HB3375 - 104th General Assembly
AN ACT concerning business.
Be it enacted by the People of the State of Illinois, represented in the General Assembly:
Section 5. The Personal Information Protection Act is amended by changing Section 45 as follows:
(815 ILCS 530/45)
Sec. 45. Data security.
(a) A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
(b) A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
(c) If a state or federal law requires a data collector to provide greater protection to records that contain personal information concerning an Illinois resident that are maintained by the data collector and the data collector is in compliance with the provisions of that state or federal law, the data collector shall be deemed to be in compliance with the provisions of this Section.
(d) A data collector that is subject to and in compliance with the standards established pursuant to Section 501(b) of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801, shall be deemed to be in compliance with the provisions of this Section.
(e) No data collector shall routinely collect the social security number of an Illinois resident without a specific and immediate need. As used in this subsection, "specific and immediate need" includes, but is not limited to, conducting a background check as part of an employee onboarding process and verifying eligibility to work through an I-9 Employment Eligibility Verification form. "Specific and immediate need" does not include patient intake paperwork at a health care facility, unless otherwise required by State or federal law.
(Source: P.A. 99-503, eff. 1-1-17.)
