Full Text of HB4449 94th General Assembly
HB4449ham001 94TH GENERAL ASSEMBLY
|
State Government Administration Committee
Adopted in House Comm. on Jan 25, 2006
|
|
09400HB4449ham001 |
|
LRB094 17445 LCT 54870 a |
|
| 1 |
| AMENDMENT TO HOUSE BILL 4449
| 2 |
| AMENDMENT NO. ______. Amend House Bill 4449 by replacing | 3 |
| everything after the enacting clause with the following:
| 4 |
| "Section 5. The Personal Information Protection Act is | 5 |
| amended by changing Section 10 and by adding Sections 12, 25, | 6 |
| and 30 as follows: | 7 |
| (815 ILCS 530/10)
| 8 |
| Sec. 10. Notice of Breach. | 9 |
| (a) Any data collector that owns or licenses personal | 10 |
| information concerning an Illinois resident shall notify the
| 11 |
| resident at no charge that there has been a breach of the | 12 |
| security of the
system data following discovery or notification | 13 |
| of the breach.
The disclosure notification shall be made in the | 14 |
| most
expedient time possible and without unreasonable delay,
| 15 |
| consistent with any measures necessary to determine the
scope | 16 |
| of the breach and restore the reasonable integrity,
security, | 17 |
| and confidentiality of the data system.
| 18 |
| (b) Any data collector that maintains computerized data | 19 |
| that
includes personal information that the data collector does | 20 |
| not own or license shall notify the owner or licensee of the | 21 |
| information of any breach of the security of the data | 22 |
| immediately following discovery, if the personal information | 23 |
| was, or is reasonably believed to have been, acquired by
an | 24 |
| unauthorized person.
|
|
|
|
09400HB4449ham001 |
- 2 - |
LRB094 17445 LCT 54870 a |
|
| 1 |
| (c) For purposes of this Section, notice to consumers may | 2 |
| be provided by one of the following methods:
| 3 |
| (1) written notice; | 4 |
| (2) electronic notice, if the notice provided is
| 5 |
| consistent with the provisions regarding electronic
| 6 |
| records and signatures for notices legally required to be
| 7 |
| in writing as set forth in Section 7001 of Title 15 of the | 8 |
| United States Code;
or | 9 |
| (3) substitute notice, if the data collector
| 10 |
| demonstrates that the cost of providing notice would exceed
| 11 |
| $250,000 or that the affected class of subject persons to | 12 |
| be notified exceeds 500,000, or the data collector does not
| 13 |
| have sufficient contact information. Substitute notice | 14 |
| shall consist of all of the following: (i) email notice if | 15 |
| the data collector has an email address for the subject | 16 |
| persons; (ii) conspicuous posting of the notice on the data
| 17 |
| collector's web site page if the data collector maintains
| 18 |
| one; and (iii) notification to major statewide media. | 19 |
| (d) Notwithstanding subsection (c), a data collector
that | 20 |
| maintains its own notification procedures as part of an
| 21 |
| information security policy for the treatment of personal
| 22 |
| information and is otherwise consistent with the timing | 23 |
| requirements of this Act, shall be deemed in compliance
with | 24 |
| the notification requirements of this Section if the
data | 25 |
| collector notifies subject persons in accordance with its | 26 |
| policies in the event of a breach of the security of the system | 27 |
| data.
| 28 |
| (Source: P.A. 94-36, eff. 1-1-06.) | 29 |
| (815 ILCS 530/12 new)
| 30 |
| Sec. 12. Notice of breach; State agency. | 31 |
| (a) Any State agency that collects personal information | 32 |
| concerning an Illinois resident shall notify the
resident at no | 33 |
| charge that there has been a breach of the security of the
|
|
|
|
09400HB4449ham001 |
- 3 - |
LRB094 17445 LCT 54870 a |
|
| 1 |
| system data or written material following discovery or | 2 |
| notification of the breach.
The disclosure notification shall | 3 |
| be made in the most
expedient time possible and without | 4 |
| unreasonable delay,
consistent with any measures necessary to | 5 |
| determine the
scope of the breach and restore the reasonable | 6 |
| integrity,
security, and confidentiality of the data system. | 7 |
| (b) For purposes of this Section, notice to residents may | 8 |
| be provided by one of the following methods:
| 9 |
| (1) written notice;
| 10 |
| (2) electronic notice, if the notice provided is
| 11 |
| consistent with the provisions regarding electronic
| 12 |
| records and signatures for notices legally required to be
| 13 |
| in writing as set forth in Section 7001 of Title 15 of the | 14 |
| United States Code;
or
| 15 |
| (3) substitute notice, if the State agency
| 16 |
| demonstrates that the cost of providing notice would exceed
| 17 |
| $250,000 or that the affected class of subject persons to | 18 |
| be notified exceeds 500,000, or the State agency does not
| 19 |
| have sufficient contact information. Substitute notice | 20 |
| shall consist of all of the following: (i) email notice if | 21 |
| the State agency has an email address for the subject | 22 |
| persons; (ii) conspicuous posting of the notice on the | 23 |
| State agency's web site page if the State agency maintains
| 24 |
| one; and (iii) notification to major statewide media.
| 25 |
| (c) Notwithstanding subsection (b), a State agency
that | 26 |
| maintains its own notification procedures as part of an
| 27 |
| information security policy for the treatment of personal
| 28 |
| information and is otherwise consistent with the timing | 29 |
| requirements of this Act shall be deemed in compliance
with the | 30 |
| notification requirements of this Section if the
State agency | 31 |
| notifies subject persons in accordance with its policies in the | 32 |
| event of a breach of the security of the system data or written | 33 |
| material.
| 34 |
| (d) If a State agency is required to notify more than 1,000 |
|
|
|
09400HB4449ham001 |
- 4 - |
LRB094 17445 LCT 54870 a |
|
| 1 |
| persons of a breach of security pursuant to this Section, the | 2 |
| State agency shall also notify, without unreasonable delay, all | 3 |
| consumer reporting agencies that compile and maintain files on | 4 |
| consumers on a nationwide basis, as defined by 15 U.S.C. | 5 |
| Section 1681a(p), of the timing, distribution, and content of | 6 |
| the notices. Nothing in this subsection (d) shall be construed | 7 |
| to require the State agency to provide to the consumer | 8 |
| reporting agency the names or other personal identifying | 9 |
| information of breach notice recipients.
| 10 |
| (815 ILCS 530/25 new)
| 11 |
| Sec. 25. Annual reporting. Any State agency that collects | 12 |
| personal data and has had a breach of security of the system | 13 |
| data or written material shall submit a report within 5 | 14 |
| business days of the discovery or notification of the breach to | 15 |
| the General Assembly listing the breaches and outlining any | 16 |
| corrective measures that have been taken to prevent future | 17 |
| breaches of the security of the system data or written | 18 |
| material. Any State agency that has submitted a report under | 19 |
| this Section shall submit an annual report listing all breaches | 20 |
| of security of the system data or written materials and the | 21 |
| corrective measures that have been taken to prevent future | 22 |
| breaches. | 23 |
| (815 ILCS 530/30 new)
| 24 |
| Sec. 30. Safe disposal of information. Any State agency | 25 |
| that collects personal data that is no longer needed or stored | 26 |
| at the agency shall dispose of the personal data or written | 27 |
| material it has collected in such a manner as to ensure the | 28 |
| security and confidentiality of the material.
| 29 |
| Section 99. Effective date. This Act takes effect upon | 30 |
| becoming law.".
|
|