Public Act 094-0947
 		





HB4449 Enrolled
LRB094 17445 LCT 52740 b






    AN ACT concerning consumer fraud.

 
    Be it enacted by the People of the State of Illinois,
 
represented in the General Assembly:

 
    Section 5. The Personal Information Protection Act is 
amended  by changing Section 10 and by adding Sections 12, 25, 
and 30 as follows:
 
    (815 ILCS 530/10)

    Sec. 10. Notice of Breach.   
    (a) Any data collector that owns or licenses personal 
information concerning an Illinois resident shall notify the

resident at no charge that there has been a breach of the 
security of the
system data following discovery or notification 
of the breach.
The disclosure notification shall be made in the 
most
expedient time possible and without unreasonable delay,

consistent with any measures necessary to determine the
scope 
of the breach and restore the reasonable integrity,
security, 
and confidentiality of the data system.

    (b) Any data collector that maintains computerized data 
that
includes personal information that the data collector does 
not own or license shall notify the owner or licensee of the 
information of any breach of the security of the data 
immediately following discovery, if the personal information 
was, or is reasonably believed to have been, acquired by
an 
unauthorized person.

    (b-5) The notification required by subsection (a) of this 
Section may be delayed if an appropriate law enforcement agency 
determines that notification will interfere with a criminal 
investigation and provides the data collector with a written 
request for the delay. However, the data collector must notify 
the Illinois resident as soon as notification will no longer 
interfere with the investigation.

    (c) For purposes of this Section, notice to consumers may  
be provided by one of the following methods:

        (1) written notice; 
        (2) electronic notice, if the notice provided is
      
    consistent with the provisions regarding electronic

    records and signatures for notices legally required to be
      
    in writing as set forth in Section 7001 of Title 15 of the      
    United States Code;
or 
        (3) substitute notice, if the data collector
      
    demonstrates that the cost of providing notice would exceed

    $250,000 or that the affected class of subject persons to      
    be notified exceeds 500,000, or the data collector does not

    have sufficient contact information. Substitute notice      
    shall consist of all of the following: (i) email notice if      
    the data collector has an email address for the subject      
    persons; (ii) conspicuous posting of the notice on the data
      
    collector's web site page if the data collector maintains
     
    one; and (iii) notification to major statewide media.  
    (d) Notwithstanding subsection (c), a data collector
that 
maintains its own notification procedures as part of an

information security policy for the treatment of personal

information and is otherwise consistent with the timing 
requirements of this Act, shall be deemed in compliance
with 
the notification requirements of this Section if the
data 
collector notifies subject persons in accordance with its 
policies in the event of a breach of the security of the system 
data.


(Source: P.A. 94-36, eff. 1-1-06.)
 
    (815 ILCS 530/12 new)

    Sec. 12. Notice of breach; State agency.
    (a) Any State agency that collects personal information 
concerning an Illinois resident shall notify the
resident at no 
charge that there has been a breach of the security of the

system data or written material following discovery or 
notification of the breach.
The disclosure notification shall 
be made in the most
expedient time possible and without 
unreasonable delay,
consistent with any measures necessary to 
determine the
scope of the breach and restore the reasonable 
integrity,
security, and confidentiality of the data system.
    (b) For purposes of this Section, notice to residents may  
be provided by one of the following methods:

        (1) written notice;

        (2) electronic notice, if the notice provided is
      
    consistent with the provisions regarding electronic

    records and signatures for notices legally required to be
      
    in writing as set forth in Section 7001 of Title 15 of the      
    United States Code;
or

        (3) substitute notice, if the State agency
      
    demonstrates that the cost of providing notice would exceed

    $250,000 or that the affected class of subject persons to      
    be notified exceeds 500,000, or the State agency does not

    have sufficient contact information. Substitute notice      
    shall consist of all of the following: (i) email notice if      
    the State agency has an email address for the subject      
    persons; (ii) conspicuous posting of the notice on the 
    State agency's web site page if the State agency maintains
     
    one; and (iii) notification to major statewide media.

    (c) Notwithstanding subsection (b), a State agency
that 
maintains its own notification procedures as part of an

information security policy for the treatment of personal

information and is otherwise consistent with the timing 
requirements of this Act shall be deemed in compliance
with the 
notification requirements of this Section if the
State agency 
notifies subject persons in accordance with its policies in the 
event of a breach of the security of the system data or written 
material.

    (d) If a State agency is required to notify more than 1,000 
persons of a breach of security pursuant to this Section, the 
State agency shall also notify, without unreasonable delay, all 
consumer reporting agencies that compile and maintain files on 
consumers on a nationwide basis, as defined by 15 U.S.C. 
Section 1681a(p), of the timing, distribution, and content of 
the notices.  Nothing in this subsection (d) shall be construed 
to require the State agency to provide to the consumer 
reporting agency the names or other personal identifying 
information of breach notice recipients.

 
    (815 ILCS 530/25 new)

    Sec. 25. Annual reporting. Any State agency that collects 
personal data and has had a breach of security of the system 
data or written material shall submit a report within 5 
business days of the discovery or notification of the breach to 
the General Assembly listing the breaches and outlining any 
corrective measures that have been taken to prevent future 
breaches of the security of the system data or written 
material. Any State agency that has submitted a report under 
this Section shall submit an annual report listing all breaches 
of security of the system data or written materials and the 
corrective measures that have been taken to prevent future 
breaches.
 
    (815 ILCS 530/30 new)

    Sec. 30. Safe disposal of information. Any State agency 
that collects personal data that is no longer needed or stored 
at the agency shall dispose of the personal data or written 
material it has collected in such a manner as to ensure the 
security and confidentiality of the material.

 

    Section 99. Effective date. This Act takes effect upon 
becoming law.