Executive Committee

Filed: 5/28/2008

09500SB2400ham001 LRB095 19768 RPM 51505 a

1 AMENDMENT TO SENATE BILL 2400

2     AMENDMENT NO. ______. Amend Senate Bill 2400 by replacing
3 everything after the enacting clause with the following:
 
4     "Section 1. Short title. This Act may be cited as the
5 Biometric Information Privacy Act.
 
6     Section 5. Legislative findings; intent. The General
7 Assembly finds all of the following:
8     (a) The use of biometrics is growing in the business and
9 security screening sectors and appears to promise streamlined
10 financial transactions and security screenings.
11     (b) Major national corporations have selected the City of
12 Chicago and other locations in this State as pilot testing
13 sites for new applications of biometric-facilitated financial
14 transactions, including finger-scan technologies at grocery
15 stores, gas stations, and school cafeterias.
16     (c) Biometrics are unlike other unique identifiers that are
1 used to access finances or other sensitive information. For
2 example, social security numbers, when compromised, can be
3 changed. Biometrics, however, are biologically unique to the
4 individual; therefore, once compromised, the individual has no
5 recourse, is at heightened risk for identity theft, and is
6 likely to withdraw from biometric-facilitated transactions.
7     (d) An overwhelming majority of members of the public are
8 weary of the use of biometrics when such information is tied to
9 finances and other personal information.
10     (e) Despite limited State law regulating the collection,
11 use, safeguarding, and storage of biometrics, many members of
12 the public are deterred from partaking in biometric
13 identifier-facilitated transactions.
14     (f) The full ramifications of biometric technology are not
15 fully known.
16     (g) The public welfare, security, and safety will be served
17 by regulating the collection, use, safeguarding, handling,
18 storage, retention, and destruction of biometric identifiers
19 and information.
 
20     Section 10. Definitions. In this Act:
21     "Biometric identifier" means a retina or iris scan,
22 fingerprint, voiceprint, or scan of hand or face geometry.
23 Biometric identifiers do not include writing samples, written
24 signatures, photographs, human biological samples used for
24 valid scientific testing or screening, demographic data,
1 tattoo descriptions, or physical descriptions such as height,
2 weight, hair color, or eye color. Biometric identifiers do not
3 include donated organs, tissues, or parts as defined in the
4 Illinois Anatomical Gift Act or blood or serum stored on behalf
5 of recipients or potential recipients of living or cadaveric
6 transplants and obtained or stored by a federally designated
7 organ procurement agency. Biometric identifiers do not include
8 biological materials regulated under the Genetic Information
9 Privacy Act. Biometric identifiers do not include information
10 captured from a patient in a health care setting or information
11 collected, used, or stored for health care treatment, payment,
12 or operations under the federal Health Insurance Portability
13 and Accountability Act of 1996. Biometric identifiers do not
14 include an X-ray, roentgen process, computed tomography, MRI,
15 PET scan, mammography, or other image or film of the human
16 anatomy used to diagnose, prognose, or treat an illness or
17 other medical condition or to further validate scientific
18 testing or screening.
19     "Biometric information" means any information, regardless
20 of how it is captured, converted, stored, or shared, based on
21 an individual's biometric identifier used to identify an
22 individual. Biometric information does not include information
23 derived from items or procedures excluded under the definition
24 of biometric identifiers.
25     "Confidential and sensitive information" means personal
26 information that can be used to uniquely identify an individual
1 or an individual's account or property. Examples of
2 confidential and sensitive information include, but are not
3 limited to, a genetic marker, genetic testing information, a
4 unique identifier number to locate an account or property, an
5 account number, a PIN number, a pass code, a driver's license
6 number, or a social security number.
7     "Private entity" means any individual, partnership,
8 corporation, limited liability company, association, or other
9 group, however organized. A private entity does not include a
10 State or local government agency. A private entity does not
11 include any court of Illinois, a clerk of the court, or a judge
12 or justice thereof.
13     "Written release" means informed written consent or, in the
14 context of employment, a release executed by an employee as a
15 condition of employment.
 
16     Section 15. Retention; collection; disclosure;
17 destruction.
18     (a) A private entity in possession of biometric identifiers
19 or biometric information must develop a written policy, made
20 available to the public, establishing a retention schedule and
21 guidelines for permanently destroying biometric identifiers
22 and biometric information when the initial purpose for
23 collecting or obtaining such identifiers or information has
24 been satisfied or within 3 years of the individual's last
25 interaction with the private entity, whichever occurs first.
1 Absent a valid warrant or subpoena issued by a court of
2 competent jurisdiction, a private entity in possession of
3 biometric identifiers or biometric information must comply
4 with its established retention schedule and destruction
5 guidelines.
6     (b) No private entity may collect, capture, purchase,
7 receive through trade, or otherwise obtain a person's or a
8 customer's biometric identifier or biometric information,
9 unless it first:
10         (1) informs the subject or the subject's legally
11     authorized representative in writing that a biometric
12     identifier or biometric information is being collected or
13     stored;
14         (2) informs the subject or the subject's legally
15     authorized representative in writing of the specific
16     purpose and length of term for which a biometric identifier
17     or biometric information is being collected, stored, and
18     used; and
19         (3) receives a written release executed by the subject
20     of the biometric identifier or biometric information or the
21     subject's legally authorized representative.
22     (c) No private entity in possession of a biometric
23 identifier or biometric information may sell, lease, trade, or
24 otherwise profit from a person's or a customer's biometric
25 identifier or biometric information.
26     (d) No private entity in possession of a biometric
1 identifier or biometric information may disclose, redisclose,
2 or otherwise disseminate a person's or a customer's biometric
3 identifier or biometric information unless:
4         (1) the subject of the biometric identifier or
5     biometric information or the subject's legally authorized
6     representative consents to the disclosure or redisclosure;
7         (2) the disclosure or redisclosure completes a
8     financial transaction requested or authorized by the
9     subject of the biometric identifier or the biometric
10     information or the subject's legally authorized
11     representative;
12         (3) the disclosure or redisclosure is required by State
13     or federal law or municipal ordinance; or
14         (4) the disclosure is required pursuant to a valid
15     warrant or subpoena issued by a court of competent
16     jurisdiction.
17     (e) A private entity in possession of a biometric
18 identifier or biometric information shall:
19         (1) store, transmit, and protect from disclosure all
20     biometric identifiers and biometric information using the
21     reasonable standard of care within the private entity's
22     industry; and
23         (2) store, transmit, and protect from disclosure all
24     biometric identifiers and biometric information in a
25     manner that is the same as or more protective than the
26     manner in which the private entity stores, transmits, and
1     protects other confidential and sensitive information.
 
2     Section 20. Right of action. Any person aggrieved by a
3 violation of this Act shall have a right of action in a State
4 circuit court or as a supplemental claim in federal district
5 court against an offending party. A prevailing party may
6 recover for each violation:
7         (1) against a private entity that negligently violates
8     a provision of this Act, liquidated damages of $1,000 or
9     actual damages, whichever is greater;
10         (2) against a private entity that intentionally or
11     recklessly violates a provision of this Act, liquidated
12     damages of $5,000 or actual damages, whichever is greater;
13         (3) reasonable attorneys' fees and costs, including
14     expert witness fees and other litigation expenses; and
15         (4) other relief, including an injunction, as the State
16     or federal court may deem appropriate.
 
17     Section 25. Construction.
18     (a) Nothing in this Act shall be construed to impact the
19 admission or discovery of biometric identifiers and biometric
20 information in any action of any kind in any court, or before
21 any tribunal, board, agency, or person.
22     (b) Nothing in this Act shall be construed to conflict with
23 the X-Ray Retention Act, the federal Health Insurance
24 Portability and Accountability Act of 1996 and the rules
1 promulgated under either Act.
2     (c) Nothing in this Act shall be deemed to apply in any
3 manner to a financial institution or an affiliate of a
4 financial institution that is subject to Title V of the federal
5 Gramm-Leach-Bliley Act of 1999 and the rules promulgated
6 thereunder.
7     (d) Nothing in this Act shall be construed to conflict with
8 the Private Detective, Private Alarm, Private Security,
9 Fingerprint Vendor, and Locksmith Act of 2004 and the rules
10 promulgated thereunder.
 
11     Section 30. Home rule. Any home rule unit of local
12 government, any non-home rule municipality, or any non-home
13 rule county within the unincorporated territory of the county
14 may enact ordinances, standards, rules, or regulations that
15 protect biometric identifiers and biometric information in a
16 manner or to an extent equal to or greater than the protection
17 provided in this Act. This Section is a limitation on the
18 concurrent exercise of home rule power under subsection (i) of
19 Section 6 of Article VII of the Illinois Constitution.
 
20     Section 35. Biometric Information Privacy Study Committee.
21     (a) The Department of Human Services, in conjunction with
22 Central Management Services, subject to appropriation or other
23 funds made available for this purpose, shall create the
24 Biometric Information Privacy Study Committee, hereafter
1 referred to as the Committee. The Department of Human Services,
2 in conjunction with Central Management Services, shall provide
3 staff and administrative support to the Committee. The
4 Committee shall examine (i) current policies, procedures, and
5 practices used by State and local governments to protect an
6 individual against unauthorized disclosure of his or her
7 biometric identifiers and biometric information when State or
8 local government requires the individual to provide his or her
9 biometric identifiers to an officer or agency of the State or
10 local government; (ii) issues related to the collection,
11 destruction, security, and ramifications of biometric
12 identifiers, biometric information, and biometric technology;
13 and (iii) technical and procedural changes necessary in order
14 to implement and enforce reasonable, uniform biometric
15 safeguards by State and local government agencies.
16     (b) The Committee shall hold such public hearings as it
17 deems necessary and present a report of its findings and
18 recommendations to the General Assembly before January 1, 2009.
19 The Committee may begin to conduct business upon appointment of
20 a majority of its members. All appointments shall be completed
21 by 4 months prior to the release of the Committee's final
22 report. The Committee shall meet at least twice and at other
23 times at the call of the chair and may conduct meetings by
24 telecommunication, where possible, in order to minimize travel
25 expenses. The Committee shall consist of 27 members appointed
26 as follows:
1         (1) 2 members appointed by the President of the Senate;
2         (2) 2 members appointed by the Minority Leader of the
3     Senate;
4         (3) 2 members appointed by the Speaker of the House of
5     Representatives;
6         (4) 2 members appointed by the Minority Leader of the
7     House of Representatives;
8         (5) One member representing the Office of the Governor,
9     appointed by the Governor;
10         (6) One member, who shall serve as the chairperson of
11     the Committee, representing the Office of the Attorney
12     General, appointed by the Attorney General;
13         (7) One member representing the Office of the Secretary
14     of the State, appointed by the Secretary of State;
15         (8) One member from each of the following State
16     agencies appointed by their respective heads: Department
17     of Corrections, Department of Public Health, Department of
18     Human Services, Central Management Services, Illinois
19     Commerce Commission, Illinois State Police; Department of
20     Revenue;
21         (9) One member appointed by the chairperson of the
22     Committee, representing the interests of the City of
23     Chicago;
24         (10) 2 members appointed by the chairperson of the
25     Committee, representing the interests of other
26     municipalities;
1         (11) 2 members appointed by the chairperson of the
2     Committee, representing the interests of public hospitals;
3     and
4         (12) 4 public members appointed by the chairperson of
5     the Committee, representing the interests of the civil
6     liberties community, the electronic privacy community, and
7     government employees.
8     (c) This Section is repealed January 1, 2009.
 
9     Section 99. Effective date. This Act takes effect upon
10 becoming law.".