Rep. Ann Williams
Filed: 5/11/2015
| |||||||
| |||||||
| |||||||
| 1 | AMENDMENT TO SENATE BILL 1833
| ||||||
| 2 | AMENDMENT NO. ______. Amend Senate Bill 1833 on page 1 by | ||||||
| 3 | replacing line 5 with the following: | ||||||
| 4 | "amended by changing Sections 5, 10, and 12 and adding Sections | ||||||
| 5 | 45,"; and
| ||||||
| 6 | on page 1, line 6, by changing "and 50" to "50, and 55"; and
| ||||||
| 7 | on page 2, line 4, by changing "history." to "history, | ||||||
| 8 | including, but not limited to, consumer profiles that are based | ||||||
| 9 | upon the information. "Consumer marketing information" does | ||||||
| 10 | not include information related to a consumer's online browsing | ||||||
| 11 | history, online search history, or purchasing history held by a | ||||||
| 12 | data collector that has a direct relationship with the | ||||||
| 13 | consumer."; and
| ||||||
| 14 | on page 2, line 7, by changing "is" to "is stored and"; and
| ||||||
| |||||||
| |||||||
| 1 | on page 2, line 8, by changing "the device" to "an individual"; | ||||||
| 2 | and | ||||||
| 3 | on page 3, line 14, by changing "data" to "data generated from | ||||||
| 4 | measurements or analysis of human body characteristics that | ||||||
| 5 | could be used to identify an individual"; and | ||||||
| 6 | on page 3, line 23, by changing "name" to "name, when not part | ||||||
| 7 | of an individual's surname"; and | ||||||
| 8 | on page 5, line 2, by changing "information"" to "information", | ||||||
| 9 | excluding geolocation information and consumer marketing | ||||||
| 10 | information"; and
| ||||||
| 11 | on page 8, line 4, by changing "that" to "that owns or licenses | ||||||
| 12 | personal information and"; and
| ||||||
| 13 | on page 8, line 9, by changing "A description of the" to "The | ||||||
| 14 | types of"; and | ||||||
| 15 | on page 8, line 20, by changing "2 days before" to "when"; and | ||||||
| 16 | on page 9, line 12, by changing "A description of the" to "The | ||||||
| 17 | types of"; and
| ||||||
| 18 | on page 10 by replacing lines 10 through 18 with the following: | ||||||
| |||||||
| |||||||
| 1 | "(f) Upon receiving notification from a data collector of a | ||||||
| 2 | breach of personal information, the Attorney General may | ||||||
| 3 | publish the name of the data collector that suffered the | ||||||
| 4 | breach, the types of personal information compromised in the | ||||||
| 5 | breach, and the date range of the breach."; and | ||||||
| 6 | on page 10 by inserting immediately below line 19 the | ||||||
| 7 | following: | ||||||
| 8 | "(815 ILCS 530/12)
| ||||||
| 9 | Sec. 12. Notice of breach; State agency. | ||||||
| 10 | (a) Any State agency that collects personal information, | ||||||
| 11 | excluding geolocation and consumer marketing information, | ||||||
| 12 | concerning an Illinois resident shall notify the
resident at no | ||||||
| 13 | charge that there has been a breach of the security of the
| ||||||
| 14 | system data or written material following discovery or | ||||||
| 15 | notification of the breach.
The disclosure notification shall | ||||||
| 16 | be made in the most
expedient time possible and without | ||||||
| 17 | unreasonable delay,
consistent with any measures necessary to | ||||||
| 18 | determine the
scope of the breach and restore the reasonable | ||||||
| 19 | integrity,
security, and confidentiality of the data system. | ||||||
| 20 | The disclosure notification to an Illinois resident shall | ||||||
| 21 | include, but need not be limited to information as follows: | ||||||
| 22 | (1) With respect to personal information defined in | ||||||
| 23 | Section 5 in paragraph (1) of the definition of "personal | ||||||
| 24 | information": , | ||||||
| |||||||
| |||||||
| 1 | (i) the toll-free numbers and addresses for | ||||||
| 2 | consumer reporting agencies; , | ||||||
| 3 | (ii) the toll-free number, address, and website | ||||||
| 4 | address for the Federal Trade Commission; , and | ||||||
| 5 | (iii) a statement that the individual can obtain | ||||||
| 6 | information from these sources about fraud alerts and | ||||||
| 7 | security freezes. | ||||||
| 8 | (2) With respect to personal information as defined in | ||||||
| 9 | Section 5 in paragraph (2) of the definition of "personal | ||||||
| 10 | information", notice may be provided in electronic or other | ||||||
| 11 | form directing the Illinois resident whose personal | ||||||
| 12 | information has been breached to promptly change his or her | ||||||
| 13 | user name or password and security question or answer, as | ||||||
| 14 | applicable, or to take other steps appropriate to protect | ||||||
| 15 | all online accounts for which the resident uses the same | ||||||
| 16 | user name or email address and password or security | ||||||
| 17 | question and answer. | ||||||
| 18 | The notification shall not, however, include information | ||||||
| 19 | concerning the number of Illinois residents affected by the | ||||||
| 20 | breach. | ||||||
| 21 | (a-5) The notification to an Illinois resident required by | ||||||
| 22 | subsection (a) of this Section may be delayed if an appropriate | ||||||
| 23 | law enforcement agency determines that notification will | ||||||
| 24 | interfere with a criminal investigation and provides the State | ||||||
| 25 | agency with a written request for the delay. However, the State | ||||||
| 26 | agency must notify the Illinois resident as soon as | ||||||
| |||||||
| |||||||
| 1 | notification will no longer interfere with the investigation. | ||||||
| 2 | (b) For purposes of this Section, notice to residents may | ||||||
| 3 | be provided by one of the following methods:
| ||||||
| 4 | (1) written notice;
| ||||||
| 5 | (2) electronic notice, if the notice provided is
| ||||||
| 6 | consistent with the provisions regarding electronic
| ||||||
| 7 | records and signatures for notices legally required to be
| ||||||
| 8 | in writing as set forth in Section 7001 of Title 15 of the | ||||||
| 9 | United States Code;
or
| ||||||
| 10 | (3) substitute notice, if the State agency
| ||||||
| 11 | demonstrates that the cost of providing notice would exceed
| ||||||
| 12 | $250,000 or that the affected class of subject persons to | ||||||
| 13 | be notified exceeds 500,000, or the State agency does not
| ||||||
| 14 | have sufficient contact information. Substitute notice | ||||||
| 15 | shall consist of all of the following: (i) email notice if | ||||||
| 16 | the State agency has an email address for the subject | ||||||
| 17 | persons; (ii) conspicuous posting of the notice on the | ||||||
| 18 | State agency's web site page if the State agency maintains
| ||||||
| 19 | one; and (iii) notification to major statewide media.
| ||||||
| 20 | (c) Notwithstanding subsection (b), a State agency
that | ||||||
| 21 | maintains its own notification procedures as part of an
| ||||||
| 22 | information security policy for the treatment of personal
| ||||||
| 23 | information and is otherwise consistent with the timing | ||||||
| 24 | requirements of this Act shall be deemed in compliance
with the | ||||||
| 25 | notification requirements of this Section if the
State agency | ||||||
| 26 | notifies subject persons in accordance with its policies in the | ||||||
| |||||||
| |||||||
| 1 | event of a breach of the security of the system data or written | ||||||
| 2 | material.
| ||||||
| 3 | (d) If a State agency is required to notify more than 1,000 | ||||||
| 4 | persons of a breach of security pursuant to this Section, the | ||||||
| 5 | State agency shall also notify, without unreasonable delay, all | ||||||
| 6 | consumer reporting agencies that compile and maintain files on | ||||||
| 7 | consumers on a nationwide basis, as defined by 15 U.S.C. | ||||||
| 8 | Section 1681a(p), of the timing, distribution, and content of | ||||||
| 9 | the notices. Nothing in this subsection (d) shall be construed | ||||||
| 10 | to require the State agency to provide to the consumer | ||||||
| 11 | reporting agency the names or other personal identifying | ||||||
| 12 | information of breach notice recipients.
| ||||||
| 13 | (e) Notice to Attorney General. | ||||||
| 14 | (1) Any State agency that suffers a single breach of | ||||||
| 15 | the security of the data concerning the personal | ||||||
| 16 | information of more than 250 Illinois residents shall | ||||||
| 17 | provide notice to the Attorney General of the breach, | ||||||
| 18 | including: | ||||||
| 19 | (A) The categories of personal information | ||||||
| 20 | compromised in the breach. | ||||||
| 21 | (B) The number of Illinois residents affected by | ||||||
| 22 | such incident at the time of notification. | ||||||
| 23 | (C) Any steps the State agency has taken or plans | ||||||
| 24 | to take relating to notification of the breach to | ||||||
| 25 | consumers. | ||||||
| 26 | (D) The date and timeframe of the breach, if known | ||||||
| |||||||
| |||||||
| 1 | at the time notification is provided. | ||||||
| 2 | Such notification must be made within 30 business days | ||||||
| 3 | of the State agency's discovery of the security breach or | ||||||
| 4 | when the State agency provides any notice to consumers | ||||||
| 5 | required by this Section, whichever is sooner, unless the | ||||||
| 6 | State agency has good cause for reasonable delay to | ||||||
| 7 | determine the scope of the breach and restore the | ||||||
| 8 | integrity, security, and confidentiality of the data | ||||||
| 9 | system, or when law enforcement requests in writing to | ||||||
| 10 | withhold disclosure of some or all of the information | ||||||
| 11 | required in the notification under this Section. If the | ||||||
| 12 | date or timeframe of the breach is unknown at the time the | ||||||
| 13 | notice is sent to the Attorney General, the State agency | ||||||
| 14 | shall send the Attorney General the date or timeframe of | ||||||
| 15 | the breach as soon as possible. | ||||||
| 16 | (Source: P.A. 97-483, eff. 1-1-12.)"; and
| ||||||
| 17 | on page 11 by deleting lines 17 through 22; and
| ||||||
| 18 | on page 11, line 23, by changing "(e)" to "(d)"; and | ||||||
| 19 | on page 13, line 23, by replacing "online service" with ", in | ||||||
| 20 | the case of an operator of an online service, make the policy | ||||||
| 21 | available in accordance with paragraph (5) of subsection (a) of | ||||||
| 22 | this Section"; and
| ||||||
| |||||||
| |||||||
| 1 | on page 15 by inserting immediately below line 10 the | ||||||
| 2 | following:
| ||||||
| 3 | "(815 ILCS 530/55 new) | ||||||
| 4 | Sec. 55. Entities subject to the federal Health Insurance | ||||||
| 5 | Portability and Accountability Act of 1996. Any covered entity | ||||||
| 6 | or business associate that is subject to and in compliance with | ||||||
| 7 | the privacy and security standards for the protection of | ||||||
| 8 | electronic health information established pursuant to the | ||||||
| 9 | federal Health Insurance Portability and Accountability Act of | ||||||
| 10 | 1996 and the Health Information Technology for Economic and | ||||||
| 11 | Clinical Health Act shall be deemed to be in compliance with | ||||||
| 12 | the provisions of this Act, provided that any covered entity or | ||||||
| 13 | business associate required to provide notification of a breach | ||||||
| 14 | to the Secretary of Health and Human Services pursuant to the | ||||||
| 15 | Health Information Technology for Economic and Clinical Health | ||||||
| 16 | Act also provides such notification to the Attorney General | ||||||
| 17 | within 5 business days of notifying the Secretary.".
| ||||||