|
| | SB1624 Enrolled | | LRB101 10546 JLS 55652 b |
|
|
1 | | AN ACT concerning business.
|
2 | | Be it enacted by the People of the State of Illinois,
|
3 | | represented in the General Assembly:
|
4 | | Section 5. The Personal Information Protection Act is |
5 | | amended by changing Section 10 as follows: |
6 | | (815 ILCS 530/10) |
7 | | Sec. 10. Notice of breach ; notice to Attorney General . |
8 | | (a) Any data collector that owns or licenses personal |
9 | | information concerning an Illinois resident shall notify the
|
10 | | resident at no charge that there has been a breach of the |
11 | | security of the
system data following discovery or notification |
12 | | of the breach.
The disclosure notification shall be made in the |
13 | | most
expedient time possible and without unreasonable delay,
|
14 | | consistent with any measures necessary to determine the
scope |
15 | | of the breach and restore the reasonable integrity,
security, |
16 | | and confidentiality of the data system. The disclosure |
17 | | notification to an Illinois resident shall include, but need |
18 | | not be limited to, information as follows: |
19 | | (1) With respect to personal information as defined in |
20 | | Section 5 in paragraph (1) of the definition of "personal |
21 | | information": |
22 | | (A) the toll-free numbers and addresses for |
23 | | consumer reporting agencies; |
|
| | SB1624 Enrolled | - 2 - | LRB101 10546 JLS 55652 b |
|
|
1 | | (B) the toll-free number, address, and website |
2 | | address for the Federal Trade Commission; and |
3 | | (C) a statement that the individual can obtain |
4 | | information from these sources about fraud alerts and |
5 | | security freezes. |
6 | | (2) With respect to personal information defined in |
7 | | Section 5 in paragraph (2) of the definition of "personal |
8 | | information", notice may be provided in electronic or other |
9 | | form directing the Illinois resident whose personal |
10 | | information has been breached to promptly change his or her |
11 | | user name or password and security question or answer, as |
12 | | applicable, or to take other steps appropriate to protect |
13 | | all online accounts for which the resident uses the same |
14 | | user name or email address and password or security |
15 | | question and answer. |
16 | | The notification shall not, however, include information |
17 | | concerning the number of Illinois residents affected by the |
18 | | breach. |
19 | | (b) Any data collector that maintains or stores, but does |
20 | | not own or license, computerized data that
includes personal |
21 | | information that the data collector does not own or license |
22 | | shall notify the owner or licensee of the information of any |
23 | | breach of the security of the data immediately following |
24 | | discovery, if the personal information was, or is reasonably |
25 | | believed to have been, acquired by
an unauthorized person. In |
26 | | addition to providing such notification to the owner or |
|
| | SB1624 Enrolled | - 3 - | LRB101 10546 JLS 55652 b |
|
|
1 | | licensee, the data collector shall cooperate with the owner or |
2 | | licensee in matters relating to the breach. That cooperation |
3 | | shall include, but need not be limited to, (i) informing the |
4 | | owner or licensee of the breach, including giving notice of the |
5 | | date or approximate date of the breach and the nature of the |
6 | | breach, and (ii) informing the owner or licensee of any steps |
7 | | the data collector has taken or plans to take relating to the |
8 | | breach. The data collector's cooperation shall not, however, be |
9 | | deemed to require either the disclosure of confidential |
10 | | business information or trade secrets or the notification of an |
11 | | Illinois resident who may have been affected by the breach.
|
12 | | (b-5) The notification to an Illinois resident required by |
13 | | subsection (a) of this Section may be delayed if an appropriate |
14 | | law enforcement agency determines that notification will |
15 | | interfere with a criminal investigation and provides the data |
16 | | collector with a written request for the delay. However, the |
17 | | data collector must notify the Illinois resident as soon as |
18 | | notification will no longer interfere with the investigation.
|
19 | | (c) For purposes of this Section, notice to consumers may |
20 | | be provided by one of the following methods:
|
21 | | (1) written notice; |
22 | | (2) electronic notice, if the notice provided is
|
23 | | consistent with the provisions regarding electronic
|
24 | | records and signatures for notices legally required to be
|
25 | | in writing as set forth in Section 7001 of Title 15 of the |
26 | | United States Code;
or |
|
| | SB1624 Enrolled | - 4 - | LRB101 10546 JLS 55652 b |
|
|
1 | | (3) substitute notice, if the data collector
|
2 | | demonstrates that the cost of providing notice would exceed
|
3 | | $250,000 or that the affected class of subject persons to |
4 | | be notified exceeds 500,000, or the data collector does not
|
5 | | have sufficient contact information. Substitute notice |
6 | | shall consist of all of the following: (i) email notice if |
7 | | the data collector has an email address for the subject |
8 | | persons; (ii) conspicuous posting of the notice on the data
|
9 | | collector's web site page if the data collector maintains
|
10 | | one; and (iii) notification to major statewide media or, if |
11 | | the breach impacts residents in one geographic area, to |
12 | | prominent local media in areas where affected individuals |
13 | | are likely to reside if such notice is reasonably |
14 | | calculated to give actual notice to persons whom notice is |
15 | | required. |
16 | | (d) Notwithstanding any other subsection in this Section, a |
17 | | data collector
that maintains its own notification procedures |
18 | | as part of an
information security policy for the treatment of |
19 | | personal
information and is otherwise consistent with the |
20 | | timing requirements of this Act, shall be deemed in compliance
|
21 | | with the notification requirements of this Section if the
data |
22 | | collector notifies subject persons in accordance with its |
23 | | policies in the event of a breach of the security of the system |
24 | | data.
|
25 | | (e)(1) This subsection does not apply to data collectors |
26 | | that are covered entities or business associates and are in |
|
| | SB1624 Enrolled | - 5 - | LRB101 10546 JLS 55652 b |
|
|
1 | | compliance with Section 50. |
2 | | (2) Any data collector required to issue notice pursuant to |
3 | | this Section to more than 500 Illinois residents as a result of |
4 | | a single breach of the security system shall provide notice to |
5 | | the Attorney General of the breach, including: |
6 | | (A) A description of the nature of the breach of |
7 | | security or unauthorized acquisition
or use. |
8 | | (B) The number of Illinois residents affected by such |
9 | | incident at the time of notification. |
10 | | (C) Any steps the data collector has taken or plans to |
11 | | take relating to the incident. |
12 | | Such notification must be made in the most expedient time |
13 | | possible and without unreasonable delay but in no event later |
14 | | than when the data collector provides notice to consumers |
15 | | pursuant to this Section. If the date of the breach is unknown |
16 | | at the time the notice is sent to the Attorney General, the |
17 | | data collector shall send the Attorney General the date of the |
18 | | breach as soon as possible. |
19 | | Upon receiving notification from a data collector of a |
20 | | breach of personal information, the Attorney General may |
21 | | publish the name of the data collector that suffered the |
22 | | breach, the types of personal information compromised in the |
23 | | breach, and the date range of the breach. |
24 | | (Source: P.A. 99-503, eff. 1-1-17; 100-201, eff. 8-18-17.)
|