101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
HB3200

 

Introduced , by Rep. Diane Pappas

 

SYNOPSIS AS INTRODUCED:
 
815 ILCS 530/10

    Amends the Personal Information Protection Act. Provides that if there is a breach of the security of system data, a data collector must notify the Attorney General in addition to the Illinois resident to whom the breach relates. Requires the notice to be provided no later than 5 days after the breach.


LRB101 10070 JLS 55173 b

 

 

A BILL FOR

 

HB3200LRB101 10070 JLS 55173 b

1    AN ACT concerning business.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 5. The Personal Information Protection Act is
5amended by changing Section 10 as follows:
 
6    (815 ILCS 530/10)
7    Sec. 10. Notice of breach.
8    (a) Any data collector that owns or licenses personal
9information concerning an Illinois resident shall notify the
10Attorney General and the resident at no charge that there has
11been a breach of the security of the system data following
12discovery or notification of the breach. The disclosure
13notification shall be made in the most expedient time possible,
14but no later than 5 days after the breach and without
15unreasonable delay, consistent with any measures necessary to
16determine the scope of the breach and restore the reasonable
17integrity, security, and confidentiality of the data system.
18The disclosure notification to an Illinois resident shall
19include, but need not be limited to, information as follows:
20        (1) With respect to personal information as defined in
21    Section 5 in paragraph (1) of the definition of "personal
22    information":
23            (A) the toll-free numbers and addresses for

 

 

HB3200- 2 -LRB101 10070 JLS 55173 b

1        consumer reporting agencies;
2            (B) the toll-free number, address, and website
3        address for the Federal Trade Commission; and
4            (C) a statement that the individual can obtain
5        information from these sources about fraud alerts and
6        security freezes.
7        (2) With respect to personal information defined in
8    Section 5 in paragraph (2) of the definition of "personal
9    information", notice may be provided in electronic or other
10    form directing the Illinois resident whose personal
11    information has been breached to promptly change his or her
12    user name or password and security question or answer, as
13    applicable, or to take other steps appropriate to protect
14    all online accounts for which the resident uses the same
15    user name or email address and password or security
16    question and answer.
17    The notification shall not, however, include information
18concerning the number of Illinois residents affected by the
19breach.
20    (b) Any data collector that maintains or stores, but does
21not own or license, computerized data that includes personal
22information that the data collector does not own or license
23shall notify the Attorney General and the owner or licensee of
24the information of any breach of the security of the data
25immediately following discovery, if the personal information
26was, or is reasonably believed to have been, acquired by an

 

 

HB3200- 3 -LRB101 10070 JLS 55173 b

1unauthorized person. In addition to providing such
2notification to the owner or licensee, the data collector shall
3cooperate with the owner or licensee in matters relating to the
4breach. That cooperation shall include, but need not be limited
5to, (i) informing the owner or licensee of the breach,
6including giving notice of the date or approximate date of the
7breach and the nature of the breach, and (ii) informing the
8owner or licensee of any steps the data collector has taken or
9plans to take relating to the breach. The data collector's
10cooperation shall not, however, be deemed to require either the
11disclosure of confidential business information or trade
12secrets or the notification of an Illinois resident who may
13have been affected by the breach.
14    (b-5) The notification to an Illinois resident required by
15subsection (a) of this Section may be delayed if an appropriate
16law enforcement agency determines that notification will
17interfere with a criminal investigation and provides the data
18collector with a written request for the delay. However, the
19data collector must notify the Illinois resident as soon as
20notification will no longer interfere with the investigation.
21    (c) For purposes of this Section, notice to consumers may
22be provided by one of the following methods:
23        (1) written notice;
24        (2) electronic notice, if the notice provided is
25    consistent with the provisions regarding electronic
26    records and signatures for notices legally required to be

 

 

HB3200- 4 -LRB101 10070 JLS 55173 b

1    in writing as set forth in Section 7001 of Title 15 of the
2    United States Code; or
3        (3) substitute notice, if the data collector
4    demonstrates that the cost of providing notice would exceed
5    $250,000 or that the affected class of subject persons to
6    be notified exceeds 500,000, or the data collector does not
7    have sufficient contact information. Substitute notice
8    shall consist of all of the following: (i) email notice if
9    the data collector has an email address for the subject
10    persons; (ii) conspicuous posting of the notice on the data
11    collector's web site page if the data collector maintains
12    one; and (iii) notification to major statewide media or, if
13    the breach impacts residents in one geographic area, to
14    prominent local media in areas where affected individuals
15    are likely to reside if such notice is reasonably
16    calculated to give actual notice to persons whom notice is
17    required.
18    (d) Notwithstanding any other subsection in this Section, a
19data collector that maintains its own notification procedures
20as part of an information security policy for the treatment of
21personal information and is otherwise consistent with the
22timing requirements of this Act, shall be deemed in compliance
23with the notification requirements of this Section if the data
24collector notifies subject persons in accordance with its
25policies in the event of a breach of the security of the system
26data.

 

 

HB3200- 5 -LRB101 10070 JLS 55173 b

1(Source: P.A. 99-503, eff. 1-1-17; 100-201, eff. 8-18-17.)