|
Public Act 099-0503
|
| HB1260 Enrolled | LRB099 05116 JLS 25145 b |
|
|
AN ACT concerning business.
|
Be it enacted by the People of the State of Illinois, |
represented in the General Assembly:
|
Section 5. The Personal Information Protection Act is |
amended by changing Sections 5, 10, and 12 and adding Sections |
45 and 50 as follows:
|
(815 ILCS 530/5)
|
Sec. 5. Definitions. In this Act: |
"Data Collector" may include, but is not limited to,
|
government agencies, public and private universities,
|
privately and publicly held corporations, financial
|
institutions, retail operators, and any other entity that, for |
any purpose, handles, collects, disseminates, or otherwise
|
deals with nonpublic personal information.
|
"Breach of the security of the system data" or "breach" |
means
unauthorized acquisition of computerized data that |
compromises the security, confidentiality, or integrity of |
personal information maintained by the data collector. "Breach |
of the security of the system data" does not include good faith
|
acquisition of personal information by an employee or agent of
|
the data collector for a legitimate purpose of the data
|
collector, provided that the personal information is not used
|
for a purpose unrelated to the data collector's business or
|
|
subject to further unauthorized disclosure.
|
"Health insurance information" means an individual's |
health insurance policy number or subscriber identification |
number, any unique identifier used by a health insurer to |
identify the individual, or any medical information in an |
individual's health insurance application and claims history, |
including any appeals records. |
"Medical information" means any information regarding an |
individual's medical history, mental or physical condition, or |
medical treatment or diagnosis by a healthcare professional, |
including such information provided to a website or mobile |
application. |
"Personal information" means either of the following: |
(1) an individual's first name or first initial and |
last name in combination with any one or more
of the |
following data elements, when either the name or the data |
elements are not encrypted or redacted or are encrypted or |
redacted but the keys to unencrypt or unredact or otherwise |
read the name or data elements have been acquired without |
authorization through the breach of security:
|
(A) (1) Social Security number. |
(B) (2) Driver's license number or State |
identification
card number.
|
(C) (3) Account number or credit or debit card |
number, or an
account number or credit card number in |
combination with
any required security code, access |
|
code, or password that
would permit access to an |
individual's financial account.
|
(D) Medical information. |
(E) Health insurance information. |
(F) Unique biometric data generated from |
measurements or technical analysis of human body |
characteristics used by the owner or licensee to |
authenticate an individual, such as a fingerprint, |
retina or iris image, or other unique physical |
representation or digital representation of biometric |
data. |
(2) user name or email address, in combination with a |
password or security question and answer that would permit |
access to an online account, when either the user name or |
email address or password or security question and answer |
are not encrypted or redacted or are encrypted or redacted |
but the keys to unencrypt or unredact or otherwise read the |
data elements have been obtained through the breach of |
security. |
"Personal information" does not include publicly available
|
information that is lawfully made available to the general
|
public from federal, State, or local government records.
|
(Source: P.A. 97-483, eff. 1-1-12.)
|
(815 ILCS 530/10)
|
Sec. 10. Notice of Breach. |
|
(a) Any data collector that owns or licenses personal |
information concerning an Illinois resident shall notify the
|
resident at no charge that there has been a breach of the |
security of the
system data following discovery or notification |
of the breach.
The disclosure notification shall be made in the |
most
expedient time possible and without unreasonable delay,
|
consistent with any measures necessary to determine the
scope |
of the breach and restore the reasonable integrity,
security, |
and confidentiality of the data system. The disclosure |
notification to an Illinois resident shall include, but need |
not be limited to, information as follows: |
(1) With respect to personal information as defined in |
Section 5 in paragraph (1) of the definition of "personal |
information": |
(A) (i) the toll-free numbers and addresses for |
consumer reporting agencies; , |
(B) (ii) the toll-free number, address, and |
website address for the Federal Trade Commission; , and |
(C) (iii) a statement that the individual can |
obtain information from these sources about fraud |
alerts and security freezes. |
The notification shall not, however, include information |
concerning the number of Illinois residents affected by the |
breach. |
(2) With respect to personal information defined in |
Section 5 in paragraph (2) of the definition of "personal |
|
information", notice may be provided in electronic or other |
form directing the Illinois resident whose personal |
information has been breached to promptly change his or her |
user name or password and security question or answer, as |
applicable, or to take other steps appropriate to protect |
all online accounts for which the resident uses the same |
user name or email address and password or security |
question and answer. |
(b) Any data collector that maintains or stores, but does |
not own or license, computerized data that
includes personal |
information that the data collector does not own or license |
shall notify the owner or licensee of the information of any |
breach of the security of the data immediately following |
discovery, if the personal information was, or is reasonably |
believed to have been, acquired by
an unauthorized person. In |
addition to providing such notification to the owner or |
licensee, the data collector shall cooperate with the owner or |
licensee in matters relating to the breach. That cooperation |
shall include, but need not be limited to, (i) informing the |
owner or licensee of the breach, including giving notice of the |
date or approximate date of the breach and the nature of the |
breach, and (ii) informing the owner or licensee of any steps |
the data collector has taken or plans to take relating to the |
breach. The data collector's cooperation shall not, however, be |
deemed to require either the disclosure of confidential |
business information or trade secrets or the notification of an |
|
Illinois resident who may have been affected by the breach.
|
(b-5) The notification to an Illinois resident required by |
subsection (a) of this Section may be delayed if an appropriate |
law enforcement agency determines that notification will |
interfere with a criminal investigation and provides the data |
collector with a written request for the delay. However, the |
data collector must notify the Illinois resident as soon as |
notification will no longer interfere with the investigation.
|
(c) For purposes of this Section, notice to consumers may |
be provided by one of the following methods:
|
(1) written notice; |
(2) electronic notice, if the notice provided is
|
consistent with the provisions regarding electronic
|
records and signatures for notices legally required to be
|
in writing as set forth in Section 7001 of Title 15 of the |
United States Code;
or |
(3) substitute notice, if the data collector
|
demonstrates that the cost of providing notice would exceed
|
$250,000 or that the affected class of subject persons to |
be notified exceeds 500,000, or the data collector does not
|
have sufficient contact information. Substitute notice |
shall consist of all of the following: (i) email notice if |
the data collector has an email address for the subject |
persons; (ii) conspicuous posting of the notice on the data
|
collector's web site page if the data collector maintains
|
one; and (iii) notification to major statewide media or, if |
|
the breach impacts residents in one geographic area, to |
prominent local media in areas where affected individuals |
are likely to reside if such notice is reasonably |
calculated to give actual notice to persons whom notice is |
required. |
(d) Notwithstanding any other subsection in this Section, a |
data collector
that maintains its own notification procedures |
as part of an
information security policy for the treatment of |
personal
information and is otherwise consistent with the |
timing requirements of this Act, shall be deemed in compliance
|
with the notification requirements of this Section if the
data |
collector notifies subject persons in accordance with its |
policies in the event of a breach of the security of the system |
data.
|
(Source: P.A. 97-483, eff. 1-1-12.)
|
(815 ILCS 530/12)
|
Sec. 12. Notice of breach; State agency. |
(a) Any State agency that collects personal information |
concerning an Illinois resident shall notify the
resident at no |
charge that there has been a breach of the security of the
|
system data or written material following discovery or |
notification of the breach.
The disclosure notification shall |
be made in the most
expedient time possible and without |
unreasonable delay,
consistent with any measures necessary to |
determine the
scope of the breach and restore the reasonable |
|
integrity,
security, and confidentiality of the data system. |
The disclosure notification to an Illinois resident shall |
include, but need not be limited to information as follows: |
(1) With respect to personal information defined in |
Section 5 in paragraph (1) of the definition of "personal |
information": , |
(i) the toll-free numbers and addresses for |
consumer reporting agencies; , |
(ii) the toll-free number, address, and website |
address for the Federal Trade Commission; , and |
(iii) a statement that the individual can obtain |
information from these sources about fraud alerts and |
security freezes. |
(2) With respect to personal information as defined in |
Section 5 in paragraph (2) of the definition of "personal |
information", notice may be provided in electronic or other |
form directing the Illinois resident whose personal |
information has been breached to promptly change his or her |
user name or password and security question or answer, as |
applicable, or to take other steps appropriate to protect |
all online accounts for which the resident uses the same |
user name or email address and password or security |
question and answer. |
The notification shall not, however, include information |
concerning the number of Illinois residents affected by the |
breach. |
|
(a-5) The notification to an Illinois resident required by |
subsection (a) of this Section may be delayed if an appropriate |
law enforcement agency determines that notification will |
interfere with a criminal investigation and provides the State |
agency with a written request for the delay. However, the State |
agency must notify the Illinois resident as soon as |
notification will no longer interfere with the investigation. |
(b) For purposes of this Section, notice to residents may |
be provided by one of the following methods:
|
(1) written notice;
|
(2) electronic notice, if the notice provided is
|
consistent with the provisions regarding electronic
|
records and signatures for notices legally required to be
|
in writing as set forth in Section 7001 of Title 15 of the |
United States Code;
or
|
(3) substitute notice, if the State agency
|
demonstrates that the cost of providing notice would exceed
|
$250,000 or that the affected class of subject persons to |
be notified exceeds 500,000, or the State agency does not
|
have sufficient contact information. Substitute notice |
shall consist of all of the following: (i) email notice if |
the State agency has an email address for the subject |
persons; (ii) conspicuous posting of the notice on the |
State agency's web site page if the State agency maintains
|
one; and (iii) notification to major statewide media.
|
(c) Notwithstanding subsection (b), a State agency
that |
|
maintains its own notification procedures as part of an
|
information security policy for the treatment of personal
|
information and is otherwise consistent with the timing |
requirements of this Act shall be deemed in compliance
with the |
notification requirements of this Section if the
State agency |
notifies subject persons in accordance with its policies in the |
event of a breach of the security of the system data or written |
material.
|
(d) If a State agency is required to notify more than 1,000 |
persons of a breach of security pursuant to this Section, the |
State agency shall also notify, without unreasonable delay, all |
consumer reporting agencies that compile and maintain files on |
consumers on a nationwide basis, as defined by 15 U.S.C. |
Section 1681a(p), of the timing, distribution, and content of |
the notices. Nothing in this subsection (d) shall be construed |
to require the State agency to provide to the consumer |
reporting agency the names or other personal identifying |
information of breach notice recipients.
|
(e) Notice to Attorney General. Any State agency that |
suffers a single breach of the security of the data concerning |
the personal information of more than 250 Illinois residents |
shall provide notice to the Attorney General of the breach, |
including: |
(A) The types of personal information compromised in |
the breach. |
(B) The number of Illinois residents affected by such |
|
incident at the time of notification. |
(C) Any steps the State agency has taken or plans to |
take relating to notification of the breach to consumers. |
(D) The date and timeframe of the breach, if known at |
the time notification is provided. |
Such notification must be made within 45 days of the State |
agency's discovery of the security breach or when the State |
agency provides any notice to consumers required by this |
Section, whichever is sooner, unless the State agency has good |
cause for reasonable delay to determine the scope of the breach |
and restore the integrity, security, and confidentiality of the |
data system, or when law enforcement requests in writing to |
withhold disclosure of some or all of the information required |
in the notification under this Section. If the date or |
timeframe of the breach is unknown at the time the notice is |
sent to the Attorney General, the State agency shall send the |
Attorney General the date or timeframe of the breach as soon as |
possible. |
(Source: P.A. 97-483, eff. 1-1-12.)
|
(815 ILCS 530/45 new) |
Sec. 45. Data security. |
(a) A data collector that owns or licenses, or maintains or |
stores but does not own or license, records that contain |
personal information concerning an Illinois resident shall |
implement and maintain reasonable security measures to protect |
|
those records from unauthorized access, acquisition, |
destruction, use, modification, or disclosure. |
(b) A contract for the disclosure of personal information |
concerning an Illinois resident that is maintained by a data |
collector must include a provision requiring the person to whom |
the information is disclosed to implement and maintain |
reasonable security measures to protect those records from |
unauthorized access, acquisition, destruction, use, |
modification, or disclosure. |
(c) If a state or federal law requires a data collector to |
provide greater protection to records that contain personal |
information concerning an Illinois resident that are |
maintained by the data collector and the data collector is in |
compliance with the provisions of that state or federal law, |
the data collector shall be deemed to be in compliance with the |
provisions of this Section. |
(d) A data collector that is subject to and in compliance |
with the standards established pursuant to Section 501(b) of |
the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801, |
shall be deemed to be in compliance with the provisions of this |
Section.
|
(815 ILCS 530/50 new) |
Sec. 50. Entities subject to the federal Health Insurance |
Portability and Accountability Act of 1996. Any covered entity |
or business associate that is subject to and in compliance with |
|
the privacy and security standards for the protection of |
electronic health information established pursuant to the |
federal Health Insurance Portability and Accountability Act of |
1996 and the Health Information Technology for Economic and |
Clinical Health Act shall be deemed to be in compliance with |
the provisions of this Act, provided that any covered entity or |
business associate required to provide notification of a breach |
to the Secretary of Health and Human Services pursuant to the |
Health Information Technology for Economic and Clinical Health |
Act also provides such notification to the Attorney General |
within 5 business days of notifying the Secretary.
|