Rep. Kathleen A. Ryg

Filed: 5/29/2008

09500SB2400ham002 LRB095 19768 RPM 51599 a

1     AMENDMENT TO SENATE BILL 2400

2     AMENDMENT NO. ______. Amend Senate Bill 2400 by replacing
3 everything after the enacting clause with the following:
 
4     "Section 1. Short title. This Act may be cited as the
5 Biometric Information Privacy Act.
 
6     Section 5. Legislative findings; intent. The General
7 Assembly finds all of the following:
8     (a) The use of biometrics is growing in the business and
9 security screening sectors and appears to promise streamlined
10 financial transactions and security screenings.
11     (b) Major national corporations have selected the City of
12 Chicago and other locations in this State as pilot testing
13 sites for new applications of biometric-facilitated financial
14 transactions, including finger-scan technologies at grocery
15 stores, gas stations, and school cafeterias.
16     (c) Biometrics are unlike other unique identifiers that are
1 used to access finances or other sensitive information. For
2 example, social security numbers, when compromised, can be
3 changed. Biometrics, however, are biologically unique to the
4 individual; therefore, once compromised, the individual has no
5 recourse, is at heightened risk for identity theft, and is
6 likely to withdraw from biometric-facilitated transactions.
7     (d) An overwhelming majority of members of the public are
8 weary of the use of biometrics when such information is tied to
9 finances and other personal information.
10     (e) Despite limited State law regulating the collection,
11 use, safeguarding, and storage of biometrics, many members of
12 the public are deterred from partaking in biometric
13 identifier-facilitated transactions.
14     (f) The full ramifications of biometric technology are not
15 fully known.
16     (g) The public welfare, security, and safety will be served
17 by regulating the collection, use, safeguarding, handling,
18 storage, retention, and destruction of biometric identifiers
19 and information.
 
20     Section 10. Definitions. In this Act:
21     "Biometric identifier" means a retina or iris scan,
22 fingerprint, voiceprint, or scan of hand or face geometry.
23 Biometric identifiers do not include writing samples, written
24 signatures, photographs, human biological samples used for
25 valid scientific testing or screening, demographic data,
1 tattoo descriptions, or physical descriptions such as height,
2 weight, hair color, or eye color. Biometric identifiers do not
3 include donated organs, tissues, or parts as defined in the
4 Illinois Anatomical Gift Act or blood or serum stored on behalf
5 of recipients or potential recipients of living or cadaveric
6 transplants and obtained or stored by a federally designated
7 organ procurement agency. Biometric identifiers do not include
8 biological materials regulated under the Genetic Information
9 Privacy Act. Biometric identifiers do not include information
10 captured from a patient in a health care setting or information
11 collected, used, or stored for health care treatment, payment,
12 or operations under the federal Health Insurance Portability
13 and Accountability Act of 1996. Biometric identifiers do not
14 include an X-ray, roentgen process, computed tomography, MRI,
15 PET scan, mammography, or other image or film of the human
16 anatomy used to diagnose, prognose, or treat an illness or
17 other medical condition or to further validate scientific
18 testing or screening.
19     "Biometric information" means any information, regardless
20 of how it is captured, converted, stored, or shared, based on
21 an individual's biometric identifier used to identify an
22 individual. Biometric information does not include information
23 derived from items or procedures excluded under the definition
24 of biometric identifiers.
25     "Confidential and sensitive information" means personal
26 information that can be used to uniquely identify an individual
1 or an individual's account or property. Examples of
2 confidential and sensitive information include, but are not
3 limited to, a genetic marker, genetic testing information, a
4 unique identifier number to locate an account or property, an
5 account number, a PIN number, a pass code, a driver's license
6 number, or a social security number.
7     "Private entity" means any individual, partnership,
8 corporation, limited liability company, association, or other
9 group, however organized. A private entity does not include a
10 State or local government agency. A private entity does not
11 include any court of Illinois, a clerk of the court, or a judge
12 or justice thereof.
13     "Written release" means informed written consent or, in the
14 context of employment, a release executed by an employee as a
15 condition of employment.
 
16     Section 15. Retention; collection; disclosure;
17 destruction.
18     (a) A private entity in possession of biometric identifiers
19 or biometric information must develop a written policy, made
20 available to the public, establishing a retention schedule and
21 guidelines for permanently destroying biometric identifiers
22 and biometric information when the initial purpose for
23 collecting or obtaining such identifiers or information has
24 been satisfied or within 3 years of the individual's last
25 interaction with the private entity, whichever occurs first.
1 Absent a valid warrant or subpoena issued by a court of
2 competent jurisdiction, a private entity in possession of
3 biometric identifiers or biometric information must comply
4 with its established retention schedule and destruction
5 guidelines.
6     (b) No private entity may collect, capture, purchase,
7 receive through trade, or otherwise obtain a person's or a
8 customer's biometric identifier or biometric information,
9 unless it first:
10         (1) informs the subject or the subject's legally
11     authorized representative in writing that a biometric
12     identifier or biometric information is being collected or
13     stored;
14         (2) informs the subject or the subject's legally
15     authorized representative in writing of the specific
16     purpose and length of term for which a biometric identifier
17     or biometric information is being collected, stored, and
18     used; and
19         (3) receives a written release executed by the subject
20     of the biometric identifier or biometric information or the
21     subject's legally authorized representative.
22     (c) No private entity in possession of a biometric
23 identifier or biometric information may sell, lease, trade, or
24 otherwise profit from a person's or a customer's biometric
25 identifier or biometric information.
26     (d) No private entity in possession of a biometric
1 identifier or biometric information may disclose, redisclose,
2 or otherwise disseminate a person's or a customer's biometric
3 identifier or biometric information unless:
4         (1) the subject of the biometric identifier or
5     biometric information or the subject's legally authorized
6     representative consents to the disclosure or redisclosure;
7         (2) the disclosure or redisclosure completes a
8     financial transaction requested or authorized by the
9     subject of the biometric identifier or the biometric
10     information or the subject's legally authorized
11     representative;
12         (3) the disclosure or redisclosure is required by State
13     or federal law or municipal ordinance; or
14         (4) the disclosure is required pursuant to a valid
15     warrant or subpoena issued by a court of competent
16     jurisdiction.
17     (e) A private entity in possession of a biometric
18 identifier or biometric information shall:
19         (1) store, transmit, and protect from disclosure all
20     biometric identifiers and biometric information using the
21     reasonable standard of care within the private entity's
22     industry; and
23         (2) store, transmit, and protect from disclosure all
24     biometric identifiers and biometric information in a
25     manner that is the same as or more protective than the
26     manner in which the private entity stores, transmits, and
1     protects other confidential and sensitive information.
 
2     Section 20. Right of action. Any person aggrieved by a
3 violation of this Act shall have a right of action in a State
4 circuit court or as a supplemental claim in federal district
5 court against an offending party. A prevailing party may
6 recover for each violation:
7         (1) against a private entity that negligently violates
8     a provision of this Act, liquidated damages of $1,000 or
9     actual damages, whichever is greater;
10         (2) against a private entity that intentionally or
11     recklessly violates a provision of this Act, liquidated
12     damages of $5,000 or actual damages, whichever is greater;
13         (3) reasonable attorneys' fees and costs, including
14     expert witness fees and other litigation expenses; and
15         (4) other relief, including an injunction, as the State
16     or federal court may deem appropriate.
 
17     Section 25. Construction.
18     (a) Nothing in this Act shall be construed to impact the
19 admission or discovery of biometric identifiers and biometric
20 information in any action of any kind in any court, or before
21 any tribunal, board, agency, or person.
22     (b) Nothing in this Act shall be construed to conflict with
23 the X-Ray Retention Act, the federal Health Insurance
24 Portability and Accountability Act of 1996 and the rules
1 promulgated under either Act.
2     (c) Nothing in this Act shall be deemed to apply in any
3 manner to a financial institution or an affiliate of a
4 financial institution that is subject to Title V of the federal
5 Gramm-Leach-Bliley Act of 1999 and the rules promulgated
6 thereunder.
7     (d) Nothing in this Act shall be construed to conflict with
8 the Private Detective, Private Alarm, Private Security,
9 Fingerprint Vendor, and Locksmith Act of 2004 and the rules
10 promulgated thereunder.
11     (e) Nothing in this Act shall be construed to apply to a
12 contractor, subcontractor, or agent of a State agency or local
13 unit of government when working for that State agency or local
14 unit of government.
 
15     Section 30. Biometric Information Privacy Study Committee.
16     (a) The Department of Human Services, in conjunction with
17 Central Management Services, subject to appropriation or other
18 funds made available for this purpose, shall create the
19 Biometric Information Privacy Study Committee, hereafter
20 referred to as the Committee. The Department of Human Services,
21 in conjunction with Central Management Services, shall provide
22 staff and administrative support to the Committee. The
23 Committee shall examine (i) current policies, procedures, and
24 practices used by State and local governments to protect an
25 individual against unauthorized disclosure of his or her
1 biometric identifiers and biometric information when State or
2 local government requires the individual to provide his or her
3 biometric identifiers to an officer or agency of the State or
4 local government; (ii) issues related to the collection,
5 destruction, security, and ramifications of biometric
6 identifiers, biometric information, and biometric technology;
7 and (iii) technical and procedural changes necessary in order
8 to implement and enforce reasonable, uniform biometric
9 safeguards by State and local government agencies.
10     (b) The Committee shall hold such public hearings as it
11 deems necessary and present a report of its findings and
12 recommendations to the General Assembly before January 1, 2009.
13 The Committee may begin to conduct business upon appointment of
14 a majority of its members. All appointments shall be completed
15 by 4 months prior to the release of the Committee's final
16 report. The Committee shall meet at least twice and at other
17 times at the call of the chair and may conduct meetings by
18 telecommunication, where possible, in order to minimize travel
19 expenses. The Committee shall consist of 27 members appointed
20 as follows:
21         (1) 2 members appointed by the President of the Senate;
22         (2) 2 members appointed by the Minority Leader of the
23     Senate;
24         (3) 2 members appointed by the Speaker of the House of
25     Representatives;
26         (4) 2 members appointed by the Minority Leader of the
1     House of Representatives;
2         (5) One member representing the Office of the Governor,
3     appointed by the Governor;
4         (6) One member, who shall serve as the chairperson of
5     the Committee, representing the Office of the Attorney
6     General, appointed by the Attorney General;
7         (7) One member representing the Office of the Secretary
8     of the State, appointed by the Secretary of State;
9         (8) One member from each of the following State
10     agencies appointed by their respective heads: Department
11     of Corrections, Department of Public Health, Department of
12     Human Services, Central Management Services, Illinois
13     Commerce Commission, Illinois State Police; Department of
14     Revenue;
15         (9) One member appointed by the chairperson of the
16     Committee, representing the interests of the City of
17     Chicago;
18         (10) 2 members appointed by the chairperson of the
19     Committee, representing the interests of other
20     municipalities;
21         (11) 2 members appointed by the chairperson of the
22     Committee, representing the interests of public hospitals;
23     and
24         (12) 4 public members appointed by the chairperson of
25     the Committee, representing the interests of the civil
26     liberties community, the electronic privacy community, and
1     government employees.
2     (c) This Section is repealed January 1, 2009.
 
3     Section 99. Effective date. This Act takes effect upon
4 becoming law.".