|
| | SB1833 Engrossed | | LRB099 09064 JLS 31312 b |
|
|
| 1 | | AN ACT concerning business.
|
| 2 | | Be it enacted by the People of the State of Illinois,
|
| 3 | | represented in the General Assembly:
|
| 4 | | Section 5. The Personal Information Protection Act is |
| 5 | | amended by changing Sections 5 and 10 and by adding Sections 45 |
| 6 | | and 50 as follows:
|
| 7 | | (815 ILCS 530/5)
|
| 8 | | Sec. 5. Definitions. In this Act: |
| 9 | | "Data Collector" may include, but is not limited to,
|
| 10 | | government agencies, public and private universities,
|
| 11 | | privately and publicly held corporations, financial
|
| 12 | | institutions, retail operators, and any other entity that, for |
| 13 | | any purpose, handles, collects, disseminates, or otherwise
|
| 14 | | deals with nonpublic personal information.
|
| 15 | | "Breach of the security of the system data" or "breach" |
| 16 | | means
unauthorized acquisition of computerized data that |
| 17 | | compromises the security, confidentiality, or integrity of |
| 18 | | personal information maintained by the data collector. "Breach |
| 19 | | of the security of the system data" does not include good faith
|
| 20 | | acquisition of personal information by an employee or agent of
|
| 21 | | the data collector for a legitimate purpose of the data
|
| 22 | | collector, provided that the personal information is not used
|
| 23 | | for a purpose unrelated to the data collector's business or
|
|
| | SB1833 Engrossed | - 2 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | subject to further unauthorized disclosure.
|
| 2 | | "Consumer marketing information" means information related |
| 3 | | to a consumer's online browsing history, online search history, |
| 4 | | or purchasing history. |
| 5 | | "Geolocation information" means information generated or |
| 6 | | derived from the operation or use of an electronic |
| 7 | | communications device that is sufficient to identify the street |
| 8 | | name and name of the city or town in which the device is |
| 9 | | located. "Geolocation information" does not include the |
| 10 | | contents of an electronic communication. |
| 11 | | "Health insurance information" means an individual's |
| 12 | | health insurance policy number or subscriber identification |
| 13 | | number, any unique identifier used by a health insurer to |
| 14 | | identify the individual, or any information in an individual's |
| 15 | | health insurance application and claims history, including any |
| 16 | | appeals records. |
| 17 | | "Medical information" means any information regarding an |
| 18 | | individual's medical history, mental or physical condition, or |
| 19 | | medical treatment or diagnosis by a healthcare professional, |
| 20 | | including health information provided to a website or mobile |
| 21 | | application. |
| 22 | | "Personal information" means either of the following: |
| 23 | | (1) an individual's first name or first initial and |
| 24 | | last name in combination with any one or more
of the |
| 25 | | following data elements, when either the name or the data |
| 26 | | elements are not encrypted or redacted or are encrypted or |
|
| | SB1833 Engrossed | - 3 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | redacted but the keys to unencrypt or unredact or otherwise |
| 2 | | read the name or data elements have been acquired without |
| 3 | | authorization through the breach of security:
|
| 4 | | (A) (1) Social Security number. |
| 5 | | (B) (2) Driver's license number or State |
| 6 | | identification
card number.
|
| 7 | | (C) (3) Account number or credit or debit card |
| 8 | | number, or an
account number or credit card number in |
| 9 | | combination with
any required security code, access |
| 10 | | code, or password that
would permit access to an |
| 11 | | individual's financial account.
|
| 12 | | (D) Medical information. |
| 13 | | (E) Health insurance information. |
| 14 | | (F) Unique biometric data, such as a fingerprint, |
| 15 | | retina or iris image, or other unique physical |
| 16 | | representation or digital representation of biometric |
| 17 | | data. |
| 18 | | (G) Geolocation information. |
| 19 | | (H) Consumer marketing information. |
| 20 | | (I) Any 2 of the following data elements: |
| 21 | | (i) home address, telephone number, or email |
| 22 | | address; |
| 23 | | (ii) mother's maiden name; |
| 24 | | (iii) month, day, and year of birth. |
| 25 | | (2) user name or email address, in combination with a |
| 26 | | password or security question and answer that would permit |
|
| | SB1833 Engrossed | - 4 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | access to an online account, when either the user name or |
| 2 | | email address or password or security question and answer |
| 3 | | are not encrypted or redacted or are encrypted or redacted |
| 4 | | but the keys to unencrypt or unredact or otherwise read the |
| 5 | | data elements have been obtained through the breach of |
| 6 | | security. |
| 7 | | "Personal information" does not include publicly available
|
| 8 | | information that is lawfully made available to the general
|
| 9 | | public from federal, State, or local government records.
|
| 10 | | (Source: P.A. 97-483, eff. 1-1-12.)
|
| 11 | | (815 ILCS 530/10)
|
| 12 | | Sec. 10. Notice of Breach. |
| 13 | | (a) Any data collector that owns or licenses personal |
| 14 | | information, excluding geolocation information and consumer |
| 15 | | marketing information, concerning an Illinois resident shall |
| 16 | | notify the
resident at no charge that there has been a breach |
| 17 | | of the security of the
system data following discovery or |
| 18 | | notification of the breach.
The disclosure notification shall |
| 19 | | be made in the most
expedient time possible and without |
| 20 | | unreasonable delay,
consistent with any measures necessary to |
| 21 | | determine the
scope of the breach and restore the reasonable |
| 22 | | integrity,
security, and confidentiality of the data system. |
| 23 | | The disclosure notification to an Illinois resident shall |
| 24 | | include, but need not be limited to, information as follows: |
| 25 | | (1) With respect to personal information as defined in |
|
| | SB1833 Engrossed | - 5 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | Section 5 in paragraph (1) of the definition of "personal |
| 2 | | information": |
| 3 | | (A) (i) the toll-free numbers and addresses for |
| 4 | | consumer reporting agencies; , |
| 5 | | (B) (ii) the toll-free number, address, and |
| 6 | | website address for the Federal Trade Commission; , and |
| 7 | | (C) (iii) a statement that the individual can |
| 8 | | obtain information from these sources about fraud |
| 9 | | alerts and security freezes. |
| 10 | | The notification shall not, however, include information |
| 11 | | concerning the number of Illinois residents affected by the |
| 12 | | breach. |
| 13 | | (2) With respect to personal information defined in |
| 14 | | Section 5 in paragraph (2) of the definition of "personal |
| 15 | | information", notice may be provided in electronic or other |
| 16 | | form directing the Illinois resident whose personal |
| 17 | | information has been breached to promptly change his or her |
| 18 | | username or password and security question or answer, as |
| 19 | | applicable, or to take other steps appropriate to protect |
| 20 | | all online accounts for which the resident uses the same |
| 21 | | user name or email address and password or security |
| 22 | | question and answer. |
| 23 | | (b) Any data collector that maintains or stores, but does |
| 24 | | not own or license, computerized data that
includes personal |
| 25 | | information that the data collector does not own or license |
| 26 | | shall notify the owner or licensee of the information of any |
|
| | SB1833 Engrossed | - 6 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | breach of the security of the data immediately following |
| 2 | | discovery, if the personal information was, or is reasonably |
| 3 | | believed to have been, acquired by
an unauthorized person. In |
| 4 | | addition to providing such notification to the owner or |
| 5 | | licensee, the data collector shall cooperate with the owner or |
| 6 | | licensee in matters relating to the breach. That cooperation |
| 7 | | shall include, but need not be limited to, (i) informing the |
| 8 | | owner or licensee of the breach, including giving notice of the |
| 9 | | date or approximate date of the breach and the nature of the |
| 10 | | breach, and (ii) informing the owner or licensee of any steps |
| 11 | | the data collector has taken or plans to take relating to the |
| 12 | | breach. The data collector's cooperation shall not, however, be |
| 13 | | deemed to require either the disclosure of confidential |
| 14 | | business information or trade secrets or the notification of an |
| 15 | | Illinois resident who may have been affected by the breach.
|
| 16 | | (b-5) The notification to an Illinois resident required by |
| 17 | | subsection (a) of this Section may be delayed if an appropriate |
| 18 | | law enforcement agency determines that notification will |
| 19 | | interfere with a criminal investigation and provides the data |
| 20 | | collector with a written request for the delay. However, the |
| 21 | | data collector must notify the Illinois resident as soon as |
| 22 | | notification will no longer interfere with the investigation.
|
| 23 | | (c) For purposes of this Section, notice to consumers may |
| 24 | | be provided by one of the following methods:
|
| 25 | | (1) written notice; |
| 26 | | (2) electronic notice, if the notice provided is
|
|
| | SB1833 Engrossed | - 7 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | consistent with the provisions regarding electronic
|
| 2 | | records and signatures for notices legally required to be
|
| 3 | | in writing as set forth in Section 7001 of Title 15 of the |
| 4 | | United States Code;
or |
| 5 | | (3) substitute notice, if the data collector
|
| 6 | | demonstrates that the cost of providing notice would exceed
|
| 7 | | $250,000 or that the affected class of subject persons to |
| 8 | | be notified exceeds 500,000, or the data collector does not
|
| 9 | | have sufficient contact information. Substitute notice |
| 10 | | shall consist of all of the following: (i) email notice if |
| 11 | | the data collector has an email address for the subject |
| 12 | | persons; (ii) conspicuous posting of the notice on the data
|
| 13 | | collector's web site page if the data collector maintains
|
| 14 | | one; and (iii) notification to major statewide media or, if |
| 15 | | the breach impacts residents in one geographic area, to |
| 16 | | prominent local media in areas where affected individuals |
| 17 | | are likely to reside if such notice is reasonably |
| 18 | | calculated to give actual notice to persons whom notice is |
| 19 | | required. |
| 20 | | (d) Notwithstanding any other subsection in this Section, a |
| 21 | | data collector
that maintains its own notification procedures |
| 22 | | as part of an
information security policy for the treatment of |
| 23 | | personal
information and is otherwise consistent with the |
| 24 | | timing requirements of this Act, shall be deemed in compliance
|
| 25 | | with the notification requirements of this Section if the
data |
| 26 | | collector notifies subject persons in accordance with its |
|
| | SB1833 Engrossed | - 8 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | policies in the event of a breach of the security of the system |
| 2 | | data.
|
| 3 | | (e) Notice to Attorney General. |
| 4 | | (1) Any data collector that suffers a single breach of |
| 5 | | the security of the data concerning the personal |
| 6 | | information of more than 250 Illinois residents shall |
| 7 | | provide notice to the Attorney General of the breach, |
| 8 | | including: |
| 9 | | (A) A description of the personal information |
| 10 | | compromised in the breach. |
| 11 | | (B) The number of Illinois residents affected by |
| 12 | | such incident at the time of notification. |
| 13 | | (C) Any steps the data collector has taken or plans |
| 14 | | to take relating to notification of the breach to |
| 15 | | consumers. |
| 16 | | (D) The date and timeframe of the breach, if known |
| 17 | | at the time notification is provided. |
| 18 | | Such notification must be made within 30 business days |
| 19 | | of the data collector's discovery of the security breach or |
| 20 | | 2 days before the data collector provides any notice to |
| 21 | | consumers required by this Section, whichever is sooner, |
| 22 | | unless the data collector has good cause for reasonable |
| 23 | | delay to determine the scope of the breach and restore the |
| 24 | | integrity, security, and confidentiality of the data |
| 25 | | system, or when law enforcement requests in writing to |
| 26 | | withhold disclosure of some or all of the information |
|
| | SB1833 Engrossed | - 9 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | required in the notification under this Section. If the |
| 2 | | date or timeframe of the breach is unknown at the time the |
| 3 | | notice is sent to the Attorney General, the data collector |
| 4 | | shall send the Attorney General the date or timeframe of |
| 5 | | the breach as soon as possible. |
| 6 | | (2) Any data collector that maintains or stores, but |
| 7 | | does not own or license, computerized data that includes |
| 8 | | personal information that suffers a single breach of the |
| 9 | | security of the data concerning the personal information of |
| 10 | | more than 250 Illinois residents shall notify the Attorney |
| 11 | | General of the following: |
| 12 | | (A) A description of the personal information |
| 13 | | compromised in the breach. |
| 14 | | (B) The number of Illinois residents affected by |
| 15 | | such incident at the time of notification. |
| 16 | | (C) Any steps the data collector has taken or plans |
| 17 | | to take relating to notification of the owner or |
| 18 | | licensee of the breach and what measures, if any, the |
| 19 | | data collector has taken to notify Illinois residents. |
| 20 | | (D) The date and timeframe of the breach, if known |
| 21 | | at the time notification is provided. |
| 22 | | Such notification must be made within 30 business days |
| 23 | | of the data collector's discovery of the security breach or |
| 24 | | when the data collector provides notice to the owner or |
| 25 | | licensee of the information pursuant to this Section, |
| 26 | | whichever is sooner, unless the data collector has good |
|
| | SB1833 Engrossed | - 10 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | cause for reasonable delay to determine the scope of the |
| 2 | | breach and restore the integrity, security, and |
| 3 | | confidentiality of the data system, or when law enforcement |
| 4 | | requests in writing to withhold disclosure of some or all |
| 5 | | of the information required in the notification under this |
| 6 | | Section. If the date or timeframe of the breach is unknown |
| 7 | | at the time the notice is sent to the Attorney General, the |
| 8 | | data collector shall send the Attorney General the date or |
| 9 | | timeframe of the breach as soon as possible. |
| 10 | | (f) A data collector that suffers a breach subject to the |
| 11 | | breach notification standards established pursuant to the |
| 12 | | federal Health Information Technology Act, 42 U.S.C. Section |
| 13 | | 17932, shall be deemed to be in compliance with the provisions |
| 14 | | of this Section if that data collector does the following: (1) |
| 15 | | provides notification to individuals in compliance with the |
| 16 | | federal Health Information Technology Act and implementing |
| 17 | | regulations and (2) provides notification to the Attorney |
| 18 | | General pursuant to subsection (e). |
| 19 | | (Source: P.A. 97-483, eff. 1-1-12.)
|
| 20 | | (815 ILCS 530/45 new) |
| 21 | | Sec. 45. Data security. |
| 22 | | (a) A data collector that owns or licenses, or maintains or |
| 23 | | stores but does not own or license, records that contain |
| 24 | | personal information concerning an Illinois resident shall |
| 25 | | implement and maintain reasonable security measures to protect |
|
| | SB1833 Engrossed | - 11 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | those records from unauthorized access, acquisition, |
| 2 | | destruction, use, modification, or disclosure. |
| 3 | | (b) A contract for the disclosure of personal information |
| 4 | | concerning an Illinois resident that is maintained by a data |
| 5 | | collector must include a provision requiring the person to whom |
| 6 | | the information is disclosed to implement and maintain |
| 7 | | reasonable security measures to protect those records from |
| 8 | | unauthorized access, acquisition, destruction, use, |
| 9 | | modification, or disclosure. |
| 10 | | (c) If a state or federal law requires a data collector to |
| 11 | | provide greater protection to records that contain personal |
| 12 | | information concerning an Illinois resident that are |
| 13 | | maintained by the data collector and the data collector is in |
| 14 | | compliance with the provisions of that state or federal law, |
| 15 | | the data collector shall be deemed to be in compliance with the |
| 16 | | provisions of this Section. |
| 17 | | (d) A data collector that is subject to and in compliance |
| 18 | | with the security standards for the protection of electronic |
| 19 | | health information, 45 C.F.R. Parts 160 and 164, established |
| 20 | | pursuant to the federal Health Insurance Portability and |
| 21 | | Accountability Act of 1996 shall be deemed to be in compliance |
| 22 | | with the provisions of this Section. |
| 23 | | (e) A data collector that is subject to and in compliance |
| 24 | | with the standards established pursuant to Section 501(b) of |
| 25 | | the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801, |
| 26 | | shall be deemed to be in compliance with the provisions of this |
|
| | SB1833 Engrossed | - 12 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | Section.
|
| 2 | | (815 ILCS 530/50 new) |
| 3 | | Sec. 50. Posting of privacy policy. |
| 4 | | (a) As used in this Section: |
| 5 | | "Conspicuously post" means posting the privacy policy |
| 6 | | through any of the following: |
| 7 | | (1) A Web page on which the actual privacy policy is |
| 8 | | posted if the Web page is the homepage or first significant |
| 9 | | page after entering the Web site. |
| 10 | | (2) An icon that hyperlinks to a Web page on which the |
| 11 | | actual privacy policy is posted, if the icon is located on |
| 12 | | the homepage or the first significant page after entering |
| 13 | | the Web site, and if the icon contains the word "privacy". |
| 14 | | The icon shall also use a color that contrasts with the |
| 15 | | background color of the Web page or is otherwise |
| 16 | | distinguishable. |
| 17 | | (3) A text link that hyperlinks to a Web page on which |
| 18 | | the actual privacy policy is posted, if the text link is |
| 19 | | located on the homepage or first significant page after |
| 20 | | entering the Web site, and if the text link does one of the |
| 21 | | following: |
| 22 | | (A) Includes the word "privacy". |
| 23 | | (B) Is written in capital letters equal to or |
| 24 | | greater in size than the surrounding text. |
| 25 | | (C) Is written in larger type than the surrounding |
|
| | SB1833 Engrossed | - 13 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | text, or in contrasting type, font, or color to the |
| 2 | | surrounding text of the same size, or set off from the |
| 3 | | surrounding text of the same size by symbols or other |
| 4 | | marks that call attention to the language. |
| 5 | | (4) Any other functional hyperlink that is displayed in |
| 6 | | a noticeable manner. |
| 7 | | (5) In the case of an online service, any other |
| 8 | | reasonably accessible means of making the privacy policy |
| 9 | | available for a consumer of the online service. |
| 10 | | "Operator" means any person or entity that owns a Web site |
| 11 | | located on the Internet or an online service that collects and |
| 12 | | maintains personal information from a consumer residing in |
| 13 | | Illinois who uses or visits the Web site or online service if |
| 14 | | the Web site or online service is operated for commercial |
| 15 | | purposes. It does not include any third party that operates, |
| 16 | | hosts, or manages, but does not own, a Web site or online |
| 17 | | service on the owner's behalf or by processing information on |
| 18 | | behalf of the owner. |
| 19 | | (b) An operator of a commercial Web site or online service |
| 20 | | that collects personal information through the Internet about |
| 21 | | individual consumers residing in Illinois who use or visit its |
| 22 | | commercial Web site or online service shall conspicuously post |
| 23 | | its privacy policy on its Web site or online service. An |
| 24 | | operator shall be in violation of this subdivision only if the |
| 25 | | operator fails to post its policy within 30 days after being |
| 26 | | notified of noncompliance. |
|
| | SB1833 Engrossed | - 14 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | (c) The privacy policy required by subsection (b) shall, at |
| 2 | | a minimum, do the following: |
| 3 | | (1) Identify the categories of personal information |
| 4 | | that the operator collects through the Web site or online |
| 5 | | service about individual consumers who use or visit its |
| 6 | | commercial Web site or online service and the categories of |
| 7 | | third-party persons or entities with whom the operator may |
| 8 | | share that personal information. |
| 9 | | (2) If the operator maintains a process for an |
| 10 | | individual consumer who uses or visits its commercial Web |
| 11 | | site or online service to review and request changes to any |
| 12 | | of his or her personal information that is collected |
| 13 | | through the Web site or online service, provide a |
| 14 | | description of that process. |
| 15 | | (3) Describe the process by which the operator notifies |
| 16 | | consumers who use or visit its commercial Web site or |
| 17 | | online service of material changes to the operator's |
| 18 | | privacy policy for that Web site or online service. |
| 19 | | (4) Identify its effective date. |
| 20 | | (5) Disclose how the operator responds to Web browser |
| 21 | | "do not track" signals or other mechanisms that provide |
| 22 | | consumers the ability to exercise choice regarding the |
| 23 | | collection of personal information about an individual |
| 24 | | consumer's online activities over time and across |
| 25 | | third-party Web sites or online services, if the operator |
| 26 | | engages in that collection. |
|
| | SB1833 Engrossed | - 15 - | LRB099 09064 JLS 31312 b |
|
|
| 1 | | (6) Disclose whether other parties may collect |
| 2 | | personal information about an individual consumer's online |
| 3 | | activities over time and across different Web sites or |
| 4 | | online services when a consumer uses the operator's Web |
| 5 | | site or online service. |
| 6 | | An operator may satisfy the requirement of paragraph (5) by |
| 7 | | providing a clear and conspicuous hyperlink in the operator's |
| 8 | | privacy policy to an online location containing a description, |
| 9 | | including the effects, of any program or protocol the operator |
| 10 | | follows that offers the consumer that choice.
|