SB1833ham001 99TH GENERAL ASSEMBLY

Rep. Ann Williams

Filed: 5/11/2015

09900SB1833ham001

LRB099 09064 JLS 35392 a

1 AMENDMENT TO SENATE BILL 1833

2 AMENDMENT NO. ______. Amend Senate Bill 1833 on page 1 by

3 replacing line 5 with the following:

4 "amended by changing Sections 5, 10, and 12 and adding Sections

5 45,"; and

6 on page 1, line 6, by changing "and 50" to "50, and 55"; and

7 on page 2, line 4, by changing "history." to "history,

8 including, but not limited to, consumer profiles that are based

9 upon the information. "Consumer marketing information" does

10 not include information related to a consumer's online browsing

11 history, online search history, or purchasing history held by a

12 data collector that has a direct relationship with the

13 consumer."; and

14 on page 2, line 7, by changing "is" to "is stored and"; and

09900SB1833ham001

- 2 -

LRB099 09064 JLS 35392 a

1 on page 2, line 8, by changing "the device" to "an individual";

2 and

3 on page 3, line 14, by changing "data" to "data generated from

4 measurements or analysis of human body characteristics that

5 could be used to identify an individual"; and

6 on page 3, line 23, by changing "name" to "name, when not part

7 of an individual's surname"; and

8 on page 5, line 2, by changing "information"" to "information",

9 excluding geolocation information and consumer marketing

10 information"; and

11 on page 8, line 4, by changing "that" to "that owns or licenses

12 personal information and"; and

13 on page 8, line 9, by changing "A description of the" to "The

14 types of"; and

15 on page 8, line 20, by changing "2 days before" to "when"; and

16 on page 9, line 12, by changing "A description of the" to "The

17 types of"; and

18 on page 10 by replacing lines 10 through 18 with the following:

09900SB1833ham001

- 3 -

LRB099 09064 JLS 35392 a

1 "(f) Upon receiving notification from a data collector of a

2 breach of personal information, the Attorney General may

3 publish the name of the data collector that suffered the

4 breach, the types of personal information compromised in the

5 breach, and the date range of the breach."; and

6 on page 10 by inserting immediately below line 19 the

7 following:

8 "(815 ILCS 530/12)

9 Sec. 12. Notice of breach; State agency.

10 (a) Any State agency that collects personal information,

11 excluding geolocation and consumer marketing information,

12 concerning an Illinois resident shall notify the resident at no

13 charge that there has been a breach of the security of the

14 system data or written material following discovery or

15 notification of the breach. The disclosure notification shall

16 be made in the most expedient time possible and without

17 unreasonable delay, consistent with any measures necessary to

18 determine the scope of the breach and restore the reasonable

19 integrity, security, and confidentiality of the data system.

20 The disclosure notification to an Illinois resident shall

21 include, but need not be limited to information as follows:

22 (1) With respect to personal information defined in

23 Section 5 in paragraph (1) of the definition of "personal

24 information": ~~,~~

09900SB1833ham001

- 4 -

LRB099 09064 JLS 35392 a

1 (i) the toll-free numbers and addresses for

2 consumer reporting agencies; ~~,~~

3 (ii) the toll-free number, address, and website

4 address for the Federal Trade Commission; ~~,~~ and

5 (iii) a statement that the individual can obtain

6 information from these sources about fraud alerts and

7 security freezes.

8 (2) With respect to personal information as defined in

9 Section 5 in paragraph (2) of the definition of "personal

10 information", notice may be provided in electronic or other

11 form directing the Illinois resident whose personal

12 information has been breached to promptly change his or her

13 user name or password and security question or answer, as

14 applicable, or to take other steps appropriate to protect

15 all online accounts for which the resident uses the same

16 user name or email address and password or security

17 question and answer.

18 The notification shall not, however, include information

19 concerning the number of Illinois residents affected by the

20 breach.

21 (a-5) The notification to an Illinois resident required by

22 subsection (a) of this Section may be delayed if an appropriate

23 law enforcement agency determines that notification will

24 interfere with a criminal investigation and provides the State

25 agency with a written request for the delay. However, the State

26 agency must notify the Illinois resident as soon as

09900SB1833ham001

- 5 -

LRB099 09064 JLS 35392 a

1 notification will no longer interfere with the investigation.

2 (b) For purposes of this Section, notice to residents may

3 be provided by one of the following methods:

4 (1) written notice;

5 (2) electronic notice, if the notice provided is

6 consistent with the provisions regarding electronic

7 records and signatures for notices legally required to be

8 in writing as set forth in Section 7001 of Title 15 of the

9 United States Code; or

10 (3) substitute notice, if the State agency

11 demonstrates that the cost of providing notice would exceed

12 $250,000 or that the affected class of subject persons to

13 be notified exceeds 500,000, or the State agency does not

14 have sufficient contact information. Substitute notice

15 shall consist of all of the following: (i) email notice if

16 the State agency has an email address for the subject

17 persons; (ii) conspicuous posting of the notice on the

18 State agency's web site page if the State agency maintains

19 one; and (iii) notification to major statewide media.

20 (c) Notwithstanding subsection (b), a State agency that

21 maintains its own notification procedures as part of an

22 information security policy for the treatment of personal

23 information and is otherwise consistent with the timing

24 requirements of this Act shall be deemed in compliance with the

25 notification requirements of this Section if the State agency

26 notifies subject persons in accordance with its policies in the

09900SB1833ham001

- 6 -

LRB099 09064 JLS 35392 a

1 event of a breach of the security of the system data or written

2 material.

3 (d) If a State agency is required to notify more than 1,000

4 persons of a breach of security pursuant to this Section, the

5 State agency shall also notify, without unreasonable delay, all

6 consumer reporting agencies that compile and maintain files on

7 consumers on a nationwide basis, as defined by 15 U.S.C.

8 Section 1681a(p), of the timing, distribution, and content of

9 the notices. Nothing in this subsection (d) shall be construed

10 to require the State agency to provide to the consumer

11 reporting agency the names or other personal identifying

12 information of breach notice recipients.

13 (e) Notice to Attorney General.

14 (1) Any State agency that suffers a single breach of

15 the security of the data concerning the personal

16 information of more than 250 Illinois residents shall

17 provide notice to the Attorney General of the breach,

18 including:

19 (A) The categories of personal information

20 compromised in the breach.

21 (B) The number of Illinois residents affected by

22 such incident at the time of notification.

23 (C) Any steps the State agency has taken or plans

24 to take relating to notification of the breach to

25 consumers.

26 (D) The date and timeframe of the breach, if known

09900SB1833ham001

- 7 -

LRB099 09064 JLS 35392 a

1 at the time notification is provided.

2 Such notification must be made within 30 business days

3 of the State agency's discovery of the security breach or

4 when the State agency provides any notice to consumers

5 required by this Section, whichever is sooner, unless the

6 State agency has good cause for reasonable delay to

7 determine the scope of the breach and restore the

8 integrity, security, and confidentiality of the data

9 system, or when law enforcement requests in writing to

10 withhold disclosure of some or all of the information

11 required in the notification under this Section. If the

12 date or timeframe of the breach is unknown at the time the

13 notice is sent to the Attorney General, the State agency

14 shall send the Attorney General the date or timeframe of

15 the breach as soon as possible.

16 (Source: P.A. 97-483, eff. 1-1-12.)"; and

17 on page 11 by deleting lines 17 through 22; and

18 on page 11, line 23, by changing "(e)" to "(d)"; and

19 on page 13, line 23, by replacing "online service" with ", in

20 the case of an operator of an online service, make the policy

21 available in accordance with paragraph (5) of subsection (a) of

22 this Section"; and

09900SB1833ham001

- 8 -

LRB099 09064 JLS 35392 a

1 on page 15 by inserting immediately below line 10 the

2 following:

3 "(815 ILCS 530/55 new)

4 Sec. 55. Entities subject to the federal Health Insurance

5 Portability and Accountability Act of 1996. Any covered entity

6 or business associate that is subject to and in compliance with

7 the privacy and security standards for the protection of

8 electronic health information established pursuant to the

9 federal Health Insurance Portability and Accountability Act of

10 1996 and the Health Information Technology for Economic and

11 Clinical Health Act shall be deemed to be in compliance with

12 the provisions of this Act, provided that any covered entity or

13 business associate required to provide notification of a breach

14 to the Secretary of Health and Human Services pursuant to the

15 Health Information Technology for Economic and Clinical Health

16 Act also provides such notification to the Attorney General

17 within 5 business days of notifying the Secretary.".