102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022
HB3412

 

Introduced 2/22/2021, by Rep. Janet Yang Rohr

 

SYNOPSIS AS INTRODUCED:
 
815 ILCS 530/10

    Amends the Personal Information Protection Act. Provides that if there is a breach of the security of system data, a data collector must notify the Attorney General in addition to the Illinois resident to whom the breach relates. Requires the notice to be provided no later than 5 days after the breach.


LRB102 12757 JLS 18096 b

 

 

A BILL FOR

 

HB3412LRB102 12757 JLS 18096 b

1    AN ACT concerning business.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 5. The Personal Information Protection Act is
5amended by changing Section 10 as follows:
 
6    (815 ILCS 530/10)
7    Sec. 10. Notice of breach; notice to Attorney General.
8    (a) Any data collector that owns or licenses personal
9information concerning an Illinois resident shall notify the
10Attorney General and the resident at no charge that there has
11been a breach of the security of the system data following
12discovery or notification of the breach. The disclosure
13notification shall be made in the most expedient time
14possible, but no later than 5 days after the breach and without
15unreasonable delay, consistent with any measures necessary to
16determine the scope of the breach and restore the reasonable
17integrity, security, and confidentiality of the data system.
18The disclosure notification to an Illinois resident shall
19include, but need not be limited to, information as follows:
20        (1) With respect to personal information as defined in
21    Section 5 in paragraph (1) of the definition of "personal
22    information":
23            (A) the toll-free numbers and addresses for

 

 

HB3412- 2 -LRB102 12757 JLS 18096 b

1        consumer reporting agencies;
2            (B) the toll-free number, address, and website
3        address for the Federal Trade Commission; and
4            (C) a statement that the individual can obtain
5        information from these sources about fraud alerts and
6        security freezes.
7        (2) With respect to personal information defined in
8    Section 5 in paragraph (2) of the definition of "personal
9    information", notice may be provided in electronic or
10    other form directing the Illinois resident whose personal
11    information has been breached to promptly change his or
12    her user name or password and security question or answer,
13    as applicable, or to take other steps appropriate to
14    protect all online accounts for which the resident uses
15    the same user name or email address and password or
16    security question and answer.
17    The notification shall not, however, include information
18concerning the number of Illinois residents affected by the
19breach.
20    (b) Any data collector that maintains or stores, but does
21not own or license, computerized data that includes personal
22information that the data collector does not own or license
23shall notify the Attorney General and the owner or licensee of
24the information of any breach of the security of the data
25immediately following discovery, if the personal information
26was, or is reasonably believed to have been, acquired by an

 

 

HB3412- 3 -LRB102 12757 JLS 18096 b

1unauthorized person. In addition to providing such
2notification to the owner or licensee, the data collector
3shall cooperate with the owner or licensee in matters relating
4to the breach. That cooperation shall include, but need not be
5limited to, (i) informing the owner or licensee of the breach,
6including giving notice of the date or approximate date of the
7breach and the nature of the breach, and (ii) informing the
8owner or licensee of any steps the data collector has taken or
9plans to take relating to the breach. The data collector's
10cooperation shall not, however, be deemed to require either
11the disclosure of confidential business information or trade
12secrets or the notification of an Illinois resident who may
13have been affected by the breach.
14    (b-5) The notification to an Illinois resident required by
15subsection (a) of this Section may be delayed if an
16appropriate law enforcement agency determines that
17notification will interfere with a criminal investigation and
18provides the data collector with a written request for the
19delay. However, the data collector must notify the Illinois
20resident as soon as notification will no longer interfere with
21the investigation.
22    (c) For purposes of this Section, notice to consumers may
23be provided by one of the following methods:
24        (1) written notice;
25        (2) electronic notice, if the notice provided is
26    consistent with the provisions regarding electronic

 

 

HB3412- 4 -LRB102 12757 JLS 18096 b

1    records and signatures for notices legally required to be
2    in writing as set forth in Section 7001 of Title 15 of the
3    United States Code; or
4        (3) substitute notice, if the data collector
5    demonstrates that the cost of providing notice would
6    exceed $250,000 or that the affected class of subject
7    persons to be notified exceeds 500,000, or the data
8    collector does not have sufficient contact information.
9    Substitute notice shall consist of all of the following:
10    (i) email notice if the data collector has an email
11    address for the subject persons; (ii) conspicuous posting
12    of the notice on the data collector's web site page if the
13    data collector maintains one; and (iii) notification to
14    major statewide media or, if the breach impacts residents
15    in one geographic area, to prominent local media in areas
16    where affected individuals are likely to reside if such
17    notice is reasonably calculated to give actual notice to
18    persons whom notice is required.
19    (d) Notwithstanding any other subsection in this Section,
20a data collector that maintains its own notification
21procedures as part of an information security policy for the
22treatment of personal information and is otherwise consistent
23with the timing requirements of this Act, shall be deemed in
24compliance with the notification requirements of this Section
25if the data collector notifies subject persons in accordance
26with its policies in the event of a breach of the security of

 

 

HB3412- 5 -LRB102 12757 JLS 18096 b

1the system data.
2    (e)(1) This subsection does not apply to data collectors
3that are covered entities or business associates and are in
4compliance with Section 50.
5    (2) Any data collector required to issue notice pursuant
6to this Section to more than 500 Illinois residents as a result
7of a single breach of the security system shall provide notice
8to the Attorney General of the breach, including:
9        (A) A description of the nature of the breach of
10    security or unauthorized acquisition or use.
11        (B) The number of Illinois residents affected by such
12    incident at the time of notification.
13        (C) Any steps the data collector has taken or plans to
14    take relating to the incident.
15    Such notification must be made in the most expedient time
16possible and without unreasonable delay but in no event later
17than when the data collector provides notice to consumers
18pursuant to this Section. If the date of the breach is unknown
19at the time the notice is sent to the Attorney General, the
20data collector shall send the Attorney General the date of the
21breach as soon as possible.
22    Upon receiving notification from a data collector of a
23breach of personal information, the Attorney General may
24publish the name of the data collector that suffered the
25breach, the types of personal information compromised in the
26breach, and the date range of the breach.

 

 

HB3412- 6 -LRB102 12757 JLS 18096 b

1(Source: P.A. 100-201, eff. 8-18-17; 101-343, eff. 1-1-20.)