Act applies to the Motor Vehicle Retail Installment Sales Act, the Motor Vehicle Leasing Act, or the Retail Installment Sales Act.

(d) "Affiliate" means any entity that controls, is controlled by, or is under common control with, another entity, but does not include a joint employee of the entity and the affiliate. A franchisor, including any affiliate thereof, shall be deemed an affiliate of the franchisee for purposes of this Act.

(e) "Nonaffiliated third party" means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of that institution and a third party.

(f) "Consumer" means an individual resident of this State, or that individual's legal representative, who obtains or has obtained from a financial institution a financial product or service to be used primarily for personal, family, or household purposes. For purposes of this Act, an individual resident of this State is someone whose last known mailing address, other than an Armed Forces Post Office or Fleet Post Office address, as shown in the records of the financial institution, is located in this State. For purposes of this Act, an individual is not a consumer of a financial institution solely because he or she is (1) a participant or beneficiary of an employee benefit plan that a financial institution administers or sponsors, or for which the financial institution acts as a trustee, insurer, or fiduciary, (2) covered under a group or blanket insurance policy or group annuity contract issued by the financial institution, (3) a beneficiary in a workers' compensation plan, (4) a beneficiary of a trust for which the financial institution is a trustee, or (5) a person who has designated the financial institution as trustee for a trust, provided that the financial institution provides all required notices and rights required by this Act to the plan sponsor, group or blanket insurance policyholder, or group annuity contract holder.

(g) "Control" means (1) ownership or power to vote 25 percent or more of the outstanding shares of any class of voting security of a company, acting through one or more persons, (2) control in any manner over the election of a majority of the directors, or of individuals exercising similar functions, or (3) the power to exercise, directly or indirectly, a controlling influence over the management or policies of a company. However, for purposes of the application of the definition of control as it relates to credit unions, a credit union has a controlling influence over the management or policies of a credit union service organization (CUSO), as that term is defined by state or federal law or regulation, if the CUSO is at least 67 percent owned by credit unions. For purposes of the application of the definition of control to a financial institution subject to regulation by the United States Securities and Exchange Commission, a person who owns beneficially, either directly or through one or more controlled companies, more than 25 percent of the voting securities of a company is presumed to control the company, and a person who does not own more than 25 percent of the voting securities of a company is presumed not to control the company, and a presumption regarding control may be rebutted by evidence, but in the case of an investment company, the presumption shall continue until the United States Securities and Exchange Commission makes a decision to the contrary according to the procedures described in Section 2(a)(9) of the federal Investment Company Act of 1940.

(h) "Necessary to effect, administer, or enforce" means the following:

(1) The disclosure is required, or is a usual, appropriate, or acceptable method to carry out the transaction or the product or service business of which the transaction is a part, and record or service or maintain the consumer's account in the ordinary course of providing the financial service or financial product, or to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part, and includes the following:

(A) Providing the consumer or the consumer's agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product.

(B) The accrual or recognition of incentives, discounts, or bonuses associated with the transaction or communications to eligible existing consumers of the financial institution regarding the availability of those incentives, discounts, and bonuses that are provided by the financial institution or another party.

(C) In the case of a financial institution that has issued a credit account bearing the name of a company primarily engaged in retail sales or a name proprietary to a company primarily engaged in retail sales, the financial institution providing the retailer with nonpublic personal information as follows:

(i) Providing the retailer, or licensees or contractors of the retailer that provide products or services in the name of the retailer and under a contract with the retailer, with the names and addresses of the consumers in whose name the account is held and a record of the purchases made using the credit account from a business establishment, including a Web site or catalog, bearing the brand name of the retailer.

(ii) Where the credit account can only be used for transactions with the retailer or affiliates of that retailer that are also primarily engaged in retail sales, providing the retailer, or licensees or contractors of the retailer that provide products or services in the name of the retailer and under a contract with the retailer, with nonpublic personal information concerning the credit account, in connection with the offering or provision of the products or services of the retailer and those licensees or contractors.

(2) The disclosure is required or is one of the lawful or appropriate methods to enforce the rights of the financial institution or of other persons engaged in carrying out the financial transaction or providing the product or service.

(3) The disclosure is required, or is a usual, appropriate, or acceptable method for insurance underwriting or the placement of insurance products by licensed agents and brokers with authorized insurance companies at the consumer's request, for reinsurance, stop loss insurance, or excess loss insurance purposes, or for any of the following purposes as they relate to a consumer's insurance:

(A) Account administration.

(B) Reporting, investigating, or preventing fraud or material misrepresentation.

(C) Processing premium payments.

(D) Processing insurance claims.

(E) Administering insurance benefits, including utilization review activities.

(F) Participating in research projects.

(G) As otherwise required or specifically permitted by federal or state law.

(4) The disclosure is required, or is a usual, appropriate, or acceptable method, in connection with the following:

(A) The authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check, or account number, or by other payment means.

(B) The transfer of receivables, accounts, or interests therein.

(C) The audit of debit, credit, or other payment information.

(5) The disclosure is required in a transaction covered by the federal Real Estate Settlement Procedures Act (12 U.S.C. Sec. 2601 et seq.) in order to offer settlement services prior to the close of escrow (as those services are defined in 12 U.S.C. Sec. 2602), provided that (A) the nonpublic personal information is disclosed for the sole purpose of offering those settlement services and (B) the nonpublic personal information disclosed is limited to that necessary to enable the financial institution to offer those settlement services in that transaction.

(i) "Financial product or service" means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to a financial activity under subsection (k) of Section 1843 of Title 12 of the United States Code (the United States Bank Holding Company Act of 1956). Financial service includes a financial institution's evaluation or brokerage of information that the financial institution collects in connection with a request or an application from a consumer for a financial product or service.

(j) "Clear and conspicuous" means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information contained in the notice.

(k) "Widely distributed media" means media available to the general public and includes a telephone book, a television or radio program, a newspaper, or a Web site that is available to the general public on an unrestricted basis.

Section 15. Prior consent. Except as provided in Sections 25, 35, and 45, a financial institution shall not sell, share, transfer, or otherwise disclose nonpublic personal information to or with any nonaffiliated third parties without the explicit prior consent of the consumer to whom the nonpublic personal information relates.

Section 20. Disclosure.

(a) A financial institution shall not disclose to, or share a consumer's nonpublic personal information with, any nonaffiliated third party as prohibited by Section 15, unless the financial institution has obtained a consent acknowledgment from the consumer that authorizes the financial institution to disclose or share the nonpublic personal information. Nothing in this Section shall prohibit or otherwise apply to the disclosure of nonpublic personal information as allowed in Section 40. A financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has not provided consent pursuant to this Section and Section 15 to authorize the financial institution to disclose or share nonpublic personal information pertaining to him or her with any nonaffiliated third party. Nothing in this Section shall prohibit a financial institution from denying a consumer a financial product or service if the financial institution could not provide the product or service to a consumer without the consent to disclose the consumer's nonpublic personal information required by this Section and Section 15, and the consumer has failed to provide consent. A financial institution shall not be liable for failing to offer products and services to a consumer solely because that consumer has failed to provide consent pursuant to this Section and Section 15 and the financial institution could not offer the product or service without the consent to disclose the consumer's nonpublic personal information required by this Section and Section 15, and the consumer has failed to provide consent. Nothing in this Section is intended to prohibit a financial institution from offering incentives or discounts to elicit a specific response to the notice.

(b)(1) A financial institution shall not disclose to, or share a consumer's nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing pursuant to subsection (d) that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed. A financial institution does not disclose information to, or share information with, its affiliate merely because information is maintained in common information systems or databases, and employees of the financial institution and its affiliate have access to those common information systems or databases, or a consumer accesses a Web site jointly operated or maintained under a common name by or on behalf of the financial institution and its affiliate, provided that where a consumer has exercised his or her right to prohibit disclosure pursuant to this Act, nonpublic personal information is not further disclosed or used by an affiliate except as permitted by this Act.

(2) Subsection (a) of this Section shall not prohibit the release of nonpublic personal information by a financial institution with whom the consumer has a relationship to a nonaffiliated financial institution for purposes of jointly offering a financial product or financial service pursuant to a written agreement with the financial institution that receives the nonpublic personal information provided that all of the following requirements are met:

(A) The financial product or service offered is a product or service of, and is provided by, at least one of the financial institutions that is a party to the written agreement.

(B) The financial product or service is jointly offered, endorsed, or sponsored, and clearly and conspicuously identifies for the consumer the financial institutions that disclose and receive the disclosed nonpublic personal information.

(C) The written agreement provides that the financial institution that receives that nonpublic personal information is required to maintain the confidentiality of the information and is prohibited from disclosing or using the information other than to carry out the joint offering or servicing of a financial product or financial service that is the subject of the written agreement.

(D) The financial institution that releases the nonpublic personal information has complied with subsection (d) and the consumer has not directed that the nonpublic personal information not be disclosed.

(E) Notwithstanding this Section, until January 1, 2006, a financial institution may disclose nonpublic personal information to a nonaffiliated financial institution pursuant to a preexisting contract with the nonaffiliated financial institution, for purposes of offering a financial product or financial service, if that contract was entered into on or before January 1, 2005. Beginning on January 1, 2006, no nonpublic personal information may be disclosed pursuant to that contract unless all the requirements of this subsection are met.

(3) Nothing in this subsection shall prohibit a financial institution from disclosing or sharing nonpublic personal information as otherwise specifically permitted by this Act.

(4) A financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has directed pursuant to this subsection that nonpublic personal information pertaining to him or her not be disclosed. A financial institution shall not be required to offer or provide products or services offered through affiliated entities or jointly with nonaffiliated financial institutions pursuant to paragraph (2) of this subsection where the consumer has directed that nonpublic personal information not be disclosed pursuant to this subsection and the financial institution could not offer or provide the products or services to the consumer without disclosure of the consumer's nonpublic personal information that the consumer has directed not be disclosed pursuant to this subsection. A financial institution shall not be liable for failing to offer or provide products or services offered through affiliated entities or jointly with nonaffiliated financial institutions pursuant to paragraph (2) of this subsection solely because the consumer has directed that nonpublic personal information not be disclosed pursuant to this subsection and the financial institution could not offer or provide the products or services to the consumer without disclosure of the consumer's nonpublic personal information that the consumer has directed not be disclosed to affiliates pursuant to this subsection. Nothing in this Section is intended to prohibit a financial institution from offering incentives or discounts to elicit a specific response to the notice set forth in this Act. Nothing in this Section shall prohibit the disclosure of nonpublic personal information allowed by Section 40.

(5) The financial institution may, at its option, choose instead to comply with the requirements of subsection (a).

(c) Nothing in this Act shall restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries; among financial institutions that are each wholly owned by the same financial institution; among financial institutions that are wholly owned by the same holding company; or among the insurance and management entities of a single insurance holding company system consisting of one or more reciprocal insurance exchanges which has a single corporation or its wholly owned subsidiaries providing management services to the reciprocal insurance exchanges, provided that in each case all of the following requirements are met:

(1) The financial institution disclosing the nonpublic personal information and the financial institution receiving it are regulated by the same functional regulator; provided, however, that for purposes of this subsection, financial institutions regulated by the Office of the Comptroller of the Currency, Office of Thrift Supervision, National Credit Union Administration, or a state regulator of depository institutions shall be deemed to be regulated by the same functional regulator; financial institutions regulated by the Securities and Exchange Commission, the United States Department of Labor, or a state securities regulator shall be deemed to be regulated by the same functional regulator; and insurers admitted in this State to transact insurance and licensed to write insurance policies shall be deemed to be in compliance with this paragraph.

(2) The financial institution disclosing the nonpublic personal information and the financial institution receiving it are both principally engaged in the same line of business. For purposes of this subsection, "same line of business" shall be one and only one of the following:

(A) Insurance.

(B) Banking.

(C) Securities.

(3) The financial institution disclosing the nonpublic personal information and the financial institution receiving it share a common brand, excluding a brand consisting solely of a graphic element or symbol, within their trademark, service mark, or trade name, which is used to identify the source of the products and services provided. A wholly owned subsidiary shall include a subsidiary wholly owned directly or wholly owned indirectly in a chain of wholly owned subsidiaries. Nothing in this subsection shall permit the disclosure by a financial institution of medical record information, as defined in the Illinois Insurance Code, except in compliance with the requirements of this Act, including the requirements set forth in subsections (a) and (b).

(d)(1) The consumer shall be provided a reasonable opportunity prior to disclosure of nonpublic personal information to direct that nonpublic personal information not be disclosed. A consumer may direct at any time that his or her nonpublic personal information not be disclosed. A financial institution shall comply with a consumer's directions concerning the sharing of his or her nonpublic personal information within 45 days of receipt by the financial institution. When a consumer directs that nonpublic personal information not be disclosed, that direction is in effect until otherwise stated by the consumer. A financial institution that has not provided a consumer with annual notice pursuant to subsection (b) shall provide the consumer with a form that meets the requirements of this subsection, and shall allow 45 days to lapse from the date of providing the form in person or the postmark or other postal verification of mailing before disclosing nonpublic personal information pertaining to the consumer. Nothing in this subsection shall prohibit the disclosure of nonpublic personal information as allowed by subsection (c) or Section 40.

(2) A financial institution may elect to comply with the requirements of subsection (a) with respect to disclosure of nonpublic personal information to an affiliate or with respect to nonpublic personal information disclosed pursuant to paragraph (2) of subsection (b), or subsection (c) of Section 35.

(3) If a financial institution does not have a continuing relationship with a consumer other than the initial transaction in which the product or service is provided, no annual disclosure requirement exists pursuant to this section as long as the financial institution provides the consumer with the form required by this section at the time of the initial transaction. As used in this section, "annually" means at least once in any period of 12 consecutive months during which that relationship exists. The financial institution may define the 12-consecutive-month period, but shall apply it to the consumer on a consistent basis. If, for example, a financial institution defines the 12-consecutive-month period as a calendar year and provides the annual notice to the consumer once in each calendar year, it complies with the requirement to send the notice annually.

(4) A financial institution with assets in excess of $25,000,000 shall include a self-addressed first class business reply return envelope with the notice. A financial institution with assets of up to and including $25,000,000 shall include a self-addressed return envelope with the notice. In lieu of the first class business reply return envelope required by this paragraph, a financial institution may offer a self-addressed return envelope with the notice and at least two alternative cost-free means for consumers to communicate their privacy choices, such as calling a toll-free number, sending a facsimile to a toll-free telephone number, or using electronic means. A financial institution shall clearly and conspicuously disclose in the form required by this subsection the information necessary to direct the consumer on how to communicate his or her choices, including the toll-free or facsimile number or Web site address that may be used, if those means of communication are offered by the financial institution.

(5) A financial institution may provide a joint notice from it and one or more of its affiliates or other financial institutions, as identified in the notice, so long as the notice is accurate with respect to the financial institution and the affiliates and other financial institutions.

(e) Nothing in this Act shall prohibit a financial institution from marketing its own products and services or the products and services of affiliates or nonaffiliated third parties to customers of the financial institution as long as (1) nonpublic personal information is not disclosed in connection with the delivery of the applicable marketing materials to those customers except as permitted by Section 40 and (2) in cases in which the applicable nonaffiliated third party may extrapolate nonpublic personal information about the consumer responding to those marketing materials, the applicable nonaffiliated third party has signed a contract with the financial institution under the terms of which (A) the nonaffiliated third party is prohibited from using that information for any purpose other than the purpose for which it was provided, as set forth in the contract, and (B) the financial institution has the right by audit, inspections, or other means to verify the nonaffiliated third party's compliance with that contract.

Section 25. Receipt of nonpublic personal information. Except as otherwise provided in this Act, an entity that receives nonpublic personal information from a financial institution under this Act shall not disclose this information to any other entity, unless the disclosure would be lawful if made directly to the other entity by the financial institution. An entity that receives nonpublic personal information pursuant to any exception set forth in Section 45 shall not use or disclose the information except in the ordinary course of business to carry out the activity covered by the exception under which the information was received.

Section 30. Notice.

(a) Nothing in this Act shall require a financial institution to provide a written notice to a consumer pursuant to Section 20 if the financial institution does not disclose nonpublic personal information to any nonaffiliated third party or to any affiliate, except as allowed in this Act.

(b) A notice provided to a member of a household pursuant to Section 20 shall be considered notice to all members of that household unless that household contains another individual who also has a separate account with the financial institution.

(c)(1) The requirement to send a written notice to a consumer may be fulfilled by electronic means if the following requirements are met:

(A) The notice, and the manner in which it is sent, meets all of the requirements for notices that are required by law to be in writing, as set forth in Section 101 of the federal Electronic Signatures in Global and National Commerce Act.

(B) All other requirements applicable to the notice, as set forth in this Act, are met, including, but not limited to, requirements concerning content, timing, form, and delivery. An electronic notice sent pursuant to this section is not required to include a return envelope.

(C) The notice is delivered to the consumer in a form the consumer may keep.

(2) A notice that is made available to a consumer, and is not delivered to the consumer, does not satisfy the requirements of paragraph (1).

(3) Any electronic consumer reply to an electronic notice sent pursuant to this Act is effective. A person that electronically sends a notice required by this Act to a consumer may not by contract, or otherwise, eliminate the effectiveness of the consumer's electronic reply.

(4) This Act modifies the provisions of Section 101 of the federal Electronic Signatures in Global and National Commerce Act. However, it does not modify, limit, or supersede the provisions of subsection (c), (d), (e), (f), or (h) of Section 101 of the federal Electronic Signatures in Global and National Commerce Act, nor does it authorize electronic delivery of any notice of the type described in subsection (b) of Section 103 of that federal act.

Section 35. Affinity partners.

(a) When a financial institution and an organization or business entity that is not a financial institution ("affinity partner") have an agreement to issue a credit card in the name of the affinity partner ("affinity card"), the financial institution shall be permitted to disclose to the affinity partner in whose name the card is issued only the following information pertaining to the financial institution's customers who are in receipt of the affinity card: (1) name, address, telephone number, and electronic mail address and (2) record of purchases made using the affinity card in a business establishment, including a Web site, bearing the brand name of the affinity partner.

(b) When a financial institution and an affinity partner have an agreement to issue a financial product or service, other than a credit card, on behalf of the affinity partner ("affinity financial product or service"), the financial institution shall be permitted to disclose to the affinity partner only the following information pertaining to the financial institution's customers who obtained the affinity financial product or service: name, address, telephone number, and electronic mail address.

(c) The disclosures specified in subsections (a) and (b) shall be permitted only if the following requirements are met:

(1) The financial institution has provided the consumer a notice meeting the requirements of subsection (d) of Section 20, and the consumer has not directed that nonpublic personal information not be disclosed. A response to a notice meeting the requirements of subsection (d) directing the financial institution to not disclose nonpublic personal information to a nonaffiliated financial institution shall be deemed a direction to the financial institution to not disclose nonpublic personal information to an affinity partner, unless the form containing the notice provides the consumer with a separate choice for disclosure to affinity partners.

(2) The financial institution has a contractual agreement with the affinity partner that requires the affinity partner to maintain the confidentiality of the nonpublic personal information and prohibits affinity partners from using the information for any purposes other than verifying membership, verifying the consumer's contact information, or offering the affinity partner's own products or services to the consumer.

(3) The customer list is not disclosed in any way that reveals or permits extrapolation of any additional nonpublic personal information about any customer on the list.

(4) If the affinity partner sends any message to any electronic mail addresses obtained pursuant to this section, the message shall include at least both of the following:

(A) The identity of the sender of the message.

(B) A cost-free means for the recipient to notify the sender not to electronically mail any further message to the recipient.

(d) Nothing in this Section shall prohibit the disclosure of nonpublic personal information pursuant to Section 40.

(e) This Section does not apply to credit cards issued in the name of an entity primarily engaged in retail sales or a name proprietary to a company primarily engaged in retail sales.

Section 40. Release of nonpublic personal information.

(a) This Act shall not apply to information that is not personally identifiable to a particular person.

(b) Notwithstanding Sections 15, 20, 30, and 35, a financial institution may release nonpublic personal information under the following circumstances:

(1) The nonpublic personal information is necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with servicing or processing a financial product or service requested or authorized by the consumer, or in connection with maintaining or servicing the consumer's account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of that entity, or in connection with a proposed or actual securitization or secondary market sale, including sales of servicing rights, or similar transactions related to a transaction of the consumer.

(2) The nonpublic personal information is released with the consent of or at the direction of the consumer.

(3) The nonpublic personal information is:

(A) Released to protect the confidentiality or security of the financial institution's records pertaining to the consumer, the service or product, or the transaction therein.

(B) Released to protect against or prevent actual or potential fraud, identity theft, unauthorized transactions, claims, or other liability.

(C) Released for required institutional risk control, or for resolving customer disputes or inquiries.

(D) Released to persons holding a legal or beneficial interest relating to the consumer, including for purposes of debt collection.

(E) Released to persons acting in a fiduciary or representative capacity on behalf of the consumer.

(4) The nonpublic personal information is released to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution's compliance with industry standards, and the institution's attorneys, accountants, and auditors.

(5) The nonpublic personal information is released to the extent specifically required or specifically permitted under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 (12 U.S.C. Sec. 3401 et seq.), to law enforcement agencies, including a federal functional regulator, the Secretary of the Treasury with respect to subchapter II of Chapter 53 of Title 31, and Chapter 2 of Title I of Public Law 91-508 (12 U.S.C. Secs. 1951-1959), the Illinois Department of Insurance, or the Federal Trade Commission, and self-regulatory organizations, or for an investigation on a matter related to public safety.

(6) The nonpublic personal information is released in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of the business or unit.

(7) The nonpublic personal information is released to comply with federal, state, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, administrative, or regulatory investigation or subpoena or summons by federal, state, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.

(8) When a financial institution is reporting a known or suspected instance of elder or dependent adult financial abuse or is cooperating with a local adult protective services agency investigation of known or suspected elder or dependent adult financial abuse pursuant to the Elder Abuse and Neglect Act.

(9) The nonpublic personal information is released to an affiliate or a nonaffiliated third party in order for the affiliate or nonaffiliated third party to perform business or professional services, such as printing, mailing services, data processing or analysis, or customer surveys, on behalf of the financial institution, provided that all of the following requirements are met:

(A) The services to be performed by the affiliate or nonaffiliated third party could lawfully be performed by the financial institution.

(B) There is a written contract between the affiliate or nonaffiliated third party and the financial institution that prohibits the affiliate or nonaffiliated third party, as the case may be, from disclosing or using the nonpublic personal information other than to carry out the purpose for which the financial institution disclosed the information, as set forth in the written contract.

(C) The nonpublic personal information provided to the affiliate or nonaffiliated third party is limited to that which is necessary for the affiliate or nonaffiliated third party to perform the services contracted for on behalf of the financial institution.

(D) The financial institution does not receive any payment from or through the affiliate or nonaffiliated third party in connection with, or as a result of, the release of the nonpublic personal information.

(10) The nonpublic personal information is released to identify or locate missing and abducted children, witnesses, criminals and fugitives, parties to lawsuits, parents delinquent in child support payments, organ and bone marrow donors, pension fund beneficiaries, and missing heirs.

(11) The nonpublic personal information is released to a real estate appraiser licensed or certified by the State and the nonpublic personal information is compiled strictly to complete other real estate appraisals and is not used for any other purpose.

(12) The nonpublic personal information is released as required by Title III of the federal United and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act; P.L. 107-56).

(13) The nonpublic personal information is released either to a consumer reporting agency pursuant to the Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.) or from a consumer report reported by a consumer reporting agency.

(14) The nonpublic personal information is released in connection with a written agreement between a consumer and a broker-dealer registered under the Securities Exchange Act of 1934 or an investment adviser registered under the Investment Advisers Act of 1940 to provide investment management services, portfolio advisory services, or financial planning, and the nonpublic personal information is released for the sole purpose of providing the products and services covered by that agreement.

(c) Nothing in this Act is intended to change existing law relating to access by law enforcement agencies to information held by financial institutions.

Section 45. Application.

(a) The provisions of this Act do not apply to any person or entity that meets the requirements of paragraph (1) or (2) below. However, when nonpublic personal information is being or will be shared by a person or entity meeting the requirements of paragraph (1) or (2) with an affiliate or nonaffiliated third party, this Act shall apply.

(1) The person or entity is licensed in one or both of the following categories and is acting within the scope of the respective license or certificate:

(A) As an insurance producer, certified under the Illinois Insurance Code, as a registered investment adviser under the Illinois Securities Law of 1953, or as an investment adviser pursuant to Section 202(a)(11) of the federal Investment Advisers Act of 1940.

(B) Is licensed to sell securities by the National Association of Securities Dealers (NASD).

(2) The person or entity meets the requirements in paragraph (1) and has a written contractual agreement with another person or entity described in paragraph (1) and the contract clearly and explicitly includes the following:

(A) The rights and obligations between the licensees arising out of the business relationship relating to insurance or securities transactions.

(B) An explicit limitation on the use of nonpublic personal information about a consumer to transactions authorized by the contract and permitted pursuant to this Act.

(C) A requirement that transactions specified in the contract fall within the scope of activities permitted by the licenses of the parties.

(b) The restrictions on disclosure and use of nonpublic personal information, and the requirement for notification and disclosure provided in this Act, shall not limit the ability of insurance producers and brokers to respond to written or electronic, including telephone, requests from consumers seeking price quotes on insurance products and services or to obtain competitive quotes to renew an existing insurance contract, provided that any nonpublic personal information disclosed pursuant to this subsection shall not be used or disclosed except in the ordinary course of business in order to obtain those quotes.

(c)(1) The disclosure or sharing of personal information from an insurer, as defined in Article XL of the Illinois Insurance Code, or its affiliates to an agent whose contractual or employment relationship requires that the agent offer only the insurer's policies for sale or financial products or services that meet the requirements of paragraph (2) of subsection (b) of Section 20 and are authorized by the insurer, or whose contractual or employment relationship with an insurer gives the insurer the right of first refusal for all policies of insurance by the agent, and who may not share nonpublic personal information with any insurer other than the insurer with whom the agent has a contractual or employment relationship as described above, is not a violation of this Act, provided that the agent may not disclose nonpublic personal information to any party except as permitted by this Act. An insurer or its affiliates do not disclose or share nonpublic personal information with exclusive agents merely because information is maintained in common information systems or databases, and exclusive agents of the insurer or its affiliates have access to those common information systems or databases, provided that where a consumer has exercised his or her rights to prohibit disclosure pursuant to this Act, nonpublic personal information is not further disclosed or used by an exclusive agent except as permitted by this Act.

(2) Nothing in this subsection is intended to affect the sharing of information allowed in subsection (a) or subsection (b).

Section 50. Negligence.

(a) An entity that negligently discloses or shares nonpublic personal information in violation of this Act shall be liable, irrespective of the amount of damages suffered by the consumer as a result of that violation, for a civil penalty not to exceed $2,500 per violation. However, if the disclosure or sharing results in the release of nonpublic personal information of more than one individual, the total civil penalty awarded pursuant to this subsection shall not exceed $500,000.

(b) An entity that knowingly and willfully obtains, discloses, shares, or uses nonpublic personal information in violation of this Act shall be liable for a civil penalty not to exceed $2,500 per individual violation, irrespective of the amount of damages suffered by the consumer as a result of that violation.

(c) In determining the penalty to be assessed pursuant to a violation of this Act, the court shall take into account the following factors:

(1) The total assets and net worth of the violating entity.

(2) The nature and seriousness of the violation.

(3) The persistence of the violation, including any attempts to correct the situation leading to the violation.

(4) The length of time over which the violation occurred.

(5) The number of times the entity has violated this Act.

(6) The harm caused to consumers by the violation.

(7) The level of proceeds derived from the violation.

(8) The impact of possible penalties on the overall fiscal solvency of the violating entity.

(d) In the event a violation of this Act results in the identity theft of a consumer, as defined by Article 16g of the Criminal Code, the civil penalties set forth in this Section shall be doubled.

(e) The civil penalties provided for in this Section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of Illinois in any court of competent jurisdiction by any of the following:

(1) The Attorney General.

(2) The functional regulator with jurisdiction over regulation of the financial institution as follows:

(A) In the case of banks, savings associations, credit unions, commercial lending companies, and bank holding companies, by the Department of Financial Institutions or the Office of Banks and Real Estate, or the appropriate federal authority;

(B) in the case of any person engaged in the business of insurance, by the Department of Insurance;

(C) in the case of any investment broker or dealer, investment company, investment advisor, residential mortgage lender or finance lender, by the Illinois Secretary of State; and

(D) in the case of a financial institution not subject to the jurisdiction of any functional regulator listed under subparagraphs (A) to (C), inclusive, above, by the Attorney General.

Section 55. Authority of departments or agencies. Nothing in this Act shall be construed as altering or annulling the authority of any department or agency of the state to regulate any financial institution subject to its jurisdiction.

Section 90. Severability. The provisions of this Act shall be severable, and if any phrase, clause, sentence, or provision is declared to be invalid or is preempted by federal law or regulation, the validity of the remainder of this Act shall not be affected thereby.