AN ACT concerning consumer fraud.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 5. The Personal Information Protection Act is amended by changing Section 10 and by adding Sections 12, 25, and 30 as follows:

(815 ILCS 530/10)

Sec. 10. Notice of Breach.

(a) Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

(b) Any data collector that maintains computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(b-5) The notification required by this Section may be delayed upon a request by law enforcement if a law enforcement agency determines that the notification will impede a criminal investigation. The notification time period required by this Section shall commence after the data collector receives notice from the law enforcement agency that the notification will not compromise the investigation.

(c) For purposes of this Section, notice to consumers may be provided by one of the following methods:

(1) written notice;

(2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or

(3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media.

(d) Notwithstanding subsection (c), a data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed in compliance with the notification requirements of this Section if the data collector notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.

(Source: P.A. 94-36, eff. 1-1-06.)

(815 ILCS 530/12 new)

Sec. 12. Notice of breach; State agency.

(a) Any State agency that collects personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data or written material following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

(b) For purposes of this Section, notice to residents may be provided by one of the following methods:

(1) written notice;

(2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or

(3) substitute notice, if the State agency demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the State agency does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the State agency has an email address for the subject persons; (ii) conspicuous posting of the notice on the State agency's web site page if the State agency maintains one; and (iii) notification to major statewide media.

(c) Notwithstanding subsection (b), a State agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act shall be deemed in compliance with the notification requirements of this Section if the State agency notifies subject persons in accordance with its policies in the event of a breach of the security of the system data or written material.

(d) If a State agency is required to notify more than 1,000 persons of a breach of security pursuant to this Section, the State agency shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notices. Nothing in this subsection (d) shall be construed to require the State agency to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients.

(815 ILCS 530/25 new)

Sec. 25. Annual reporting. Any State agency that collects personal data and has had a breach of security of the system data or written material shall submit a report within 5 business days of the discovery or notification of the breach to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material. Any State agency that has submitted a report under this Section shall submit an annual report listing all breaches of security of the system data or written materials and the corrective measures that have been taken to prevent future breaches.

(815 ILCS 530/30 new)

Sec. 30. Safe disposal of information. Any State agency that collects personal data that is no longer needed or stored at the agency shall dispose of the personal data or written material it has collected in such a manner as to ensure the security and confidentiality of the material.

Section 99. Effective date. This Act takes effect upon becoming law.