|
|
|||||||
| |||||||
| |||||||
| 1 | AN ACT concerning State government.
| ||||||
| 2 | Be it enacted by the People of the State of Illinois,
| ||||||
| 3 | represented in the General Assembly:
| ||||||
| 4 | Section 1. Short title. This Act may be cited as the | ||||||
| 5 | Identity Protection Act. | ||||||
| 6 | Section 5. Definitions. In this Act: | ||||||
| 7 | "Identity-protection policy" means any policy created to | ||||||
| 8 | protect social security numbers from unauthorized disclosure.
| ||||||
| 9 | "Local government agency" means that term as it is defined | ||||||
| 10 | in Section 1-8 of the Illinois State Auditing Act.
| ||||||
| 11 | "Person" means any individual in the employ of a State | ||||||
| 12 | agency or local government agency.
| ||||||
| 13 | "Publicly post" or "publicly display" means to | ||||||
| 14 | intentionally communicate or otherwise intentionally make | ||||||
| 15 | available to the general public.
| ||||||
| 16 | "State agency" means that term as it is defined in Section | ||||||
| 17 | 1-7 of the Illinois State Auditing Act.
| ||||||
| 18 | Section 10. Prohibited Activities. | ||||||
| 19 | (a) Beginning July 1, 2010, no person or State or local | ||||||
| 20 | government agency may do any of the following:
| ||||||
| 21 | (1) Publicly post or publicly display in any manner an | ||||||
| 22 | individual's social security number.
| ||||||
| |||||||
| |||||||
| 1 | (2) Print an individual's social security number on any | ||||||
| 2 | card required for the individual to access products or | ||||||
| 3 | services provided by the person or entity.
| ||||||
| 4 | (3) Require an individual to transmit his or her social | ||||||
| 5 | security number over the Internet, unless the connection is | ||||||
| 6 | secure or the social security number is encrypted.
| ||||||
| 7 | (4) Print an individual's social security number on any | ||||||
| 8 | materials that are mailed to the individual, through the | ||||||
| 9 | U.S. Postal Service, any private mail service, electronic | ||||||
| 10 | mail, or any similar method of delivery, unless State or | ||||||
| 11 | federal law requires the social security number to be on | ||||||
| 12 | the document to be mailed. Notwithstanding any provision in | ||||||
| 13 | this Section to the contrary, social security numbers may | ||||||
| 14 | be included in applications forms sent by mail, including, | ||||||
| 15 | but not limited to, any material mailed in connection with | ||||||
| 16 | the administration of the Unemployment Insurance Act, any | ||||||
| 17 | material mailed in connection with any tax administered by | ||||||
| 18 | the Department of Revenue, and documents sent as part of an | ||||||
| 19 | application or enrollment process or to establish, amend, | ||||||
| 20 | or terminate an account, contract, or policy or to confirm | ||||||
| 21 | the accuracy of the social security number. A social | ||||||
| 22 | security number that may permissibly be mailed under this | ||||||
| 23 | Section may not be printed, in whole or in part, on a | ||||||
| 24 | postcard or other mailer that does not require an envelope | ||||||
| 25 | or be visible on an envelope without the envelope having | ||||||
| 26 | been opened.
| ||||||
| |||||||
| |||||||
| 1 | (b) Except as otherwise provided in this Act, beginning | ||||||
| 2 | July 1, 2010, no person or State or local government agency may | ||||||
| 3 | do any of the following:
| ||||||
| 4 | (1) Collect, use, or disclose a social security number | ||||||
| 5 | from an individual, unless (i) required to do so under | ||||||
| 6 | State or federal law, rules, or regulations, or the | ||||||
| 7 | collection, use, or disclosure of the social security | ||||||
| 8 | number is otherwise necessary for the performance of that | ||||||
| 9 | agency's duties and responsibilities; (ii) the need and | ||||||
| 10 | purpose for the social security number is documented before | ||||||
| 11 | collection of the social security number; and (iii) the | ||||||
| 12 | social security number collected is relevant to the | ||||||
| 13 | documented need and purpose.
| ||||||
| 14 | (2) Require an individual to use his or her social | ||||||
| 15 | security number to access an Internet website.
| ||||||
| 16 | (3) Use the social security number for any purpose | ||||||
| 17 | other than the purpose for which it was collected.
| ||||||
| 18 | (c) The prohibitions in subsection (b) do not apply in the | ||||||
| 19 | following circumstances:
| ||||||
| 20 | (1) The disclosure of social security numbers to | ||||||
| 21 | agents, employees, contractors, or subcontractors of a | ||||||
| 22 | governmental entity or disclosure by a governmental entity | ||||||
| 23 | to another governmental entity or its agents, employees, | ||||||
| 24 | contractors, or subcontractors if disclosure is necessary | ||||||
| 25 | in order for the entity to perform its duties and | ||||||
| 26 | responsibilities; and, if disclosing to a contractor or | ||||||
| |||||||
| |||||||
| 1 | subcontractor, prior to such disclosure, the governmental | ||||||
| 2 | entity must first receive from the contractor or | ||||||
| 3 | subcontractor a copy of the contractor's or | ||||||
| 4 | subcontractor's policy that sets forth how the | ||||||
| 5 | requirements imposed under this Act on a governmental | ||||||
| 6 | entity to protect an individual's social security number | ||||||
| 7 | will be achieved.
| ||||||
| 8 | (2) The disclosure of social security numbers pursuant | ||||||
| 9 | to a court order, warrant, or subpoena.
| ||||||
| 10 | (3) The collection, use, or disclosure of social | ||||||
| 11 | security numbers in order to ensure the safety of: State | ||||||
| 12 | and local government employees; persons committed to | ||||||
| 13 | correctional facilities, local jails, and other | ||||||
| 14 | law-enforcement facilities or retention centers; wards of | ||||||
| 15 | the State; and all persons working in or visiting a State | ||||||
| 16 | or local government agency facility.
| ||||||
| 17 | (4) The collection, use, or disclosure of social | ||||||
| 18 | security numbers for internal verification or | ||||||
| 19 | administrative purposes.
| ||||||
| 20 | (5) The disclosure of social security numbers by a | ||||||
| 21 | State agency to any entity for the collection of delinquent | ||||||
| 22 | child support or of any State debt or to a governmental | ||||||
| 23 | agency to assist with an investigation or the prevention of | ||||||
| 24 | fraud.
| ||||||
| 25 | (6) The collection or use of social security numbers to | ||||||
| 26 | investigate or prevent fraud, to conduct background | ||||||
| |||||||
| |||||||
| 1 | checks, to collect a debt, to obtain a credit report from a | ||||||
| 2 | consumer reporting agency under the federal Fair Credit | ||||||
| 3 | Reporting Act, to undertake any permissible purpose that is | ||||||
| 4 | enumerated under the federal Gramm Leach Bliley Act, or to | ||||||
| 5 | locate a missing person, a lost relative, or a person who | ||||||
| 6 | is due a benefit, such as a pension benefit or an unclaimed | ||||||
| 7 | property benefit.
| ||||||
| 8 | (d) If any State or local government agency has adopted | ||||||
| 9 | standards for the collection, use, or disclosure of social | ||||||
| 10 | security numbers that are stricter than the standards under | ||||||
| 11 | this Act with respect to the protection of those social | ||||||
| 12 | security numbers, then, in the event of any conflict with the | ||||||
| 13 | provisions of this Act, the stricter standards adopted by the | ||||||
| 14 | State or local government agency shall control.
| ||||||
| 15 | Section 15. Public inspection and copying of documents. | ||||||
| 16 | Notwithstanding any other provision of this Act to the | ||||||
| 17 | contrary, a person or State or local government agency must | ||||||
| 18 | comply with the provisions of any other State law with respect | ||||||
| 19 | to allowing the public inspection and copying of information or | ||||||
| 20 | documents containing all or any portion of an individual's | ||||||
| 21 | social security number. A person or State or local government | ||||||
| 22 | agency must redact social security numbers from the information | ||||||
| 23 | or documents before allowing the public inspection or copying | ||||||
| 24 | of the information or documents. | ||||||
| |||||||
| |||||||
| 1 | Section 20. Applicability. | ||||||
| 2 | (a) This Act does not apply to the collection, use, or | ||||||
| 3 | disclosure of a social security number as required by State or | ||||||
| 4 | federal law, rule, or regulation.
| ||||||
| 5 | (b) This Act does not apply to documents that are recorded | ||||||
| 6 | with a county recorder or required to be open to the public | ||||||
| 7 | under any State or federal law, rule, or regulation, applicable | ||||||
| 8 | case law, Supreme Court Rule, or the Constitution of the State | ||||||
| 9 | of Illinois. Notwithstanding this Section, county recorders | ||||||
| 10 | must comply with Section 35 of this Act.
| ||||||
| 11 | Section 25. Compliance with federal law. If a federal law | ||||||
| 12 | takes effect requiring any federal agency to establish a | ||||||
| 13 | national unique patient health identifier program, any State or | ||||||
| 14 | local government agency that complies with the federal law | ||||||
| 15 | shall be deemed to be in compliance with this Act. | ||||||
| 16 | Section 30. Embedded social security numbers. Beginning | ||||||
| 17 | December 31, 2009, no person or State or local government | ||||||
| 18 | agency may encode or embed a social security number in or on a | ||||||
| 19 | card or document, including, but not limited to, using a bar | ||||||
| 20 | code, chip, magnetic strip, RFID technology, or other | ||||||
| 21 | technology, in place of removing the social security number as | ||||||
| 22 | required by this Act. | ||||||
| 23 | Section 35. Identity-protection policy; local government. | ||||||
| |||||||
| |||||||
| 1 | (a) Each local government agency must draft and approve an | ||||||
| 2 | identity-protection policy within 12 months after the | ||||||
| 3 | effective date of this Act. The policy must do all of the | ||||||
| 4 | following:
| ||||||
| 5 | (1) Identify this Act.
| ||||||
| 6 | (2) Require all employees of the local government | ||||||
| 7 | agency identified as having access to social security | ||||||
| 8 | numbers in the course of performing their duties to be | ||||||
| 9 | trained to protect the confidentiality of social security | ||||||
| 10 | numbers. Training should include instructions on the | ||||||
| 11 | proper handling of information that contains social | ||||||
| 12 | security numbers from the time of collection through the | ||||||
| 13 | destruction of the information.
| ||||||
| 14 | (3) Direct that only employees who are required to use | ||||||
| 15 | or handle information or documents that contain social | ||||||
| 16 | security numbers have access to such information or | ||||||
| 17 | documents. | ||||||
| 18 | (4) Require that social security numbers requested | ||||||
| 19 | from an individual be provided in a manner that makes the | ||||||
| 20 | social security number easily redacted if required to be | ||||||
| 21 | released as part of a public records request.
| ||||||
| 22 | (5) Require that, when collecting a social security | ||||||
| 23 | number or upon request by the individual, a statement of | ||||||
| 24 | the purpose or purposes for which the agency is collecting | ||||||
| 25 | and using the social security number be provided.
| ||||||
| 26 | (b) Each local government agency must file a written copy | ||||||
| |||||||
| |||||||
| 1 | of its privacy policy with the governing board of the unit of | ||||||
| 2 | local government within 30 days after approval of the policy. | ||||||
| 3 | Each local government agency must advise its employees of the | ||||||
| 4 | existence of the policy and make a copy of the policy available | ||||||
| 5 | to each of its employees, and must also make its privacy policy | ||||||
| 6 | available to any member of the public, upon request. If a local | ||||||
| 7 | government agency amends its privacy policy, then that agency | ||||||
| 8 | must file a written copy of the amended policy with the | ||||||
| 9 | appropriate entity and must also advise its employees of the | ||||||
| 10 | existence of the amended policy and make a copy of the amended | ||||||
| 11 | policy available to each of its employees.
| ||||||
| 12 | (c) Each local government agency must implement the | ||||||
| 13 | components of its identity-protection policy that are | ||||||
| 14 | necessary to meet the requirements of this Act within 12 months | ||||||
| 15 | after the date the identity-protection policy is approved. This | ||||||
| 16 | subsection (c) shall not affect the requirements of Section 10 | ||||||
| 17 | of this Act.
| ||||||
| 18 | Section 37. Identity-protection policy; State. | ||||||
| 19 | (a) Each State agency must draft and approve an | ||||||
| 20 | identity-protection policy within 12 months after the | ||||||
| 21 | effective date of this Act. The policy must do all of the | ||||||
| 22 | following:
| ||||||
| 23 | (1) Identify this Act.
| ||||||
| 24 | (2) Require all employees of the State agency | ||||||
| 25 | identified as having access to social security numbers in | ||||||
| |||||||
| |||||||
| 1 | the course of performing their duties to be trained to | ||||||
| 2 | protect the confidentiality of social security numbers. | ||||||
| 3 | Training should include instructions on proper handling of | ||||||
| 4 | information that contains social security numbers from the | ||||||
| 5 | time of collection through the destruction of the | ||||||
| 6 | information.
| ||||||
| 7 | (3) Direct that only employees who are required to use | ||||||
| 8 | or handle information or documents that contain social | ||||||
| 9 | security numbers have access to such information or | ||||||
| 10 | documents.
| ||||||
| 11 | (4) Require that social security numbers requested | ||||||
| 12 | from an individual be placed in a manner that makes the | ||||||
| 13 | social security number easily redacted if required to be | ||||||
| 14 | released as part of a public records request.
| ||||||
| 15 | (5) Require that, when collecting a social security | ||||||
| 16 | number or upon request by the individual, a statement of | ||||||
| 17 | the purpose or purposes for which the agency is collecting | ||||||
| 18 | and using the social security number be provided.
| ||||||
| 19 | (b) Each State agency must provide a copy of its | ||||||
| 20 | identity-protection policy to the Social Security Number | ||||||
| 21 | Protection Task Force within 30 days after the approval of the | ||||||
| 22 | policy.
| ||||||
| 23 | (c) Each State agency must implement the components of its | ||||||
| 24 | identity-protection policy that are necessary to meet the | ||||||
| 25 | requirements of this Act within 12 months after the date the | ||||||
| 26 | identity-protection policy is approved. This subsection (c) | ||||||
| |||||||
| |||||||
| 1 | shall not affect the requirements of Section 10 of this Act.
| ||||||
| 2 | Section 40. Judicial branch and clerks of courts. The | ||||||
| 3 | judicial branch and clerks of the circuit court are not subject | ||||||
| 4 | to the provisions of this Act, except that the Supreme Court | ||||||
| 5 | shall, under its rulemaking authority or by administrative | ||||||
| 6 | order, adopt requirements applicable to the judicial branch, | ||||||
| 7 | including clerks of the circuit court, regulating the | ||||||
| 8 | disclosure of social security numbers consistent with the | ||||||
| 9 | intent of this Act and the unique circumstances relevant in the | ||||||
| 10 | judicial process. | ||||||
| 11 | Section 45. Violation. Any person who intentionally | ||||||
| 12 | violates the prohibitions in Section 10 of this Act is guilty | ||||||
| 13 | of a Class B misdemeanor. | ||||||
| 14 | Section 50. Home rule. A home rule unit of local | ||||||
| 15 | government, any non-home rule municipality, or any non-home | ||||||
| 16 | rule county may regulate the use of social security numbers, | ||||||
| 17 | but that regulation must be no less restrictive than this Act. | ||||||
| 18 | This Act is a limitation under subsection (i) of Section 6 of | ||||||
| 19 | Article VII of the Illinois Constitution on the concurrent | ||||||
| 20 | exercise by home rule units of powers and functions exercised | ||||||
| 21 | by the State. | ||||||
| 22 | Section 55. This Act does not supersede any more | ||||||
| |||||||
| |||||||
| 1 | restrictive law, rule, or regulation regarding the collection, | ||||||
| 2 | use, or disclosure of social security numbers. | ||||||
| 3 | Section 60. Rulemaking conditions. Rulemaking authority to | ||||||
| 4 | implement this Act, if any, is conditioned on the rules being | ||||||
| 5 | adopted in accordance with all provisions of the Illinois | ||||||
| 6 | Administrative Procedure Act and all rules and procedures of | ||||||
| 7 | the Joint Committee on Administrative Rules; any purported rule | ||||||
| 8 | not so adopted, for whatever reason, is unauthorized. | ||||||
| 9 | Section 90. The State Mandates Act is amended by adding | ||||||
| 10 | Section 8.33 as follows: | ||||||
| 11 | (30 ILCS 805/8.33 new) | ||||||
| 12 | Sec. 8.33. Exempt mandate. Notwithstanding Sections 6 and 8 | ||||||
| 13 | of this Act, no reimbursement by the State is required for the | ||||||
| 14 | implementation of any mandate created by the Identity | ||||||
| 15 | Protection Act.
| ||||||