94TH GENERAL ASSEMBLY
State of Illinois
2005 and 2006
SB0209

 

Introduced 2/2/2005, by Sen. Martin A. Sandoval

 

SYNOPSIS AS INTRODUCED:
 
New Act

Creates the Personal Information Protection Act. Requires each financial institution to provide an annual disclosure statement to all persons for whom the financial institution maintains unencrypted personal information concerning measures the financial institution has taken to prevent (i) a breach of the security system and (ii) any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the financial institution. Requires each financial institution to maintain duplicate records of all computerized data at a back-up site located at least 90 miles from the primary site at which the data is stored. Provides that the effectiveness of the back-up site shall be tested annually and requires the results of that test to be included in the annual disclosure statement.


LRB094 05727 MKM 35779 b

 

 

A BILL FOR

 


AN ACT concerning regulation.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Personal Information Protection Act.

Section 5. Definitions. As used in this Act:

"Financial institution" means (i) any bank subject to the Illinois Banking Act, any savings bank subject to the Savings Bank Act, any savings and loan association subject to the Illinois Savings and Loan Act of 1985, or any credit union subject to the Illinois Credit Union Act; (ii) any federally chartered commercial bank, savings bank, savings and loan association, or credit union organized and operated in this State under the laws of the United States; and (iii) any business corporation, limited liability company, business trust, partnership, joint venture, or other entity that is directly or indirectly at least 50% owned by or commonly owned with a financial institution.

"Personal information" means a person's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
    (1) social security number;
    (2) driver's license number or state identification card number; or
    (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to a financial account.
"Personal information" does not include information that is lawfully made available to the public from federal, State, or local government records.
 

 

 


Section 10. Disclosure of measures to prevent security breach. Each financial institution shall provide an annual disclosure statement to all persons for whom the financial institution maintains unencrypted personal information concerning the measures the financial institution has taken to prevent (i) a breach of the security system and (ii) any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the financial institution. If a financial institution maintains computerized data that includes personal information that the financial institution does not own, the financial institution shall provide the annual disclosure statement to the owner or licensee of that information. The disclosure shall include an analysis of the testing of each back-up site, as required under Section 15.

Section 15. Maintenance of duplicate records. Each financial institution shall maintain duplicate records of all computerized data at a back-up site located at least 90 miles from the primary site at which the data is stored. The effectiveness of the back-up site in the event of a breach of the security system at the primary site shall be tested annually.