101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
HB2871

 

Introduced , by Rep. Celina Villanueva

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Data Broker Registration Act. Requires a data broker to annually register with the Secretary of State. Defines "data broker" as a business or unit of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. Provides registration requirements, the duties a data broker has to protect personally identifiable information, and the requirements for an information security program. Effective January 1, 2020.


LRB101 08512 JRG 53589 b

FISCAL NOTE ACT MAY APPLY

 

 

A BILL FOR

 

HB2871LRB101 08512 JRG 53589 b

1    AN ACT concerning regulation.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 1. Short title. This Act may be cited as the Data
5Broker Registration Act.
 
6    Section 5. Definitions.
7    "Brokered personal information" means one or more of the
8following computerized data elements about a consumer, if
9categorized or organized for dissemination to third parties:
10        (1) name;
11        (2) address;
12        (3) date of birth;
13        (4) place of birth;
14        (5) mother's maiden name;
15        (6) unique biometric data generated from measurements
16    or technical analysis of human body characteristics used by
17    the owner or licensee of the data to identify or
18    authenticate the consumer, such as a fingerprint, retina or
19    iris image, or other unique physical representation or
20    digital representation of biometric data;
21        (7) name or address of a member of the consumer's
22    immediate family or household;
23        (8) social security number or other government-issued

 

 

HB2871- 2 -LRB101 08512 JRG 53589 b

1    identification number; or
2        (9) other information that, alone or in combination
3    with the other information sold or licensed, would allow a
4    reasonable person to identify the consumer with reasonable
5    certainty.
6    "Brokered personal information" does not include publicly
7available information to the extent that it is related to a
8consumer's business or profession.
9    "Data broker" means a business or unit of a business,
10separately or together, that knowingly collects and sells or
11licenses to third parties the brokered personal information of
12a consumer with whom the business does not have a direct
13relationship.
14    "Data broker security breach" means an unauthorized
15acquisition or a reasonable belief of an unauthorized
16acquisition of more than one element of brokered personal
17information maintained by a data broker when the brokered
18personal information is not encrypted, redacted, or protected
19by another method that renders the information unreadable or
20unusable by an unauthorized person. "Data broker security
21breach" does not include good faith but unauthorized
22acquisition of brokered personal information by an employee or
23agent of the data broker for a legitimate purpose of the data
24broker if the brokered personal information is not used for a
25purpose unrelated to the data broker's business or subject to
26further unauthorized disclosure.
 

 

 

HB2871- 3 -LRB101 08512 JRG 53589 b

1    Section 10. Annual registration.
2    (a) Annually, on or before January 31 following a year in
3which a person meets the definition of "data broker", a data
4broker shall:
5        (1) register with the Secretary of State;
6        (2) pay a registration fee of $100; and
7        (3) provide the following information:
8            (A) the name and primary physical, email, and
9        Internet addresses of the data broker;
10            (B) if the data broker permits a consumer to opt
11        out of the data broker's collection of brokered
12        personal information, opt out of its databases, or opt
13        out of certain sales of data:
14                (i) the method for requesting an opt-out;
15                (ii) if the opt-out applies to only certain
16            activities or sales, which ones; and
17                (iii) whether the data broker permits a
18            consumer to authorize a third party to perform the
19            opt-out on the consumer's behalf;
20            (C) a statement specifying the data collection,
21        databases, or sales activities from which a consumer
22        may not opt out;
23            (D) a statement whether the data broker implements
24        a purchaser credentialing process;
25            (E) the number of data broker security breaches

 

 

HB2871- 4 -LRB101 08512 JRG 53589 b

1        that the data broker has experienced during the prior
2        year, and if known, the total number of consumers
3        affected by the breaches;
4            (F) where the data broker has actual knowledge that
5        it possesses the brokered personal information of
6        minors, a separate statement detailing the data
7        collection practices, databases, sales activities, and
8        opt-out policies that are applicable to the brokered
9        personal information of minors; and
10            (G) any additional information or explanation the
11        data broker chooses to provide concerning its data
12        collection practices.
13    (b) A data broker that fails to register under subsection
14(a) is liable to the State for:
15        (1) a civil penalty of $50 for each day, not to exceed
16    a total of $10,000 for each year, it fails to register
17    under this Section;
18        (2) an amount equal to the fees due under this Section
19    during the period it failed to register under this Section;
20    and
21        (3) other penalties imposed by law.
22    (c) The Attorney General may maintain an action in circuit
23court to collect the penalties imposed in this Section and to
24seek appropriate injunctive relief.
 
25    Section 15. Duty to protect personally identifiable

 

 

HB2871- 5 -LRB101 08512 JRG 53589 b

1information.
2    (a) A data broker shall develop, implement, and maintain a
3comprehensive information security program that is written in
4one or more readily accessible parts and contains
5administrative, technical, and physical safeguards that are
6appropriate to:
7        (1) the size, scope, and type of business of the data
8    broker obligated to safeguard the personally identifiable
9    information under such comprehensive information security
10    program;
11        (2) the amount of resources available to the data
12    broker;
13        (3) the amount of stored data; and
14        (4) the need for security and confidentiality of
15    personally identifiable information.
16    (b) A data broker subject to this Section shall adopt
17safeguards in the comprehensive security program that are
18consistent with the safeguards for protection of personally
19identifiable information and information of a similar
20character set forth in other State rules or federal regulations
21applicable to the data broker.
 
22    Section 20. Information security program; minimum
23features. A comprehensive information security program shall,
24at minimum, have the following features:
25        (1) designation of one or more employees to maintain

 

 

HB2871- 6 -LRB101 08512 JRG 53589 b

1    the program;
2        (2) identification and assessment of reasonably
3    foreseeable internal and external risks to the security,
4    confidentiality, and integrity of any electronic, paper,
5    or other records containing personally identifiable
6    information and a process for evaluating and improving,
7    where necessary, the effectiveness of the current
8    safeguards for limiting such risks, including:
9            (A) ongoing employee training, including training
10        for temporary and contract employees;
11            (B) employee compliance with policies and
12        procedures; and
13            (C) means for detecting and preventing security
14            system failures;
15        (3) security policies for employees relating to the
16    storage, access, and transportation of records containing
17    personally identifiable information outside business
18    premises;
19        (4) disciplinary measures for violations of the
20    comprehensive information security program rules;
21        (5) measures that prevent terminated employees from
22    accessing records containing personally identifiable
23    information;
24        (6) supervision of service providers by:
25            (A) taking reasonable steps to select and retain
26        third-party service providers that are capable of

 

 

HB2871- 7 -LRB101 08512 JRG 53589 b

1        maintaining appropriate security measures to protect
2        personally identifiable information consistent with
3        applicable law; and
4            (B) requiring third-party service providers by
5        contract to implement and maintain appropriate
6        security measures for personally identifiable
7        information;
8        (7) reasonable restrictions upon physical access to
9    records containing personally identifiable information and
10    storage of the records and data in locked facilities,
11    storage areas, or containers;
12        (8) regular monitoring to ensure that the
13    comprehensive information security program is operating in
14    a manner reasonably calculated to prevent unauthorized
15    access to or unauthorized use of personally identifiable
16    information; and upgrading information safeguards as
17    necessary to limit risks;
18        (9) regular review of the scope of the security
19    measures:
20            (A) at least annually; or
21            (B) whenever there is a material change in business
22        practices that may reasonably implicate the security
23        or integrity of records containing personally
24        identifiable information; and
25        (10) documentation of responsive actions taken in
26    connection with any incident involving a breach of

 

 

HB2871- 8 -LRB101 08512 JRG 53589 b

1    security; and mandatory post-incident review of events and
2    actions taken, if any, to make changes in business
3    practices relating to protection of personally
4    identifiable information.
 
5    Section 25. Information security program; computer system
6security requirements. A comprehensive information security
7program required by this Act shall, at minimum, and to the
8extent technically feasible, have the following elements:
9        (1) secure user authentication protocols, as follows:
10            (A) an authentication protocol that has the
11        following features:
12                (i) control of user IDs and other identifiers;
13                (ii) a reasonably secure method of assigning
14            and selecting passwords or use of unique
15            identifier technologies, such as biometrics or
16            token devices;
17                (iii) control of data security passwords to
18            ensure that such passwords are kept in a location
19            and format that do not compromise the security of
20            the data they protect;
21                (iv) restricting access to only active users
22            and active user accounts; and
23                (v) blocking access to user identification
24            after multiple unsuccessful attempts to gain
25            access; or

 

 

HB2871- 9 -LRB101 08512 JRG 53589 b

1            (B) an authentication protocol that provides a
2        higher level of security than the features specified in
3        subparagraph (A).
4        (2) secure access control measures that:
5            (A) restrict access to records and files
6        containing personally identifiable information to
7        those who need such information to perform their job
8        duties; and
9            (B) assign to each person with computer access
10        unique identifications plus passwords, which are not
11        vendor-supplied default passwords, that are reasonably
12        designed to maintain the integrity of the security of
13        the access controls or a protocol that provides a
14        higher degree of security;
15        (3) encryption of all transmitted records and files
16    containing personally identifiable information that will
17    travel across public networks and encryption of all data
18    containing personally identifiable information to be
19    transmitted wirelessly or a protocol that provides a higher
20    degree of security;
21        (4) reasonable monitoring of systems for unauthorized
22    use of or access to personally identifiable information;
23        (5) encryption of all personally identifiable
24    information stored on laptops or other portable devices or
25    a protocol that provides a higher degree of security;
26        (6) for files containing personally identifiable

 

 

HB2871- 10 -LRB101 08512 JRG 53589 b

1    information on a system that is connected to the Internet,
2    reasonably up-to-date firewall protection and operating
3    system security patches that are reasonably designed to
4    maintain the integrity of the personally identifiable
5    information or a protocol that provides a higher degree of
6    security;
7        (7) reasonably up-to-date versions of system security
8    agent software that must include malware protection and
9    reasonably up-to-date patches and virus definitions, or a
10    version of such software that can still be supported with
11    up-to-date patches and virus definitions and is set to
12    receive the most current security updates on a regular
13    basis or a protocol that provides a higher degree of
14    security; and
15        (8) education and training of employees on the proper
16    use of the computer security system and the importance of
17    personally identifiable information security.
 
18    Section 99. Effective date. This Act takes effect January
191, 2020.