94TH GENERAL ASSEMBLY
State of Illinois
2005 and 2006
SB1479

 

Introduced 2/23/2005, by Sen. Ira I. Silverstein

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Identity Theft Notification Act. Requires any data collector that owns or uses personal information in any form that includes personal information concerning an Illinois resident, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data, without regard for whether the data has been accessed by an unauthorized third party for legal or illegal purposes. Provides that notice may be provided in one of the following ways: (1) written notice; (2) electronic notice; or (3) substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Provides a private right of action for a violation of the Act.


LRB094 11200 RXD 41888 b

 

 

A BILL FOR

 

    AN ACT concerning business.

    Be it enacted by the People of the State of Illinois, represented in the General Assembly:

    Section 1. Short title. This Act may be cited as the Identity Theft Notification Act.
 
    Section 5. Definitions. In this Act:
    "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. "Breach of the security of the system" does not include good faith acquisition of personal information by an employee or agent of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subjected to further unauthorized disclosure.
    "Breach of the security of non-computerized data" may include, but is not limited to, unauthorized photocopying, facsimiles, or other paper-based methods of transmitting documents.
    "Data collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity which, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or otherwise deals with personal information.
    "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
        (1) Social security number.
        (2) Driver's license number or Illinois State Identification Card number.
        (3) Account number, credit or debit card number, if circumstances exist where the number could be used without additional identifying information, access code, or password.
        (4) Account passwords or personal identification numbers or other access codes.
        (5) Any item listed under paragraphs (1) through (4) when not in connection with the individual's first name or first initial and last name, if the information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised.
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.
 
    Section 10. Security breach; notification.
    (a) Any data collector that owns or uses personal information in any form that includes personal information concerning an Illinois resident, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data, without regard for whether the data has been accessed by an unauthorized third party for legal or illegal purposes. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of the law enforcement agency, as provided in subsection (b), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
    (b) Notice may be provided by one of the following methods:
        (1) written notice;
        (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or
        (3) substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notification if the person or business has an email address for the person to be notified; (ii) conspicuous posting of the notice on the web site page of the person or business, if the person or business maintains a web site page; and (iii) notification to major statewide media outlets.
    The notification required under this subsection (b) may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. Notification shall be made after the law enforcement agency determines that it will not compromise its investigation.
 
    Section 15. Waiver. Any waiver of the provisions of this Act is contrary to public policy and is void and unenforceable.
 
    Section 20. Penalty.
    (a) Any customer injured by a violation of this Act may institute a civil action to recover damages.
    (b) Any individual personally affected by repeated violations may institute, in a circuit court, an action to enjoin violations of this Act.
    (c) The rights and remedies available under this Section are cumulative to each other and to any other rights and remedies available under law.