94TH GENERAL ASSEMBLY
State of Illinois
2005 and 2006
SB1899

 

Introduced 2/25/2005, by Sen. Dan Cronin

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Identity Theft Notification Act. Requires any agency, person, or business that conducts business in Illinois and owns or licenses data that includes personal information concerning an Illinois resident to notify the resident that there has been a breach of the security of that data following discovery or notification of the breach. Requires any agency, person, or business that maintains data that includes personal information concerning an Illinois resident and that the agency, person, or business does not own to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been acquired by an unauthorized person. Provides that notice may be provided in one of the following ways: (1) written notice; (2) electronic notice; or (3) substitute notice if the agency, person, or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the agency, person, or business does not have sufficient contact information.


LRB094 11231 RXD 41958 b

 

 

A BILL FOR

 

SB1899 LRB094 11231 RXD 41958 b

1     AN ACT concerning business.
 
2     Be it enacted by the People of the State of Illinois,
3 represented in the General Assembly:
 
4     Section 1. Short title. This Act may be cited as the
5 Identity Theft Notification Act.
 
6     Section 5. Definitions. In this Act:
7     "Breach of the security of the data" means unauthorized
8 acquisition of data that compromises the security and
9 confidentiality of personal information maintained by an
10 agency, person, or business.
11 "Breach of the security of the data" does not include good
12 faith acquisition of personal information by an employee or
13 agent of the agency, person, or business, provided that the
14 personal information is not used for a purpose unrelated to the
15 business of the agency, person, or business or subjected to
16 further unauthorized disclosure.
17     "Personal information" means an individual's first name or
18 first initial and last name in combination with any one or more
19 of the following data elements, when the data elements are not
20 encrypted or redacted:
21         (1) Social security number.
22         (2) Driver's license number or Illinois State
23     Identification Card number.
24         (3) Account number or credit or debit card number,in
25     combination with any required security code, access code,
26     or password that would permit access to an individual's
27     financial account.
28 "Personal information" does not include publicly available
29 information that is lawfully made available to the general
30 public from federal, State, or local government records.
 
31     Section 10. Security breach; notification.

 

 

SB1899 - 2 - LRB094 11231 RXD 41958 b

1     (a) Any agency, person, or business that conducts business
2 in Illinois and that owns or licenses data that includes
3 personal information concerning an Illinois resident shall
4 notify the resident that there has been a breach of the
5 security of that data following discovery or notification of
6 the breach. The notification shall be made in the most
7 expedient time possible and without unreasonable delay,
8 consistent with the legitimate needs of the law enforcement
9 agency, as provided in subsection (d), or any measures
10 necessary to determine the scope of the breach and restore the
11 reasonable security and confidentiality of the data.
12     (b) Any agency, person, or business that maintains data
13 that includes personal information concerning an Illinois
14 resident and that the agency, person, or business does not own
15 shall notify the owner or licensee of the information of any
16 breach of the security of the data immediately following
17 discovery, if the personal information was, or is reasonably
18 believed to have been acquired by an unauthorized person.
19     (c) Notice may be provided by one of the following methods:
20         (1) written notice;
21         (2) electronic notice, if the notice provided is
22     consistent with the provisions regarding electronic
23     records and signatures set forth in Section 7001 of Title
24     15 of the United States Code; or
25         (3) substitute notice, if the agency, person, or
26     business demonstrates that the cost of providing notice
27     would exceed $250,000, or the affected class of persons to
28     be notified exceeds 500,000, or the agency, person, or
29     business does not have sufficient contact information.
30     Substitute notice shall consist of all of the following:
31     (i) email notification if the agency, person, or business
32     has an email address for the person to be notified; (ii)
33     conspicuous posting of the notice on the web site page of
34     the agency, person, or business, if the agency, person, or
35     business maintains a web site page; and (iii) notification
36     to major statewide media outlets.

 

 

SB1899 - 3 - LRB094 11231 RXD 41958 b

1     (d) The notification required under this Section may be
2 delayed if a law enforcement agency determines that the
3 notification will impede a criminal investigation.
4 Notification shall be made after the law enforcement agency
5 determines that it will not compromise its investigation.
6 Notification shall not be required if, as a result of an
7 investigation, the law enforcement agency concludes that
8 personal information was not acquired by an unauthorized
9 person.
10     (e) Notwithstanding subsection (c) of this Section, any
11 agency, person, or business that maintains its own notification
12 procedures as part of an information security policy for the
13 treatment of personal information and is otherwise consistent
14 with the timing requirements of this Section shall be deemed to
15 be in compliance with the notification requirements of this
16 Section if the agency, person, or business notifies the subject
17 persons in accordance with its policies in the event of a
18 breach of security of the data.