TITLE 86: REVENUE
CHAPTER I: DEPARTMENT OF REVENUE
PART 850 LOCAL GOVERNMENT REVENUE RECAPTURE ACT AND CERTIFIED AUDIT PILOT PROGRAM
SECTION 850.125 CONFIDENTIALITY REQUIREMENTS FOR THIRD PARTIES

Section 850.125  Confidentiality Requirements for Third Parties

a)         The Local Government Revenue Recapture Act has strict protocols regarding third parties' handling of taxpayers' financial information. A third party may use the financial information it receives from the contracting municipality or county only for the purpose of providing services to the municipality or county as specified in the Act and may not use the information for any other purpose. Electronic data submitted to third parties by the contracting municipality or county must be accessible only to third parties who have entered into a confidentiality agreement with the municipality or county or who have an existing contract with the municipality or county. [50 ILCS 355/5-15]  Any work product containing financial information a third party has received from the contracting municipality or county and any referral made by the third party are subject to the same confidentiality requirements set out in this Section as the taxpayer's financial information itself.

b)         Third parties may not permanently retain this information or any work product containing such information and must permanently destroy any physical copies of the financial information or any work product containing such information if the taxpayer is not referred to the Department within 30 days after receipt of the taxpayer's financial information from a local government, unless the third party is monitoring disbursements from the Department on an ongoing basis for a local government, in which case the financial information or any work product containing such information shall be destroyed no later than 3 years after receipt. The third party also must dispose of the information or any work product containing such information within 30 days after the third party submits a taxpayer audit referral to the Department.

c)         Third parties must dispose of financial information or any work product containing such information in a manner that renders it unreadable, unusable, and undecipherable. Proper disposal methods include, but are not limited to, the following:

1)         in the case of paper documents, burning, pulverizing, or shredding so that the information cannot practicably be read or reconstructed; and

2)         in the case of electronic media and other non-paper media containing information, destroying or erasing so that information cannot practicably be read, reconstructed, or otherwise utilized by the third party or others.  [50 ILCS 355/5-20]

d)         Third parties are prohibited from selling, leasing, trading, marketing, or otherwise utilizing or profiting from a taxpayer's financial information, except for a fee as negotiated by the local government. Third parties may not permanently or temporarily collect, capture, purchase, use, receive through trade, or otherwise retain a taxpayer's financial information except as authorized in the Act. Third parties may not disclose, share, or otherwise disseminate a taxpayer's financial information.  (See 50 ILCS 355/5-20).

e)         Third parties must adhere to the following standards for the safeguarding of digital information:

1)         The third party has confidentiality standards for storing encrypted data at rest, using a cryptographic algorithm, that conform to the Federal Information Processing Standard (FIPS) Publication 140-2, or conform to similar security requirements contained in any successor publication;

2)         The third party uses multi-factor authentication;

3)         The third party uses HTTPS with at least TLS 1.2 or its successor to protect the data files while in transit between a browser and server;

4)         The third party adheres to best practices as recommended by the Open Web Application Security Project (OWASP);

5)         The third party has a firewall that protects against unauthorized use of the data;

6)         The third party maintains and shall continue to maintain at all times a physical location in Illinois; and

7)         The third party only transfers and receives information using end to end encryption and password protected files. [50 ILCS 355/5-35(a)]

f)         Violations by Third Parties.

1)         Any third party who violates any provision of this Act shall be subject to the penalties set forth in Section 11 of the Retailers' Occupation Tax Act.

2)         Any third party who violates Section 5-20 of the Act is subject to a civil penalty of not more than $10,000 for each taxpayer with respect to whom financial information is improperly disclosed, profited from, or disposed of in violation of that Section.

3)         The Attorney General may impose a civil penalty not to exceed $50,000 for each instance of improper disposal of materials containing financial information.

A)        The Attorney General may impose a civil penalty after notice to the person accused of violating Section 5-20 of the Act and an opportunity for that person to be heard in the matter.

B)        The Attorney General may file a civil action in the circuit court to recover any penalty imposed for a violation of Section 5-20 of the Act.

4)         In addition to the authority to impose a civil penalty under Section 5-60 of the Act, the Attorney General may bring an action in the circuit court to remedy a violation of Section 5-60 of the Act, seeking any appropriate relief. [50 ILCS 355/5-60]