Rep. Sandra M. Pihos

Filed: 3/31/2009

 

 


 

 


 
09600HB0547ham001 LRB096 05696 RLJ 24761 a

1
AMENDMENT TO HOUSE BILL 547

2     AMENDMENT NO. ______. Amend House Bill 547 by replacing
3 everything after the enacting clause with the following:
 
4     "Section 1. Short title. This Act may be cited as the
5 Identity Protection Act.
 
6     Section 5. Definitions. In this Act:
7     "Identity-protection policy" means any policy created to
8 protect social security numbers from unauthorized disclosure.
9     "Local government agency" means that term as it is defined
10 in Section 1-8 of the Illinois State Auditing Act.
11     "Person" means any individual in the employ of a State
12 agency or local government agency.
13     "Publicly post" or "publicly display" means to
14 intentionally communicate or otherwise intentionally make
15 available to the general public.
16     "State agency" means that term as it is defined in Section

 

 

09600HB0547ham001 - 2 - LRB096 05696 RLJ 24761 a

1 1-7 of the Illinois State Auditing Act.
 
2     Section 10. Prohibited Activities.
3     (a) Beginning July 1, 2010, no person or State or local
4 government agency may do any of the following:
5         (1) Publicly post or publicly display in any manner an
6     individual's social security number.
7         (2) Print an individual's social security number on any
8     card required for the individual to access products or
9     services provided by the person or entity.
10         (3) Require an individual to transmit his or her social
11     security number over the Internet, unless the connection is
12     secure or the social security number is encrypted.
13         (4) Print an individual's social security number on any
14     materials that are mailed to the individual, through the
15     U.S. Postal Service, any private mail service, electronic
16     mail, or any similar method of delivery, unless State or
17     federal law requires the social security number to be on
18     the document to be mailed. Notwithstanding any provision in
19     this Section to the contrary, social security numbers may
20     be included in applications forms sent by mail, including,
21     but not limited to, any material mailed in connection with
22     the administration of the Unemployment Insurance Act, any
23     material mailed in connection with any tax administered by
24     the Department of Revenue, and documents sent as part of an
25     application or enrollment process or to establish, amend,

 

 

09600HB0547ham001 - 3 - LRB096 05696 RLJ 24761 a

1     or terminate an account, contract, or policy or to confirm
2     the accuracy of the social security number. A social
3     security number that may permissibly be mailed under this
4     Section may not be printed, in whole or in part, on a
5     postcard or other mailer that does not require an envelope
6     or be visible on an envelope without the envelope having
7     been opened.
8     (b) Except as otherwise provided in this Act, beginning
9 July 1, 2010, no person or State or local government agency may
10 do any of the following:
11         (1) Collect, use, or disclose a social security number
12     from an individual, unless (i) required to do so under
13     State or federal law, rules, or regulations, or the
14     collection, use, or disclosure of the social security
15     number is otherwise necessary for the performance of that
16     agency's duties and responsibilities; (ii) the need and
17     purpose for the social security number is documented before
18     collection of the social security number; and (iii) the
19     social security number collected is relevant to the
20     documented need and purpose.
21         (2) Require an individual to use his or her social
22     security number to access an Internet website.
23         (3) Use the social security number for any purpose
24     other than the purpose for which it was collected.
25     (c) The prohibitions in subsection (b) do not apply in the
26 following circumstances:

 

 

09600HB0547ham001 - 4 - LRB096 05696 RLJ 24761 a

1         (1) The disclosure of social security numbers to
2     agents, employees, contractors, or subcontractors of a
3     governmental entity or disclosure by a governmental entity
4     to another governmental entity or its agents, employees,
5     contractors, or subcontractors if disclosure is necessary
6     in order for the entity to perform its duties and
7     responsibilities; and, if disclosing to a contractor or
8     subcontractor, prior to such disclosure, the governmental
9     entity must first receive from the contractor or
10     subcontractor a copy of the contractor's or
11     subcontractor's policy that sets forth how the
12     requirements imposed under this Act on a governmental
13     entity to protect an individual's social security number
14     will be achieved.
15         (2) The disclosure of social security numbers pursuant
16     to a court order, warrant, or subpoena.
17         (3) The collection, use, or disclosure of social
18     security numbers in order to ensure the safety of: State
19     and local government employees; persons committed to
20     correctional facilities, local jails, and other
21     law-enforcement facilities or retention centers; wards of
22     the State; and all persons working in or visiting a State
23     or local government agency facility.
24         (4) The collection, use, or disclosure of social
25     security numbers for internal verification or
26     administrative purposes.

 

 

09600HB0547ham001 - 5 - LRB096 05696 RLJ 24761 a

1         (5) The disclosure of social security numbers by a
2     State agency to any entity for the collection of delinquent
3     child support or of any State debt or to a governmental
4     agency to assist with an investigation or the prevention of
5     fraud.
6         (6) The collection or use of social security numbers to
7     investigate or prevent fraud, to conduct background
8     checks, to collect a debt, to obtain a credit report from a
9     consumer reporting agency under the federal Fair Credit
10     Reporting Act, to undertake any permissible purpose that is
11     enumerated under the federal Gramm Leach Bliley Act, or to
12     locate a missing person, a lost relative, or a person who
13     is due a benefit, such as a pension benefit or an unclaimed
14     property benefit.
15     (d) If any State or local government agency has adopted
16 standards for the collection, use, or disclosure of social
17 security numbers that are stricter than the standards under
18 this Act with respect to the protection of those social
19 security numbers, then, in the event of any conflict with the
20 provisions of this Act, the stricter standards adopted by the
21 State or local government agency shall control.
 
22     Section 15. Public inspection and copying of documents.
23 Notwithstanding any other provision of this Act to the
24 contrary, a person or State or local government agency must
25 comply with the provisions of any other State law with respect

 

 

09600HB0547ham001 - 6 - LRB096 05696 RLJ 24761 a

1 to allowing the public inspection and copying of information or
2 documents containing all or any portion of an individual's
3 social security number. A person or State or local government
4 agency must redact social security numbers from the information
5 or documents before allowing the public inspection or copying
6 of the information or documents.
 
7     Section 20. Applicability.
8     (a) This Act does not apply to the collection, use, or
9 disclosure of a social security number as required by State or
10 federal law, rule, or regulation.
11     (b) This Act does not apply to documents that are recorded
12 with a county recorder or required to be open to the public
13 under any State or federal law, rule, or regulation, applicable
14 case law, Supreme Court Rule, or the Constitution of the State
15 of Illinois. Notwithstanding this Section, county recorders
16 must comply with Section 35 of this Act.
 
17     Section 25. Compliance with federal law. If a federal law
18 takes effect requiring any federal agency to establish a
19 national unique patient health identifier program, any State or
20 local government agency that complies with the federal law
21 shall be deemed to be in compliance with this Act.
 
22     Section 30. Embedded social security numbers. Beginning
23 December 31, 2009, no person or State or local government

 

 

09600HB0547ham001 - 7 - LRB096 05696 RLJ 24761 a

1 agency may encode or embed a social security number in or on a
2 card or document, including, but not limited to, using a bar
3 code, chip, magnetic strip, RFID technology, or other
4 technology, in place of removing the social security number as
5 required by this Act.
 
6     Section 35. Identity-protection policy; local government.
7     (a) Each local government agency must draft and approve an
8 identity-protection policy within 12 months after the
9 effective date of this Act. The policy must do all of the
10 following:
11         (1) Identify this Act.
12         (2) Require all employees of the local government
13     agency identified as having access to social security
14     numbers in the course of performing their duties to be
15     trained to protect the confidentiality of social security
16     numbers. Training should include instructions on the
17     proper handling of information that contains social
18     security numbers from the time of collection through the
19     destruction of the information.
20         (3) Direct that only employees who are required to use
21     or handle information or documents that contain social
22     security numbers have access to such information or
23     documents.
24         (4) Require that social security numbers requested
25     from an individual be provided in a manner that makes the

 

 

09600HB0547ham001 - 8 - LRB096 05696 RLJ 24761 a

1     social security number easily redacted if required to be
2     released as part of a public records request.
3         (5) Require that, when collecting a social security
4     number or upon request by the individual, a statement of
5     the purpose or purposes for which the agency is collecting
6     and using the social security number be provided.
7     (b) Each local government agency must file a written copy
8 of its privacy policy with the governing board of the unit of
9 local government within 30 days after approval of the policy.
10 Each local government agency must advise its employees of the
11 existence of the policy and make a copy of the policy available
12 to each of its employees, and must also make its privacy policy
13 available to any member of the public, upon request. If a local
14 government agency amends its privacy policy, then that agency
15 must file a written copy of the amended policy with the
16 appropriate entity and must also advise its employees of the
17 existence of the amended policy and make a copy of the amended
18 policy available to each of its employees.
19     (c) Each local government agency must implement the
20 components of its identity-protection policy that are
21 necessary to meet the requirements of this Act within 12 months
22 after the date the identity-protection policy is approved. This
23 subsection (c) shall not affect the requirements of Section 10
24 of this Act.
 
25     Section 37. Identity-protection policy; State.

 

 

09600HB0547ham001 - 9 - LRB096 05696 RLJ 24761 a

1     (a) Each State agency must draft and approve an
2 identity-protection policy within 12 months after the
3 effective date of this Act. The policy must do all of the
4 following:
5         (1) Identify this Act.
6         (2) Require all employees of the State agency
7     identified as having access to social security numbers in
8     the course of performing their duties to be trained to
9     protect the confidentiality of social security numbers.
10     Training should include instructions on proper handling of
11     information that contains social security numbers from the
12     time of collection through the destruction of the
13     information.
14         (3) Direct that only employees who are required to use
15     or handle information or documents that contain social
16     security numbers have access to such information or
17     documents.
18         (4) Require that social security numbers requested
19     from an individual be placed in a manner that makes the
20     social security number easily redacted if required to be
21     released as part of a public records request.
22         (5) Require that, when collecting a social security
23     number or upon request by the individual, a statement of
24     the purpose or purposes for which the agency is collecting
25     and using the social security number be provided.
26     (b) Each State agency must provide a copy of its

 

 

09600HB0547ham001 - 10 - LRB096 05696 RLJ 24761 a

1 identity-protection policy to the Social Security Number
2 Protection Task Force within 30 days after the approval of the
3 policy.
4     (c) Each State agency must implement the components of its
5 identity-protection policy that are necessary to meet the
6 requirements of this Act within 12 months after the date the
7 identity-protection policy is approved. This subsection (c)
8 shall not affect the requirements of Section 10 of this Act.
 
9     Section 40. Judicial branch and clerks of courts. The
10 judicial branch and clerks of the circuit court are not subject
11 to the provisions of this Act, except that the Supreme Court
12 shall, under its rulemaking authority or by administrative
13 order, adopt requirements applicable to the judicial branch,
14 including clerks of the circuit court, regulating the
15 disclosure of social security numbers consistent with the
16 intent of this Act and the unique circumstances relevant in the
17 judicial process.
 
18     Section 45. Violation. Any person who intentionally
19 violates the prohibitions in Section 10 of this Act is guilty
20 of a Class B misdemeanor.
 
21     Section 50. Home rule. A home rule unit of local
22 government, any non-home rule municipality, or any non-home
23 rule county may regulate the use of social security numbers,

 

 

09600HB0547ham001 - 11 - LRB096 05696 RLJ 24761 a

1 but that regulation must be no less restrictive than this Act.
2 This Act is a limitation under subsection (i) of Section 6 of
3 Article VII of the Illinois Constitution on the concurrent
4 exercise by home rule units of powers and functions exercised
5 by the State.
 
6     Section 55. This Act does not supersede any more
7 restrictive law, rule, or regulation regarding the collection,
8 use, or disclosure of social security numbers.
 
9     Section 60. Rulemaking conditions. Rulemaking authority to
10 implement this Act, if any, is conditioned on the rules being
11 adopted in accordance with all provisions of the Illinois
12 Administrative Procedure Act and all rules and procedures of
13 the Joint Committee on Administrative Rules; any purported rule
14 not so adopted, for whatever reason, is unauthorized.
 
15     Section 90. The State Mandates Act is amended by adding
16 Section 8.33 as follows:
 
17     (30 ILCS 805/8.33 new)
18     Sec. 8.33. Exempt mandate. Notwithstanding Sections 6 and 8
19 of this Act, no reimbursement by the State is required for the
20 implementation of any mandate created by the Identity
21 Protection Act.".