|
Rep. Ann Williams
Filed: 5/15/2015
| | 09900SB1833ham002 | | LRB099 09064 JLS 35574 a |
|
|
| 1 | | AMENDMENT TO SENATE BILL 1833
|
| 2 | | AMENDMENT NO. ______. Amend Senate Bill 1833 on page 1 by |
| 3 | | replacing line 5 with the following: |
| 4 | | "amended by changing Sections 5, 10, and 12 and adding Sections |
| 5 | | 45,"; and
|
| 6 | | on page 1, line 6, by changing "and 50" to "50, and 55"; and
|
| 7 | | on page 2, line 4, by changing "history." to "history, |
| 8 | | including, but not limited to, consumer profiles that are based |
| 9 | | upon the information. "Consumer marketing information" does |
| 10 | | not include information related to a consumer's online browsing |
| 11 | | history, online search history, or purchasing history held by a |
| 12 | | data collector that has a direct relationship with the |
| 13 | | consumer."; and
|
| 14 | | on page 2, line 7, by changing "is" to "is stored and"; and
|
|
| | 09900SB1833ham002 | - 2 - | LRB099 09064 JLS 35574 a |
|
|
| 1 | | on page 2, line 8, by changing "the device" to "an individual"; |
| 2 | | and
|
| 3 | | on page 2, line 9, by changing "located" to "located and the |
| 4 | | information is likely to enable someone to determine an |
| 5 | | individual's regular pattern of behavior"; and
|
| 6 | | on page 3, line 14, by changing "data" to "data generated from |
| 7 | | measurements or technical analysis of human body |
| 8 | | characteristics that could be used to identify an individual"; |
| 9 | | and
|
| 10 | | on page 3 by replacing lines 20 through 24 with the following: |
| 11 | | "(I) Home address, telephone number, and email |
| 12 | | address in combination with either: |
| 13 | | (i) mother's maiden name when not part of an |
| 14 | | individual's surname; or |
| 15 | | (ii) month, day, and year of birth."; and
|
| 16 | | on page 5, line 2, by changing "information"" to "information", |
| 17 | | excluding geolocation information and consumer marketing |
| 18 | | information"; and
|
| 19 | | on page 8, line 4, by changing "that" to "that owns or licenses |
| 20 | | personal information and"; and
|
|
| | 09900SB1833ham002 | - 3 - | LRB099 09064 JLS 35574 a |
|
|
| 1 | | on page 8, line 9, by changing "A description of the" to "The |
| 2 | | types of"; and
|
| 3 | | on page 8, line 20, by changing "2 days before" to "when"; and
|
| 4 | | on page 9, line 12, by changing "A description of the" to "The |
| 5 | | types of"; and
|
| 6 | | on page 10 by replacing lines 10 through 18 with the following: |
| 7 | | "(f) Upon receiving notification from a data collector of a |
| 8 | | breach of personal information, the Attorney General may |
| 9 | | publish the name of the data collector that suffered the |
| 10 | | breach, the types of personal information compromised in the |
| 11 | | breach, and the date range of the breach."; and
|
| 12 | | on page 10 by inserting immediately below line 19 the |
| 13 | | following:
|
| 14 | | "(815 ILCS 530/12)
|
| 15 | | Sec. 12. Notice of breach; State agency. |
| 16 | | (a) Any State agency that collects personal information, |
| 17 | | excluding geolocation and consumer marketing information, |
| 18 | | concerning an Illinois resident shall notify the
resident at no |
| 19 | | charge that there has been a breach of the security of the
|
| 20 | | system data or written material following discovery or |
| 21 | | notification of the breach.
The disclosure notification shall |
|
| | 09900SB1833ham002 | - 4 - | LRB099 09064 JLS 35574 a |
|
|
| 1 | | be made in the most
expedient time possible and without |
| 2 | | unreasonable delay,
consistent with any measures necessary to |
| 3 | | determine the
scope of the breach and restore the reasonable |
| 4 | | integrity,
security, and confidentiality of the data system. |
| 5 | | The disclosure notification to an Illinois resident shall |
| 6 | | include, but need not be limited to information as follows: |
| 7 | | (1) With respect to personal information defined in |
| 8 | | Section 5 in paragraph (1) of the definition of "personal |
| 9 | | information": , |
| 10 | | (i) the toll-free numbers and addresses for |
| 11 | | consumer reporting agencies; , |
| 12 | | (ii) the toll-free number, address, and website |
| 13 | | address for the Federal Trade Commission; , and |
| 14 | | (iii) a statement that the individual can obtain |
| 15 | | information from these sources about fraud alerts and |
| 16 | | security freezes. |
| 17 | | (2) With respect to personal information as defined in |
| 18 | | Section 5 in paragraph (2) of the definition of "personal |
| 19 | | information", notice may be provided in electronic or other |
| 20 | | form directing the Illinois resident whose personal |
| 21 | | information has been breached to promptly change his or her |
| 22 | | user name or password and security question or answer, as |
| 23 | | applicable, or to take other steps appropriate to protect |
| 24 | | all online accounts for which the resident uses the same |
| 25 | | user name or email address and password or security |
| 26 | | question and answer. |
|
| | 09900SB1833ham002 | - 5 - | LRB099 09064 JLS 35574 a |
|
|
| 1 | | The notification shall not, however, include information |
| 2 | | concerning the number of Illinois residents affected by the |
| 3 | | breach. |
| 4 | | (a-5) The notification to an Illinois resident required by |
| 5 | | subsection (a) of this Section may be delayed if an appropriate |
| 6 | | law enforcement agency determines that notification will |
| 7 | | interfere with a criminal investigation and provides the State |
| 8 | | agency with a written request for the delay. However, the State |
| 9 | | agency must notify the Illinois resident as soon as |
| 10 | | notification will no longer interfere with the investigation. |
| 11 | | (b) For purposes of this Section, notice to residents may |
| 12 | | be provided by one of the following methods:
|
| 13 | | (1) written notice;
|
| 14 | | (2) electronic notice, if the notice provided is
|
| 15 | | consistent with the provisions regarding electronic
|
| 16 | | records and signatures for notices legally required to be
|
| 17 | | in writing as set forth in Section 7001 of Title 15 of the |
| 18 | | United States Code;
or
|
| 19 | | (3) substitute notice, if the State agency
|
| 20 | | demonstrates that the cost of providing notice would exceed
|
| 21 | | $250,000 or that the affected class of subject persons to |
| 22 | | be notified exceeds 500,000, or the State agency does not
|
| 23 | | have sufficient contact information. Substitute notice |
| 24 | | shall consist of all of the following: (i) email notice if |
| 25 | | the State agency has an email address for the subject |
| 26 | | persons; (ii) conspicuous posting of the notice on the |
|
| | 09900SB1833ham002 | - 6 - | LRB099 09064 JLS 35574 a |
|
|
| 1 | | State agency's web site page if the State agency maintains
|
| 2 | | one; and (iii) notification to major statewide media.
|
| 3 | | (c) Notwithstanding subsection (b), a State agency
that |
| 4 | | maintains its own notification procedures as part of an
|
| 5 | | information security policy for the treatment of personal
|
| 6 | | information and is otherwise consistent with the timing |
| 7 | | requirements of this Act shall be deemed in compliance
with the |
| 8 | | notification requirements of this Section if the
State agency |
| 9 | | notifies subject persons in accordance with its policies in the |
| 10 | | event of a breach of the security of the system data or written |
| 11 | | material.
|
| 12 | | (d) If a State agency is required to notify more than 1,000 |
| 13 | | persons of a breach of security pursuant to this Section, the |
| 14 | | State agency shall also notify, without unreasonable delay, all |
| 15 | | consumer reporting agencies that compile and maintain files on |
| 16 | | consumers on a nationwide basis, as defined by 15 U.S.C. |
| 17 | | Section 1681a(p), of the timing, distribution, and content of |
| 18 | | the notices. Nothing in this subsection (d) shall be construed |
| 19 | | to require the State agency to provide to the consumer |
| 20 | | reporting agency the names or other personal identifying |
| 21 | | information of breach notice recipients.
|
| 22 | | (e) Notice to Attorney General. |
| 23 | | (1) Any State agency that suffers a single breach of |
| 24 | | the security of the data concerning the personal |
| 25 | | information of more than 250 Illinois residents shall |
| 26 | | provide notice to the Attorney General of the breach, |
|
| | 09900SB1833ham002 | - 7 - | LRB099 09064 JLS 35574 a |
|
|
| 1 | | including: |
| 2 | | (A) The types of personal information compromised |
| 3 | | in the breach. |
| 4 | | (B) The number of Illinois residents affected by |
| 5 | | such incident at the time of notification. |
| 6 | | (C) Any steps the State agency has taken or plans |
| 7 | | to take relating to notification of the breach to |
| 8 | | consumers. |
| 9 | | (D) The date and timeframe of the breach, if known |
| 10 | | at the time notification is provided. |
| 11 | | Such notification must be made within 30 business days |
| 12 | | of the State agency's discovery of the security breach or |
| 13 | | when the State agency provides any notice to consumers |
| 14 | | required by this Section, whichever is sooner, unless the |
| 15 | | State agency has good cause for reasonable delay to |
| 16 | | determine the scope of the breach and restore the |
| 17 | | integrity, security, and confidentiality of the data |
| 18 | | system, or when law enforcement requests in writing to |
| 19 | | withhold disclosure of some or all of the information |
| 20 | | required in the notification under this Section. If the |
| 21 | | date or timeframe of the breach is unknown at the time the |
| 22 | | notice is sent to the Attorney General, the State agency |
| 23 | | shall send the Attorney General the date or timeframe of |
| 24 | | the breach as soon as possible. |
| 25 | | (Source: P.A. 97-483, eff. 1-1-12.)"; and
|
|
| | 09900SB1833ham002 | - 8 - | LRB099 09064 JLS 35574 a |
|
|
| 1 | | on page 11 by deleting lines 17 through 22; and
|
| 2 | | on page 11, line 23, by changing "(e)" to "(d)"; and
|
| 3 | | on page 13, line 23, by replacing "online service" with ", in |
| 4 | | the case of an operator of an online service, make the policy |
| 5 | | available in accordance with paragraph (5) of subsection (a) of |
| 6 | | this Section"; and
|
| 7 | | on page 15 by inserting immediately below line 10 the |
| 8 | | following:
|
| 9 | | "(815 ILCS 530/55 new) |
| 10 | | Sec. 55. Entities subject to the federal Health Insurance |
| 11 | | Portability and Accountability Act of 1996. Any covered entity |
| 12 | | or business associate that is subject to and in compliance with |
| 13 | | the privacy and security standards for the protection of |
| 14 | | electronic health information established pursuant to the |
| 15 | | federal Health Insurance Portability and Accountability Act of |
| 16 | | 1996 and the Health Information Technology for Economic and |
| 17 | | Clinical Health Act shall be deemed to be in compliance with |
| 18 | | the provisions of this Act, provided that any covered entity or |
| 19 | | business associate required to provide notification of a breach |
| 20 | | to the Secretary of Health and Human Services pursuant to the |
| 21 | | Health Information Technology for Economic and Clinical Health |
| 22 | | Act also provides such notification to the Attorney General |