Full Text of SB1479 94th General Assembly
94TH GENERAL ASSEMBLY
State of Illinois
2005 and 2006 SB1479
Introduced 2/23/2005, by Sen. Ira I. Silverstein

SYNOPSIS AS INTRODUCED:
Creates the Identity Theft Notification Act. Requires any data collector that owns or uses personal information in any form that includes personal information concerning an Illinois resident, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data, without regard for whether the data has been accessed by an unauthorized third party for legal or illegal purposes. Provides that notice may be provided in one of the following ways: (1) written notice; (2) electronic notice; or (3) substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Provides a private right of action for a violation of the Act.
A BILL FOR

SB1479
LRB094 11200 RXD 41888 b

AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Identity Theft Notification Act.

Section 5. Definitions. In this Act:

"Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. "Breach of the security of the system" does not include good faith acquisition of personal information by an employee or agent of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subjected to further unauthorized disclosure.

"Breach of the security of non-computerized data" may include, but is not limited to, unauthorized photocopying, facsimiles, or other paper-based methods of transmitting documents.

"Data collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity which, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with personal information.

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(1) Social security number.

(2) Driver's license number or Illinois State Identification Card number.

(3) Account number, credit or debit card number, if circumstances exist where the number could be used without additional identifying information, access code, or password.

(4) Account passwords or personal identification numbers or other access codes.

(5) Any item listed under paragraphs (1) through (4) when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

Section 10. Security breach; notification.

(a) Any data collector that owns or uses personal information in any form that includes personal information concerning an Illinois resident, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data, without regard for whether the data has been accessed by an unauthorized third party for legal or illegal purposes. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of the law enforcement agency, as provided in subsection (b), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Notice may be provided by one of the following methods:

(1) written notice;

(2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or

(3) substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notification if the person or business has an email address for the person to be notified; (ii) conspicuous posting of the notice on the web site page of the person or business, if the person or business maintains a web site page; and (iii) notification to major statewide media outlets.

The notification required under this subsection (b) may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. Notification shall be made after the law enforcement agency determines that it will not compromise its investigation.

Section 15. Waiver. Any waiver of the provisions of this Act is contrary to public policy and is void and unenforceable.

Section 20. Penalty.

(a) Any customer injured by a violation of this Act may institute a civil action to recover damages.

(b) Any individual personally affected by repeated violations may institute, in a circuit court, an action to enjoin violations of this Act.

(c) The rights and remedies available under this Section are cumulative to each other and to any other rights and remedies available under law.