|
|
|||||||
| |||||||
| |||||||
| 1 | AN ACT concerning consumer fraud.
| ||||||
| 2 | Be it enacted by the People of the State of Illinois,
| ||||||
| 3 | represented in the General Assembly:
| ||||||
| 4 | Section 5. The Personal Information Protection Act is | ||||||
| 5 | amended by changing Section 10 and by adding Sections 12, 25, | ||||||
| 6 | and 30 as follows: | ||||||
| 7 | (815 ILCS 530/10)
| ||||||
| 8 | Sec. 10. Notice of Breach. | ||||||
| 9 | (a) Any data collector that owns or licenses personal | ||||||
| 10 | information concerning an Illinois resident shall notify the
| ||||||
| 11 | resident at no charge that there has been a breach of the | ||||||
| 12 | security of the
system data following discovery or notification | ||||||
| 13 | of the breach.
The disclosure notification shall be made in the | ||||||
| 14 | most
expedient time possible and without unreasonable delay,
| ||||||
| 15 | consistent with any measures necessary to determine the
scope | ||||||
| 16 | of the breach and restore the reasonable integrity,
security, | ||||||
| 17 | and confidentiality of the data system.
| ||||||
| 18 | (b) Any data collector that maintains computerized data | ||||||
| 19 | that
includes personal information that the data collector does | ||||||
| 20 | not own or license shall notify the owner or licensee of the | ||||||
| 21 | information of any breach of the security of the data | ||||||
| 22 | immediately following discovery, if the personal information | ||||||
| 23 | was, or is reasonably believed to have been, acquired by
an | ||||||
| 24 | unauthorized person.
| ||||||
| 25 | (b-5) The notification required by this Section may be | ||||||
| 26 | delayed upon a request by law enforcement if a law enforcement | ||||||
| 27 | agency determines that the notification will impede a criminal | ||||||
| 28 | investigation. The notification time period required by this | ||||||
| 29 | Section shall commence after the data collector receives notice | ||||||
| 30 | from the law enforcement agency that the notification will not | ||||||
| 31 | compromise the investigation.
| ||||||
| 32 | (c) For purposes of this Section, notice to consumers may | ||||||
| |||||||
| |||||||
| 1 | be provided by one of the following methods:
| ||||||
| 2 | (1) written notice; | ||||||
| 3 | (2) electronic notice, if the notice provided is
| ||||||
| 4 | consistent with the provisions regarding electronic
| ||||||
| 5 | records and signatures for notices legally required to be
| ||||||
| 6 | in writing as set forth in Section 7001 of Title 15 of the | ||||||
| 7 | United States Code;
or | ||||||
| 8 | (3) substitute notice, if the data collector
| ||||||
| 9 | demonstrates that the cost of providing notice would exceed
| ||||||
| 10 | $250,000 or that the affected class of subject persons to | ||||||
| 11 | be notified exceeds 500,000, or the data collector does not
| ||||||
| 12 | have sufficient contact information. Substitute notice | ||||||
| 13 | shall consist of all of the following: (i) email notice if | ||||||
| 14 | the data collector has an email address for the subject | ||||||
| 15 | persons; (ii) conspicuous posting of the notice on the data
| ||||||
| 16 | collector's web site page if the data collector maintains
| ||||||
| 17 | one; and (iii) notification to major statewide media. | ||||||
| 18 | (d) Notwithstanding subsection (c), a data collector
that | ||||||
| 19 | maintains its own notification procedures as part of an
| ||||||
| 20 | information security policy for the treatment of personal
| ||||||
| 21 | information and is otherwise consistent with the timing | ||||||
| 22 | requirements of this Act, shall be deemed in compliance
with | ||||||
| 23 | the notification requirements of this Section if the
data | ||||||
| 24 | collector notifies subject persons in accordance with its | ||||||
| 25 | policies in the event of a breach of the security of the system | ||||||
| 26 | data.
| ||||||
| 27 | (Source: P.A. 94-36, eff. 1-1-06.) | ||||||
| 28 | (815 ILCS 530/12 new)
| ||||||
| 29 | Sec. 12. Notice of breach; State agency. | ||||||
| 30 | (a) Any State agency that collects personal information | ||||||
| 31 | concerning an Illinois resident shall notify the
resident at no | ||||||
| 32 | charge that there has been a breach of the security of the
| ||||||
| 33 | system data or written material following discovery or | ||||||
| 34 | notification of the breach.
The disclosure notification shall | ||||||
| 35 | be made in the most
expedient time possible and without | ||||||
| |||||||
| |||||||
| 1 | unreasonable delay,
consistent with any measures necessary to | ||||||
| 2 | determine the
scope of the breach and restore the reasonable | ||||||
| 3 | integrity,
security, and confidentiality of the data system. | ||||||
| 4 | (b) For purposes of this Section, notice to residents may | ||||||
| 5 | be provided by one of the following methods:
| ||||||
| 6 | (1) written notice;
| ||||||
| 7 | (2) electronic notice, if the notice provided is
| ||||||
| 8 | consistent with the provisions regarding electronic
| ||||||
| 9 | records and signatures for notices legally required to be
| ||||||
| 10 | in writing as set forth in Section 7001 of Title 15 of the | ||||||
| 11 | United States Code;
or
| ||||||
| 12 | (3) substitute notice, if the State agency
| ||||||
| 13 | demonstrates that the cost of providing notice would exceed
| ||||||
| 14 | $250,000 or that the affected class of subject persons to | ||||||
| 15 | be notified exceeds 500,000, or the State agency does not
| ||||||
| 16 | have sufficient contact information. Substitute notice | ||||||
| 17 | shall consist of all of the following: (i) email notice if | ||||||
| 18 | the State agency has an email address for the subject | ||||||
| 19 | persons; (ii) conspicuous posting of the notice on the | ||||||
| 20 | State agency's web site page if the State agency maintains
| ||||||
| 21 | one; and (iii) notification to major statewide media.
| ||||||
| 22 | (c) Notwithstanding subsection (b), a State agency
that | ||||||
| 23 | maintains its own notification procedures as part of an
| ||||||
| 24 | information security policy for the treatment of personal
| ||||||
| 25 | information and is otherwise consistent with the timing | ||||||
| 26 | requirements of this Act shall be deemed in compliance
with the | ||||||
| 27 | notification requirements of this Section if the
State agency | ||||||
| 28 | notifies subject persons in accordance with its policies in the | ||||||
| 29 | event of a breach of the security of the system data or written | ||||||
| 30 | material.
| ||||||
| 31 | (d) If a State agency is required to notify more than 1,000 | ||||||
| 32 | persons of a breach of security pursuant to this Section, the | ||||||
| 33 | State agency shall also notify, without unreasonable delay, all | ||||||
| 34 | consumer reporting agencies that compile and maintain files on | ||||||
| 35 | consumers on a nationwide basis, as defined by 15 U.S.C. | ||||||
| 36 | Section 1681a(p), of the timing, distribution, and content of | ||||||
| |||||||
| |||||||
| 1 | the notices. Nothing in this subsection (d) shall be construed | ||||||
| 2 | to require the State agency to provide to the consumer | ||||||
| 3 | reporting agency the names or other personal identifying | ||||||
| 4 | information of breach notice recipients.
| ||||||
| 5 | (815 ILCS 530/25 new)
| ||||||
| 6 | Sec. 25. Annual reporting. Any State agency that collects | ||||||
| 7 | personal data and has had a breach of security of the system | ||||||
| 8 | data or written material shall submit a report within 5 | ||||||
| 9 | business days of the discovery or notification of the breach to | ||||||
| 10 | the General Assembly listing the breaches and outlining any | ||||||
| 11 | corrective measures that have been taken to prevent future | ||||||
| 12 | breaches of the security of the system data or written | ||||||
| 13 | material. Any State agency that has submitted a report under | ||||||
| 14 | this Section shall submit an annual report listing all breaches | ||||||
| 15 | of security of the system data or written materials and the | ||||||
| 16 | corrective measures that have been taken to prevent future | ||||||
| 17 | breaches. | ||||||
| 18 | (815 ILCS 530/30 new)
| ||||||
| 19 | Sec. 30. Safe disposal of information. Any State agency | ||||||
| 20 | that collects personal data that is no longer needed or stored | ||||||
| 21 | at the agency shall dispose of the personal data or written | ||||||
| 22 | material it has collected in such a manner as to ensure the | ||||||
| 23 | security and confidentiality of the material.
| ||||||
| 24 | Section 99. Effective date. This Act takes effect upon | ||||||
| 25 | becoming law.
| ||||||