|
Rep. Kelly Burke
Filed: 4/8/2011
| | 09700HB3025ham002 | | LRB097 06857 AEK 53928 a |
|
|
1 | | AMENDMENT TO HOUSE BILL 3025
|
2 | | AMENDMENT NO. ______. Amend House Bill 3025, AS AMENDED, by |
3 | | replacing everything after the enacting clause with the |
4 | | following:
|
5 | | "Section 5. The Personal Information Protection Act is |
6 | | amended by changing Sections 5, 10, and 12 and by adding |
7 | | Section 40 as follows: |
8 | | (815 ILCS 530/5)
|
9 | | Sec. 5. Definitions. In this Act: |
10 | | "Data Collector" may include, but is not limited to,
|
11 | | government agencies, public and private universities,
|
12 | | privately and publicly held corporations, financial
|
13 | | institutions, retail operators, and any other entity that, for |
14 | | any purpose, handles, collects, disseminates, or otherwise
|
15 | | deals with nonpublic personal information.
|
16 | | "Breach of the security of the system data" or "breach" |
|
| | 09700HB3025ham002 | - 2 - | LRB097 06857 AEK 53928 a |
|
|
1 | | means
unauthorized acquisition of computerized data that |
2 | | compromises the security, confidentiality, or integrity of |
3 | | personal information maintained by the data collector. "Breach |
4 | | of the security of the system data" does not include good faith
|
5 | | acquisition of personal information by an employee or agent of
|
6 | | the data collector for a legitimate purpose of the data
|
7 | | collector, provided that the personal information is not used
|
8 | | for a purpose unrelated to the data collector's business or
|
9 | | subject to further unauthorized disclosure.
|
10 | | "Personal information" means an individual's first name or |
11 | | first initial and last name in combination with any one or more
|
12 | | of the following data elements, when either the name or the |
13 | | data elements are not encrypted or redacted:
|
14 | | (1) Social Security number. |
15 | | (2) Driver's license number or State identification
|
16 | | card number.
|
17 | | (3) Account number or credit or debit card number, or |
18 | | an
account number or credit card number in combination with
|
19 | | any required security code, access code, or password that
|
20 | | would permit access to an individual's financial account.
|
21 | | "Personal information" does not include publicly available
|
22 | | information that is lawfully made available to the general
|
23 | | public from federal, State, or local government records.
|
24 | | (Source: P.A. 94-36, eff. 1-1-06.) |
25 | | (815 ILCS 530/10)
|
|
| | 09700HB3025ham002 | - 3 - | LRB097 06857 AEK 53928 a |
|
|
1 | | Sec. 10. Notice of Breach. |
2 | | (a) Any data collector that owns or licenses personal |
3 | | information concerning an Illinois resident shall notify the
|
4 | | resident at no charge that there has been a breach of the |
5 | | security of the
system data following discovery or notification |
6 | | of the breach.
The disclosure notification shall be made in the |
7 | | most
expedient time possible and without unreasonable delay,
|
8 | | consistent with any measures necessary to determine the
scope |
9 | | of the breach and restore the reasonable integrity,
security, |
10 | | and confidentiality of the data system. The disclosure |
11 | | notification to an Illinois resident shall include, but need |
12 | | not be limited to, (i) the toll-free numbers and addresses for |
13 | | consumer reporting agencies, (ii) the toll-free number, |
14 | | address, and website address for the Federal Trade Commission, |
15 | | and (iii) a statement that the individual can obtain |
16 | | information from these sources about fraud alerts and security |
17 | | freezes. The notification shall not, however, include |
18 | | information concerning the number of Illinois residents |
19 | | affected by the breach. |
20 | | (b) Any data collector that maintains or stores, but does |
21 | | not own or license, computerized data that
includes personal |
22 | | information that the data collector does not own or license |
23 | | shall notify the owner or licensee of the information of any |
24 | | breach of the security of the data immediately following |
25 | | discovery, if the personal information was, or is reasonably |
26 | | believed to have been, acquired by
an unauthorized person. In |
|
| | 09700HB3025ham002 | - 4 - | LRB097 06857 AEK 53928 a |
|
|
1 | | addition to providing such notification to the owner or |
2 | | licensee, the data collector shall cooperate with the owner or |
3 | | licensee in matters relating to the breach. That cooperation |
4 | | shall include, but need not be limited to, (i) informing the |
5 | | owner or licensee of the breach, including giving notice of the |
6 | | date or approximate date of the breach and the nature of the |
7 | | breach, and (ii) informing the owner or licensee of any steps |
8 | | the data collector has taken or plans to take relating to the |
9 | | breach. The data collector's cooperation shall not, however, be |
10 | | deemed to require either the disclosure of confidential |
11 | | business information or trade secrets or the notification of an |
12 | | Illinois resident who may have been affected by the breach.
|
13 | | (b-5) The notification to an Illinois resident required by |
14 | | subsection (a) of this Section may be delayed if an appropriate |
15 | | law enforcement agency determines that notification will |
16 | | interfere with a criminal investigation and provides the data |
17 | | collector with a written request for the delay. However, the |
18 | | data collector must notify the Illinois resident as soon as |
19 | | notification will no longer interfere with the investigation.
|
20 | | (c) For purposes of this Section, notice to consumers may |
21 | | be provided by one of the following methods:
|
22 | | (1) written notice; |
23 | | (2) electronic notice, if the notice provided is
|
24 | | consistent with the provisions regarding electronic
|
25 | | records and signatures for notices legally required to be
|
26 | | in writing as set forth in Section 7001 of Title 15 of the |
|
| | 09700HB3025ham002 | - 5 - | LRB097 06857 AEK 53928 a |
|
|
1 | | United States Code;
or |
2 | | (3) substitute notice, if the data collector
|
3 | | demonstrates that the cost of providing notice would exceed
|
4 | | $250,000 or that the affected class of subject persons to |
5 | | be notified exceeds 500,000, or the data collector does not
|
6 | | have sufficient contact information. Substitute notice |
7 | | shall consist of all of the following: (i) email notice if |
8 | | the data collector has an email address for the subject |
9 | | persons; (ii) conspicuous posting of the notice on the data
|
10 | | collector's web site page if the data collector maintains
|
11 | | one; and (iii) notification to major statewide media. |
12 | | (d) Notwithstanding any other subsection in this Section |
13 | | (c) , a data collector
that maintains its own notification |
14 | | procedures as part of an
information security policy for the |
15 | | treatment of personal
information and is otherwise consistent |
16 | | with the timing requirements of this Act, shall be deemed in |
17 | | compliance
with the notification requirements of this Section |
18 | | if the
data collector notifies subject persons in accordance |
19 | | with its policies in the event of a breach of the security of |
20 | | the system data.
|
21 | | (Source: P.A. 94-36, eff. 1-1-06; 94-947, eff. 6-27-06.) |
22 | | (815 ILCS 530/12)
|
23 | | Sec. 12. Notice of breach; State agency. |
24 | | (a) Any State agency that collects personal information |
25 | | concerning an Illinois resident shall notify the
resident at no |
|
| | 09700HB3025ham002 | - 6 - | LRB097 06857 AEK 53928 a |
|
|
1 | | charge that there has been a breach of the security of the
|
2 | | system data or written material following discovery or |
3 | | notification of the breach.
The disclosure notification shall |
4 | | be made in the most
expedient time possible and without |
5 | | unreasonable delay,
consistent with any measures necessary to |
6 | | determine the
scope of the breach and restore the reasonable |
7 | | integrity,
security, and confidentiality of the data system. |
8 | | The disclosure notification to an Illinois resident shall |
9 | | include, but need not be limited to, (i) the toll-free numbers |
10 | | and addresses for consumer reporting agencies, (ii) the |
11 | | toll-free number, address, and website address for the Federal |
12 | | Trade Commission, and (iii) a statement that the individual can |
13 | | obtain information from these sources about fraud alerts and |
14 | | security freezes. The notification shall not, however, include |
15 | | information concerning the number of Illinois residents |
16 | | affected by the breach. |
17 | | (a-5) The notification to an Illinois resident required by |
18 | | subsection (a) of this Section may be delayed if an appropriate |
19 | | law enforcement agency determines that notification will |
20 | | interfere with a criminal investigation and provides the State |
21 | | agency with a written request for the delay. However, the State |
22 | | agency must notify the Illinois resident as soon as |
23 | | notification will no longer interfere with the investigation. |
24 | | (b) For purposes of this Section, notice to residents may |
25 | | be provided by one of the following methods:
|
26 | | (1) written notice;
|
|
| | 09700HB3025ham002 | - 7 - | LRB097 06857 AEK 53928 a |
|
|
1 | | (2) electronic notice, if the notice provided is
|
2 | | consistent with the provisions regarding electronic
|
3 | | records and signatures for notices legally required to be
|
4 | | in writing as set forth in Section 7001 of Title 15 of the |
5 | | United States Code;
or
|
6 | | (3) substitute notice, if the State agency
|
7 | | demonstrates that the cost of providing notice would exceed
|
8 | | $250,000 or that the affected class of subject persons to |
9 | | be notified exceeds 500,000, or the State agency does not
|
10 | | have sufficient contact information. Substitute notice |
11 | | shall consist of all of the following: (i) email notice if |
12 | | the State agency has an email address for the subject |
13 | | persons; (ii) conspicuous posting of the notice on the |
14 | | State agency's web site page if the State agency maintains
|
15 | | one; and (iii) notification to major statewide media.
|
16 | | (c) Notwithstanding subsection (b), a State agency
that |
17 | | maintains its own notification procedures as part of an
|
18 | | information security policy for the treatment of personal
|
19 | | information and is otherwise consistent with the timing |
20 | | requirements of this Act shall be deemed in compliance
with the |
21 | | notification requirements of this Section if the
State agency |
22 | | notifies subject persons in accordance with its policies in the |
23 | | event of a breach of the security of the system data or written |
24 | | material.
|
25 | | (d) If a State agency is required to notify more than 1,000 |
26 | | persons of a breach of security pursuant to this Section, the |
|
| | 09700HB3025ham002 | - 8 - | LRB097 06857 AEK 53928 a |
|
|
1 | | State agency shall also notify, without unreasonable delay, all |
2 | | consumer reporting agencies that compile and maintain files on |
3 | | consumers on a nationwide basis, as defined by 15 U.S.C. |
4 | | Section 1681a(p), of the timing, distribution, and content of |
5 | | the notices. Nothing in this subsection (d) shall be construed |
6 | | to require the State agency to provide to the consumer |
7 | | reporting agency the names or other personal identifying |
8 | | information of breach notice recipients.
|
9 | | (Source: P.A. 94-947, eff. 6-27-06.) |
10 | | (815 ILCS 530/40 new) |
11 | | Sec. 40. Disposal of materials containing personal |
12 | | information; Attorney General. |
13 | | (a) In this Section, "person" means: a natural person; a |
14 | | corporation, partnership, association, or other legal entity; |
15 | | a unit of local government or any agency, department, division, |
16 | | bureau, board, commission, or committee thereof; or the State |
17 | | of Illinois or any constitutional officer, agency, department, |
18 | | division, bureau, board, commission, or committee thereof. |
19 | | (b) A person must dispose of the materials containing |
20 | | personal information in a manner that renders the personal |
21 | | information unreadable, unusable, and undecipherable. Proper |
22 | | disposal methods include, but are not limited to, the |
23 | | following: |
24 | | (1) Paper documents containing personal information |
25 | | may be either redacted, burned, pulverized, or shredded so |
|
| | 09700HB3025ham002 | - 9 - | LRB097 06857 AEK 53928 a |
|
|
1 | | that personal information cannot practicably be read or |
2 | | reconstructed. |
3 | | (2) Electronic media and other non-paper media |
4 | | containing personal information may be destroyed or erased |
5 | | so that personal information cannot practicably be read or |
6 | | reconstructed. |
7 | | (c) Any person disposing of materials containing personal |
8 | | information may contract with a third party to dispose of such |
9 | | materials in accordance with this Section. Any third party that |
10 | | contracts with a person to dispose of materials containing |
11 | | personal information must implement and monitor compliance |
12 | | with policies and procedures that prohibit unauthorized access |
13 | | to or acquisition of or use of personal information during the |
14 | | collection, transportation, and disposal of materials |
15 | | containing personal information. |
16 | | (d) Any person, including but not limited to a third party |
17 | | referenced in subsection (c), who violates this Section is |
18 | | subject to a civil penalty of not more than $100 for each |
19 | | individual with respect to whom personal information is |
20 | | disposed of in violation of this Section. A civil penalty may |
21 | | not, however, exceed $50,000 for each instance of improper |
22 | | disposal of materials containing personal information. The |
23 | | Attorney General may impose a civil penalty after notice to the |
24 | | person accused of violating this Section and an opportunity for |
25 | | that person to be heard in the matter. The Attorney General may |
26 | | file a civil action in the circuit court to recover any penalty |