Full Text of HB2871 101st General Assembly
HB2871 101ST GENERAL ASSEMBLY
|
| | 101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
HB2871 Introduced , by Rep. Celina Villanueva SYNOPSIS AS INTRODUCED:
|
| |
Creates the Data Broker Registration Act. Requires a data broker to annually register with the Secretary of State. Defines "data broker" as a business or unit of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. Provides registration requirements, the duties a data broker has to protect personally identifiable information, and the requirements for an information security program. Effective January 1, 2020.
|
| |
| | | FISCAL NOTE ACT MAY APPLY | |
| | A BILL FOR |
|
| | | HB2871 | | LRB101 08512 JRG 53589 b |
|
| | 1 | | AN ACT concerning regulation.
| | 2 | | Be it enacted by the People of the State of Illinois,
| | 3 | | represented in the General Assembly:
| | 4 | | Section 1. Short title. This Act may be cited as the Data | | 5 | | Broker Registration Act.
| | 6 | | Section 5. Definitions. | | 7 | | "Brokered personal information" means one or more of the | | 8 | | following computerized data elements about a consumer, if | | 9 | | categorized or organized for dissemination to third parties: | | 10 | | (1) name; | | 11 | | (2) address; | | 12 | | (3) date of birth; | | 13 | | (4) place of birth; | | 14 | | (5) mother's maiden name; | | 15 | | (6) unique biometric data generated from measurements | | 16 | | or technical analysis of human body characteristics used by | | 17 | | the owner or licensee of the data to identify or | | 18 | | authenticate the consumer, such as a fingerprint, retina or | | 19 | | iris image, or other unique physical representation or | | 20 | | digital representation of biometric data; | | 21 | | (7) name or address of a member of the consumer's | | 22 | | immediate family or household; | | 23 | | (8) social security number or other government-issued |
| | | HB2871 | - 2 - | LRB101 08512 JRG 53589 b |
|
| | 1 | | identification number; or | | 2 | | (9) other information that, alone or in combination | | 3 | | with the other information sold or licensed, would allow a | | 4 | | reasonable person to identify the consumer with reasonable | | 5 | | certainty. | | 6 | | "Brokered personal information" does not include publicly | | 7 | | available information to the extent that it is related to a | | 8 | | consumer's business or profession. | | 9 | | "Data broker" means a business or unit of a business, | | 10 | | separately or together, that knowingly collects and sells or | | 11 | | licenses to third parties the brokered personal information of | | 12 | | a consumer with whom the business does not have a direct | | 13 | | relationship. | | 14 | | "Data broker security breach" means an unauthorized | | 15 | | acquisition or a reasonable belief of an unauthorized | | 16 | | acquisition of more than one element of brokered personal | | 17 | | information maintained by a data broker when the brokered | | 18 | | personal information is not encrypted, redacted, or protected | | 19 | | by another method that renders the information unreadable or | | 20 | | unusable by an unauthorized person. "Data broker security | | 21 | | breach" does not include good faith but unauthorized | | 22 | | acquisition of brokered personal information by an employee or | | 23 | | agent of the data broker for a legitimate purpose of the data | | 24 | | broker if the brokered personal information is not used for a | | 25 | | purpose unrelated to the data broker's business or subject to | | 26 | | further unauthorized disclosure.
|
| | | HB2871 | - 3 - | LRB101 08512 JRG 53589 b |
|
| | 1 | | Section 10. Annual registration. | | 2 | | (a) Annually, on or before January 31 following a year in | | 3 | | which a person meets the definition of "data broker", a data | | 4 | | broker shall: | | 5 | | (1) register with the Secretary of State; | | 6 | | (2) pay a registration fee of $100; and | | 7 | | (3) provide the following information: | | 8 | | (A) the name and primary physical, email, and | | 9 | | Internet addresses of the data broker; | | 10 | | (B) if the data broker permits a consumer to opt | | 11 | | out of the data broker's collection of brokered | | 12 | | personal information, opt out of its databases, or opt | | 13 | | out of certain sales of data: | | 14 | | (i) the method for requesting an opt-out; | | 15 | | (ii) if the opt-out applies to only certain | | 16 | | activities or sales, which ones; and | | 17 | | (iii) whether the data broker permits a | | 18 | | consumer to authorize a third party to perform the | | 19 | | opt-out on the consumer's behalf; | | 20 | | (C) a statement specifying the data collection, | | 21 | | databases, or sales activities from which a consumer | | 22 | | may not opt out; | | 23 | | (D) a statement whether the data broker implements | | 24 | | a purchaser credentialing process; | | 25 | | (E) the number of data broker security breaches |
| | | HB2871 | - 4 - | LRB101 08512 JRG 53589 b |
|
| | 1 | | that the data broker has experienced during the prior | | 2 | | year, and if known, the total number of consumers | | 3 | | affected by the breaches; | | 4 | | (F) where the data broker has actual knowledge that | | 5 | | it possesses the brokered personal information of | | 6 | | minors, a separate statement detailing the data | | 7 | | collection practices, databases, sales activities, and | | 8 | | opt-out policies that are applicable to the brokered | | 9 | | personal information of minors; and | | 10 | | (G) any additional information or explanation the | | 11 | | data broker chooses to provide concerning its data | | 12 | | collection practices. | | 13 | | (b) A data broker that fails to register under subsection | | 14 | | (a) is liable to the State for: | | 15 | | (1) a civil penalty of $50 for each day, not to exceed | | 16 | | a total of $10,000 for each year, it fails to register | | 17 | | under this Section; | | 18 | | (2) an amount equal to the fees due under this Section | | 19 | | during the period it failed to register under this Section; | | 20 | | and | | 21 | | (3) other penalties imposed by law. | | 22 | | (c) The Attorney General may maintain an action in circuit | | 23 | | court to collect the penalties imposed in this Section and to | | 24 | | seek appropriate injunctive relief.
| | 25 | | Section 15. Duty to protect personally identifiable |
| | | HB2871 | - 5 - | LRB101 08512 JRG 53589 b |
|
| | 1 | | information. | | 2 | | (a) A data broker shall develop, implement, and maintain a | | 3 | | comprehensive information security program that is written in | | 4 | | one or more readily accessible parts and contains | | 5 | | administrative, technical, and physical safeguards that are | | 6 | | appropriate to: | | 7 | | (1) the size, scope, and type of business of the data | | 8 | | broker obligated to safeguard the personally identifiable | | 9 | | information under such comprehensive information security | | 10 | | program; | | 11 | | (2) the amount of resources available to the data | | 12 | | broker; | | 13 | | (3) the amount of stored data; and | | 14 | | (4) the need for security and confidentiality of | | 15 | | personally identifiable information. | | 16 | | (b) A data broker subject to this Section shall adopt | | 17 | | safeguards in the comprehensive security program that are | | 18 | | consistent with the safeguards for protection of personally | | 19 | | identifiable information and information of a similar | | 20 | | character set forth in other State rules or federal regulations | | 21 | | applicable to the data broker.
| | 22 | | Section 20. Information security program; minimum | | 23 | | features. A comprehensive information security program shall, | | 24 | | at minimum, have the following features: | | 25 | | (1) designation of one or more employees to maintain |
| | | HB2871 | - 6 - | LRB101 08512 JRG 53589 b |
|
| | 1 | | the program; | | 2 | | (2) identification and assessment of reasonably | | 3 | | foreseeable internal and external risks to the security, | | 4 | | confidentiality, and integrity of any electronic, paper, | | 5 | | or other records containing personally identifiable | | 6 | | information and a process for evaluating and improving, | | 7 | | where necessary, the effectiveness of the current | | 8 | | safeguards for limiting such risks, including: | | 9 | | (A) ongoing employee training, including training | | 10 | | for temporary and contract employees; | | 11 | | (B) employee compliance with policies and | | 12 | | procedures; and | | 13 | | (C) means for detecting and preventing security | | 14 | | system failures; | | 15 | | (3) security policies for employees relating to the | | 16 | | storage, access, and transportation of records containing | | 17 | | personally identifiable information outside business | | 18 | | premises; | | 19 | | (4) disciplinary measures for violations of the | | 20 | | comprehensive information security program rules; | | 21 | | (5) measures that prevent terminated employees from | | 22 | | accessing records containing personally identifiable | | 23 | | information; | | 24 | | (6) supervision of service providers by: | | 25 | | (A) taking reasonable steps to select and retain | | 26 | | third-party service providers that are capable of |
| | | HB2871 | - 7 - | LRB101 08512 JRG 53589 b |
|
| | 1 | | maintaining appropriate security measures to protect | | 2 | | personally identifiable information consistent with | | 3 | | applicable law; and | | 4 | | (B) requiring third-party service providers by | | 5 | | contract to implement and maintain appropriate | | 6 | | security measures for personally identifiable | | 7 | | information; | | 8 | | (7) reasonable restrictions upon physical access to | | 9 | | records containing personally identifiable information and | | 10 | | storage of the records and data in locked facilities, | | 11 | | storage areas, or containers; | | 12 | | (8) regular monitoring to ensure that the | | 13 | | comprehensive information security program is operating in | | 14 | | a manner reasonably calculated to prevent unauthorized | | 15 | | access to or unauthorized use of personally identifiable | | 16 | | information; and upgrading information safeguards as | | 17 | | necessary to limit risks; | | 18 | | (9) regular review of the scope of the security | | 19 | | measures: | | 20 | | (A) at least annually; or | | 21 | | (B) whenever there is a material change in business | | 22 | | practices that may reasonably implicate the security | | 23 | | or integrity of records containing personally | | 24 | | identifiable information; and | | 25 | | (10) documentation of responsive actions taken in | | 26 | | connection with any incident involving a breach of |
| | | HB2871 | - 8 - | LRB101 08512 JRG 53589 b |
|
| | 1 | | security; and mandatory post-incident review of events and | | 2 | | actions taken, if any, to make changes in business | | 3 | | practices relating to protection of personally | | 4 | | identifiable information.
| | 5 | | Section 25. Information security program; computer system | | 6 | | security requirements. A comprehensive information security | | 7 | | program required by this Act shall, at minimum, and to the | | 8 | | extent technically feasible, have the following elements: | | 9 | | (1) secure user authentication protocols, as follows: | | 10 | | (A) an authentication protocol that has the | | 11 | | following features: | | 12 | | (i) control of user IDs and other identifiers; | | 13 | | (ii) a reasonably secure method of assigning | | 14 | | and selecting passwords or use of unique | | 15 | | identifier technologies, such as biometrics or | | 16 | | token devices; | | 17 | | (iii) control of data security passwords to | | 18 | | ensure that such passwords are kept in a location | | 19 | | and format that do not compromise the security of | | 20 | | the data they protect; | | 21 | | (iv) restricting access to only active users | | 22 | | and active user accounts; and | | 23 | | (v) blocking access to user identification | | 24 | | after multiple unsuccessful attempts to gain | | 25 | | access; or |
| | | HB2871 | - 9 - | LRB101 08512 JRG 53589 b |
|
| | 1 | | (B) an authentication protocol that provides a | | 2 | | higher level of security than the features specified in | | 3 | | subparagraph (A). | | 4 | | (2) secure access control measures that: | | 5 | | (A) restrict access to records and files | | 6 | | containing personally identifiable information to | | 7 | | those who need such information to perform their job | | 8 | | duties; and | | 9 | | (B) assign to each person with computer access | | 10 | | unique identifications plus passwords, which are not | | 11 | | vendor-supplied default passwords, that are reasonably | | 12 | | designed to maintain the integrity of the security of | | 13 | | the access controls or a protocol that provides a | | 14 | | higher degree of security; | | 15 | | (3) encryption of all transmitted records and files | | 16 | | containing personally identifiable information that will | | 17 | | travel across public networks and encryption of all data | | 18 | | containing personally identifiable information to be | | 19 | | transmitted wirelessly or a protocol that provides a higher | | 20 | | degree of security; | | 21 | | (4) reasonable monitoring of systems for unauthorized | | 22 | | use of or access to personally identifiable information; | | 23 | | (5) encryption of all personally identifiable | | 24 | | information stored on laptops or other portable devices or | | 25 | | a protocol that provides a higher degree of security; | | 26 | | (6) for files containing personally identifiable |
| | | HB2871 | - 10 - | LRB101 08512 JRG 53589 b |
|
| | 1 | | information on a system that is connected to the Internet, | | 2 | | reasonably up-to-date firewall protection and operating | | 3 | | system security patches that are reasonably designed to | | 4 | | maintain the integrity of the personally identifiable | | 5 | | information or a protocol that provides a higher degree of | | 6 | | security; | | 7 | | (7) reasonably up-to-date versions of system security | | 8 | | agent software that must include malware protection and | | 9 | | reasonably up-to-date patches and virus definitions, or a | | 10 | | version of such software that can still be supported with | | 11 | | up-to-date patches and virus definitions and is set to | | 12 | | receive the most current security updates on a regular | | 13 | | basis or a protocol that provides a higher degree of | | 14 | | security; and | | 15 | | (8) education and training of employees on the proper | | 16 | | use of the computer security system and the importance of | | 17 | | personally identifiable information security.
| | 18 | | Section 99. Effective date. This Act takes effect January | | 19 | | 1, 2020.
|
|
Translate
