|
|
|||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||
| 1 | AN ACT concerning business.
| ||||||||||||||||||||||||||||||||
| 2 | Be it enacted by the People of the State of Illinois,
| ||||||||||||||||||||||||||||||||
| 3 | represented in the General Assembly:
| ||||||||||||||||||||||||||||||||
| 4 | Section 5. The Personal Information Protection Act is | ||||||||||||||||||||||||||||||||
| 5 | amended by changing Sections 5, 10, and 12 and by adding | ||||||||||||||||||||||||||||||||
| 6 | Sections 35 and 40 as follows: | ||||||||||||||||||||||||||||||||
| 7 | (815 ILCS 530/5)
| ||||||||||||||||||||||||||||||||
| 8 | Sec. 5. Definitions. In this Act: | ||||||||||||||||||||||||||||||||
| 9 | "Data Collector" may include, but is not limited to,
| ||||||||||||||||||||||||||||||||
| 10 | government agencies, public and private universities,
| ||||||||||||||||||||||||||||||||
| 11 | privately and publicly held corporations, financial
| ||||||||||||||||||||||||||||||||
| 12 | institutions, retail operators, and any other entity that, for | ||||||||||||||||||||||||||||||||
| 13 | any purpose, handles, collects, disseminates, or otherwise
| ||||||||||||||||||||||||||||||||
| 14 | deals with nonpublic personal information.
| ||||||||||||||||||||||||||||||||
| 15 | "Breach of the security of the system data" or "breach" | ||||||||||||||||||||||||||||||||
| 16 | means
unauthorized acquisition or use of computerized data that | ||||||||||||||||||||||||||||||||
| 17 | compromises the security, confidentiality, or integrity of | ||||||||||||||||||||||||||||||||
| 18 | personal information maintained by the data collector. "Breach | ||||||||||||||||||||||||||||||||
| 19 | of the security of the system data" does not include good faith
| ||||||||||||||||||||||||||||||||
| 20 | acquisition of personal information by an employee or agent of
| ||||||||||||||||||||||||||||||||
| 21 | the data collector for a legitimate purpose of the data
| ||||||||||||||||||||||||||||||||
| 22 | collector, provided that the personal information is not used
| ||||||||||||||||||||||||||||||||
| 23 | for a purpose unrelated to the data collector's business or
| ||||||||||||||||||||||||||||||||
| |||||||
| |||||||
| 1 | subject to further unauthorized disclosure.
| ||||||
| 2 | "Personal information" means an individual's first name or | ||||||
| 3 | first initial and last name in combination with any one or more
| ||||||
| 4 | of the following data elements, when either the name or the | ||||||
| 5 | data elements are not encrypted or redacted:
| ||||||
| 6 | (1) Social Security number. | ||||||
| 7 | (2) Driver's license number or State identification
| ||||||
| 8 | card number.
| ||||||
| 9 | (3) Account number or credit or debit card number, or | ||||||
| 10 | an
account number or credit card number in combination with
| ||||||
| 11 | any required security code, access code, or password that
| ||||||
| 12 | would permit access to an individual's financial account.
| ||||||
| 13 | "Personal information" does not include publicly available
| ||||||
| 14 | information that is lawfully made available to the general
| ||||||
| 15 | public from federal, State, or local government records.
| ||||||
| 16 | (Source: P.A. 94-36, eff. 1-1-06.) | ||||||
| 17 | (815 ILCS 530/10)
| ||||||
| 18 | Sec. 10. Notice of Breach. | ||||||
| 19 | (a) Any data collector that owns or licenses personal | ||||||
| 20 | information concerning an Illinois resident shall notify the
| ||||||
| 21 | resident at no charge that there has been a breach of the | ||||||
| 22 | security of the
system data following discovery or notification | ||||||
| 23 | of the breach.
The disclosure notification shall be made in the | ||||||
| 24 | most
expedient time possible and without unreasonable delay,
| ||||||
| 25 | consistent with any measures necessary to determine the
scope | ||||||
| |||||||
| |||||||
| 1 | of the breach and restore the reasonable integrity,
security, | ||||||
| 2 | and confidentiality of the data system. The disclosure | ||||||
| 3 | notification to an Illinois resident shall include, but need | ||||||
| 4 | not be limited to, information concerning (i) the resident's | ||||||
| 5 | right to obtain a police report relating to the breach, (ii) | ||||||
| 6 | how the resident may request a security freeze pursuant to | ||||||
| 7 | Section 2MM of the Consumer Fraud and Deceptive Business | ||||||
| 8 | Practices Act and the necessary information that must be | ||||||
| 9 | provided when requesting the security freeze, and (iii) any | ||||||
| 10 | fees that must be paid to a consumer reporting agency in | ||||||
| 11 | connection with a request for a security freeze. The | ||||||
| 12 | notification shall not, however, include information | ||||||
| 13 | concerning the nature of the breach or the number of Illinois | ||||||
| 14 | residents affected by the breach. | ||||||
| 15 | In addition, a data collector that owns or licenses such | ||||||
| 16 | personal information shall notify the Attorney General of the | ||||||
| 17 | breach. The notification to the Attorney General shall include, | ||||||
| 18 | but need not be limited to, information concerning (i) the | ||||||
| 19 | nature of the breach, (ii) the number of Illinois residents | ||||||
| 20 | affected by the breach at the time of notification, and (iii) | ||||||
| 21 | any steps the data collector has taken or plans to take | ||||||
| 22 | relating to the breach.
| ||||||
| 23 | (b) Any data collector that maintains or stores, but does | ||||||
| 24 | not own or license, computerized data that
includes personal | ||||||
| 25 | information that the data collector does not own or license | ||||||
| 26 | shall notify the owner or licensee of the information of any | ||||||
| |||||||
| |||||||
| 1 | breach of the security of the data immediately following | ||||||
| 2 | discovery, if the personal information was, or is reasonably | ||||||
| 3 | believed to have been, acquired by
an unauthorized person. In | ||||||
| 4 | addition to providing such notification to the owner or | ||||||
| 5 | licensee, the data collector shall cooperate with the owner or | ||||||
| 6 | licensee in matters relating to the breach. That cooperation | ||||||
| 7 | shall include, but need not be limited to, (i) informing the | ||||||
| 8 | owner or licensee of the breach, including giving notice of the | ||||||
| 9 | date or approximate date of the breach and the nature of the | ||||||
| 10 | breach, and (ii) informing the owner or licensee of any steps | ||||||
| 11 | the data collector has taken or plans to take relating to the | ||||||
| 12 | breach. The data collector's cooperation shall not, however, be | ||||||
| 13 | deemed to require either the disclosure of confidential | ||||||
| 14 | business information or trade secrets or the notification of an | ||||||
| 15 | Illinois resident who may have been affected by the breach.
| ||||||
| 16 | (b-5) The notification to an Illinois resident required by | ||||||
| 17 | subsection (a) of this Section may be delayed if an appropriate | ||||||
| 18 | law enforcement agency determines that notification will | ||||||
| 19 | interfere with a criminal investigation and provides the data | ||||||
| 20 | collector with a written request for the delay. However, the | ||||||
| 21 | data collector must notify the Illinois resident as soon as | ||||||
| 22 | notification will no longer interfere with the investigation.
| ||||||
| 23 | (c) For purposes of this Section, notice to consumers may | ||||||
| 24 | be provided by one of the following methods:
| ||||||
| 25 | (1) written notice; | ||||||
| 26 | (2) electronic notice, if the notice provided is
| ||||||
| |||||||
| |||||||
| 1 | consistent with the provisions regarding electronic
| ||||||
| 2 | records and signatures for notices legally required to be
| ||||||
| 3 | in writing as set forth in Section 7001 of Title 15 of the | ||||||
| 4 | United States Code;
or | ||||||
| 5 | (3) substitute notice, if the data collector
| ||||||
| 6 | demonstrates that the cost of providing notice would exceed
| ||||||
| 7 | $250,000 or that the affected class of subject persons to | ||||||
| 8 | be notified exceeds 500,000, or the data collector does not
| ||||||
| 9 | have sufficient contact information. Substitute notice | ||||||
| 10 | shall consist of all of the following: (i) email notice if | ||||||
| 11 | the data collector has an email address for the subject | ||||||
| 12 | persons; (ii) conspicuous posting of the notice on the data
| ||||||
| 13 | collector's web site page if the data collector maintains
| ||||||
| 14 | one; and (iii) notification to major statewide media. | ||||||
| 15 | (d) Notwithstanding subsection (c), a data collector
that | ||||||
| 16 | maintains its own notification procedures as part of an
| ||||||
| 17 | information security policy for the treatment of personal
| ||||||
| 18 | information and is otherwise consistent with the timing | ||||||
| 19 | requirements of this Act, shall be deemed in compliance
with | ||||||
| 20 | the notification requirements of this Section if the
data | ||||||
| 21 | collector notifies subject persons in accordance with its | ||||||
| 22 | policies in the event of a breach of the security of the system | ||||||
| 23 | data.
| ||||||
| 24 | (Source: P.A. 94-36, eff. 1-1-06; 94-947, eff. 6-27-06.) | ||||||
| 25 | (815 ILCS 530/12)
| ||||||
| |||||||
| |||||||
| 1 | Sec. 12. Notice of breach; State agency. | ||||||
| 2 | (a) Any State agency that collects personal information | ||||||
| 3 | concerning an Illinois resident shall notify the
resident at no | ||||||
| 4 | charge that there has been a breach of the security of the
| ||||||
| 5 | system data or written material following discovery or | ||||||
| 6 | notification of the breach.
The disclosure notification shall | ||||||
| 7 | be made in the most
expedient time possible and without | ||||||
| 8 | unreasonable delay,
consistent with any measures necessary to | ||||||
| 9 | determine the
scope of the breach and restore the reasonable | ||||||
| 10 | integrity,
security, and confidentiality of the data system. | ||||||
| 11 | The disclosure notification to an Illinois resident shall | ||||||
| 12 | include, but need not be limited to, information concerning (i) | ||||||
| 13 | the resident's right to obtain a police report relating to the | ||||||
| 14 | breach, (ii) how the resident may request a security freeze | ||||||
| 15 | pursuant to Section 2MM of the Consumer Fraud and Deceptive | ||||||
| 16 | Business Practices Act and the necessary information that must | ||||||
| 17 | be provided when requesting the security freeze, and (iii) any | ||||||
| 18 | fees that must be paid to a consumer reporting agency in | ||||||
| 19 | connection with a request for a security freeze. The | ||||||
| 20 | notification to an Illinois resident shall not, however, | ||||||
| 21 | include information concerning the nature of the breach or the | ||||||
| 22 | number of Illinois residents affected by the breach. | ||||||
| 23 | (b) For purposes of this Section, notice to residents may | ||||||
| 24 | be provided by one of the following methods:
| ||||||
| 25 | (1) written notice;
| ||||||
| 26 | (2) electronic notice, if the notice provided is
| ||||||
| |||||||
| |||||||
| 1 | consistent with the provisions regarding electronic
| ||||||
| 2 | records and signatures for notices legally required to be
| ||||||
| 3 | in writing as set forth in Section 7001 of Title 15 of the | ||||||
| 4 | United States Code;
or
| ||||||
| 5 | (3) substitute notice, if the State agency
| ||||||
| 6 | demonstrates that the cost of providing notice would exceed
| ||||||
| 7 | $250,000 or that the affected class of subject persons to | ||||||
| 8 | be notified exceeds 500,000, or the State agency does not
| ||||||
| 9 | have sufficient contact information. Substitute notice | ||||||
| 10 | shall consist of all of the following: (i) email notice if | ||||||
| 11 | the State agency has an email address for the subject | ||||||
| 12 | persons; (ii) conspicuous posting of the notice on the | ||||||
| 13 | State agency's web site page if the State agency maintains
| ||||||
| 14 | one; and (iii) notification to major statewide media.
| ||||||
| 15 | (c) Notwithstanding subsection (b), a State agency
that | ||||||
| 16 | maintains its own notification procedures as part of an
| ||||||
| 17 | information security policy for the treatment of personal
| ||||||
| 18 | information and is otherwise consistent with the timing | ||||||
| 19 | requirements of this Act shall be deemed in compliance
with the | ||||||
| 20 | notification requirements of this Section if the
State agency | ||||||
| 21 | notifies subject persons in accordance with its policies in the | ||||||
| 22 | event of a breach of the security of the system data or written | ||||||
| 23 | material.
| ||||||
| 24 | (d) If a State agency is required to notify more than 1,000 | ||||||
| 25 | persons of a breach of security pursuant to this Section, the | ||||||
| 26 | State agency shall also notify, without unreasonable delay, all | ||||||
| |||||||
| |||||||
| 1 | consumer reporting agencies that compile and maintain files on | ||||||
| 2 | consumers on a nationwide basis, as defined by 15 U.S.C. | ||||||
| 3 | Section 1681a(p), of the timing, distribution, and content of | ||||||
| 4 | the notices. Nothing in this subsection (d) shall be construed | ||||||
| 5 | to require the State agency to provide to the consumer | ||||||
| 6 | reporting agency the names or other personal identifying | ||||||
| 7 | information of breach notice recipients.
| ||||||
| 8 | (Source: P.A. 94-947, eff. 6-27-06.) | ||||||
| 9 | (815 ILCS 530/35 new) | ||||||
| 10 | Sec. 35. Attorney General's duties; data collector; State | ||||||
| 11 | agencies. | ||||||
| 12 | (a) Upon receiving notification of a breach of the security | ||||||
| 13 | of the
system data from a data collector under subsection (a) | ||||||
| 14 | of Section 10, the Attorney General shall identify any relevant | ||||||
| 15 | consumer reporting agency or State agency, as deemed | ||||||
| 16 | appropriate by the Attorney General, and forward the names of | ||||||
| 17 | the identified consumer reporting agencies and State agencies | ||||||
| 18 | to the data collector who provided the notification. The data | ||||||
| 19 | collector shall thereafter, as soon as practicable and without | ||||||
| 20 | unreasonable delay, also provide notification of the breach to | ||||||
| 21 | each consumer reporting agency and State agency identified by | ||||||
| 22 | the Attorney General. | ||||||
| 23 | (b) A State agency that receives notification of a breach | ||||||
| 24 | of the security of the
system data from a data collector under | ||||||
| 25 | subsection (a) of this Section shall provide written | ||||||
| |||||||
| |||||||
| 1 | notification of the nature and circumstances of the breach to | ||||||
| 2 | the Department of Central Management Services as soon as | ||||||
| 3 | practicable and without unreasonable delay. The agency shall | ||||||
| 4 | thereafter comply with all policies and procedures adopted by | ||||||
| 5 | the Department of Central Management Services pertaining to the | ||||||
| 6 | reporting and investigation of a breach of the security of the
| ||||||
| 7 | system data. | ||||||
| 8 | (815 ILCS 530/40 new) | ||||||
| 9 | Sec. 40. Disposal of materials containing personal | ||||||
| 10 | information; Attorney General. | ||||||
| 11 | (a) In this Section, "person" means: a natural person; a | ||||||
| 12 | corporation, partnership, association, or other legal entity; | ||||||
| 13 | a unit of local government or any agency, department, division, | ||||||
| 14 | bureau, board, commission, or committee thereof; or the State | ||||||
| 15 | of Illinois or any constitutional officer, agency, department, | ||||||
| 16 | division, bureau, board, commission, or committee thereof. | ||||||
| 17 | (b) When disposing of materials containing personal | ||||||
| 18 | information, a person must meet the following minimum standards | ||||||
| 19 | for proper disposal of such materials: | ||||||
| 20 | (1) Paper documents containing personal information | ||||||
| 21 | must be either redacted, burned, pulverized, or shredded so | ||||||
| 22 | that personal information cannot practicably be read or | ||||||
| 23 | reconstructed. | ||||||
| 24 | (2) Electronic media and other non-paper media | ||||||
| 25 | containing personal information must be destroyed or | ||||||
| |||||||
| |||||||
| 1 | erased so that personal information cannot practicably be | ||||||
| 2 | read or reconstructed. | ||||||
| 3 | (c) Any person disposing of materials containing personal | ||||||
| 4 | information may contract with a third party to dispose of such | ||||||
| 5 | materials in accordance with this Section. Any third party that | ||||||
| 6 | contracts with a person to dispose of materials containing | ||||||
| 7 | personal information must implement and monitor compliance | ||||||
| 8 | with policies and procedures that prohibit unauthorized access | ||||||
| 9 | to or acquisition of or use of personal information during the | ||||||
| 10 | collection, transportation, and disposal of materials | ||||||
| 11 | containing personal information. | ||||||
| 12 | (d) Any person who violates this Section is subject to a | ||||||
| 13 | civil penalty of not more than $100 for each individual with | ||||||
| 14 | respect to whom personal information is disposed of in | ||||||
| 15 | violation of this Section. A civil penalty may not, however, | ||||||
| 16 | exceed $50,000 for each instance of improper disposal of | ||||||
| 17 | materials containing personal information. The Attorney | ||||||
| 18 | General may impose a civil penalty after notice to the person | ||||||
| 19 | accused of violating this Section and an opportunity for that | ||||||
| 20 | person to be heard in the matter. The Attorney General may file | ||||||
| 21 | a civil action in the circuit court to recover any penalty | ||||||
| 22 | imposed under this Section. | ||||||
| 23 | (e) In addition to the authority to impose a civil penalty | ||||||
| 24 | under subsection (d), the Attorney General may bring an action | ||||||
| 25 | in the circuit court to remedy a violation of this Section, | ||||||
| 26 | seeking any appropriate relief.
| ||||||