HB1633 Enrolled LRB094 07564 RXD 37732 b

    AN ACT concerning business.

    Be it enacted by the People of the State of Illinois,
represented in the General Assembly:

    Section 1. Short title. This Act may be cited as the
Personal Information Protection Act.

    Section 5. Definitions. In this Act:
    "Data Collector" may include, but is not limited to,
government agencies, public and private universities,
privately and publicly held corporations, financial
institutions, retail operators, and any other entity that, for
any purpose, handles, collects, disseminates, or otherwise
deals with nonpublic personal information.
    "Breach of the security of the system data" means
unauthorized acquisition of computerized data that compromises
the security, confidentiality, or integrity of personal
information maintained by the data collector. "Breach of the
security of the system data" does not include good faith
acquisition of personal information by an employee or agent of
the data collector for a legitimate purpose of the data
collector, provided that the personal information is not used
for a purpose unrelated to the data collector's business or
subject to further unauthorized disclosure.
    "Personal information" means an individual's first name or
first initial and last name in combination with any one or more
of the following data elements, when either the name or the
data elements are not encrypted or redacted:
        (1) Social Security number.
        (2) Driver's license number or State identification
    card number.
        (3) Account number or credit or debit card number, or
    an account number or credit card number in combination with
    any required security code, access code, or password that
    would permit access to an individual's financial account.
"Personal information" does not include publicly available
information that is lawfully made available to the general
public from federal, State, or local government records.

    Section 10. Notice of Breach.
    (a) Any data collector that owns or licenses personal
information concerning an Illinois resident shall notify the
resident that there has been a breach of the security of the
system data following discovery or notification of the breach.
The disclosure notification shall be made in the most expedient
time possible and without unreasonable delay, consistent with
any measures necessary to determine the scope of the breach and
restore the reasonable integrity, security, and
confidentiality of the data system.
    (b) Any data collector that maintains computerized data
that includes personal information that the data collector does
not own or license shall notify the owner or licensee of the
information of any breach of the security of the data
immediately following discovery, if the personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person.
    (c) For purposes of this Section, notice to consumers may
be provided by one of the following methods:
        (1) written notice;
        (2) electronic notice, if the notice provided is
    consistent with the provisions regarding electronic
    records and signatures for notices legally required to be
    in writing as set forth in Section 7001 of Title 15 of the
    United States Code; or
        (3) substitute notice, if the data collector
    demonstrates that the cost of providing notice would exceed
    $250,000 or that the affected class of subject persons to
    be notified exceeds 500,000, or the data collector does not
    have sufficient contact information. Substitute notice
    shall consist of all of the following: (i) email notice if
    the data collector has an email address for the subject
    persons; (ii) conspicuous posting of the notice on the data
    collector's web site page if the data collector maintains
    one; and (iii) notification to major statewide media.
    (d) Notwithstanding subsection (c), a data collector that
maintains its own notification procedures as part of an
information security policy for the treatment of personal
information and is otherwise consistent with the timing
requirements of this Act, shall be deemed in compliance with
the notification requirements of this Section if the data
collector notifies subject persons in accordance with its
policies in the event of a breach of the security of the system
data.

    Section 15. Waiver. Any waiver of the provisions of this
Act is contrary to public policy and is void and unenforceable.

    Section 20. Violation. A violation of this Act constitutes
an unlawful practice under the Consumer Fraud and Deceptive
Business Practices Act.

    Section 900. The Consumer Fraud and Deceptive Business
Practices Act is amended by changing Section 2Z as follows:

    (815 ILCS 505/2Z)  (from Ch. 121 1/2, par. 262Z)
    Sec. 2Z. Violations of other Acts. Any person who knowingly
violates the Automotive Repair Act, the Home Repair and
Remodeling Act, the Dance Studio Act, the Physical Fitness
Services Act, the Hearing Instrument Consumer Protection Act,
the Illinois Union Label Act, the Job Referral and Job Listing
Services Consumer Protection Act, the Travel Promotion
Consumer Protection Act, the Credit Services Organizations
Act, the Automatic Telephone Dialers Act, the Pay-Per-Call
Services Consumer Protection Act, the Telephone Solicitations
Act, the Illinois Funeral or Burial Funds Act, the Cemetery
Care Act, the Safe and Hygienic Bed Act, the Pre-Need Cemetery
Sales Act, the High Risk Home Loan Act, subsection (a) or (b)
of Section 3-10 of the Cigarette Tax Act, subsection (a) or (b)
of Section 3-10 of the Cigarette Use Tax Act, the Electronic
Mail Act, paragraph (6) of subsection (k) of Section 6-305 of
the Illinois Vehicle Code, or the Automatic Contract Renewal
Act, or the Personal Information Protection Act commits an
unlawful practice within the meaning of this Act.
(Source: P.A. 92-426, eff. 1-1-02; 93-561, eff. 1-1-04; 93-950,
eff. 1-1-05.)