Full Text of SB2400 95th General Assembly
SB2400ham002 95TH GENERAL ASSEMBLY
|
Rep. Kathleen A. Ryg
Filed: 5/29/2008
|
|
09500SB2400ham002 |
|
LRB095 19768 RPM 51599 a |
|
| 1 |
| AMENDMENT TO SENATE BILL 2400
| 2 |
| AMENDMENT NO. ______. Amend Senate Bill 2400 by replacing | 3 |
| everything after the enacting clause with the following:
| 4 |
| "Section 1. Short title. This Act may be cited as the | 5 |
| Biometric Information Privacy Act. | 6 |
| Section 5. Legislative findings; intent. The General | 7 |
| Assembly finds all of the following: | 8 |
| (a) The use of biometrics is growing in the business and | 9 |
| security screening sectors and appears to promise streamlined | 10 |
| financial transactions and security screenings. | 11 |
| (b) Major national corporations have selected the City of | 12 |
| Chicago and other locations in this State as pilot testing | 13 |
| sites for new applications of biometric-facilitated financial | 14 |
| transactions, including finger-scan technologies at grocery | 15 |
| stores, gas stations, and school cafeterias. | 16 |
| (c) Biometrics are unlike other unique identifiers that are |
|
|
|
09500SB2400ham002 |
- 2 - |
LRB095 19768 RPM 51599 a |
|
| 1 |
| used to access finances or other sensitive information. For | 2 |
| example, social security numbers, when compromised, can be | 3 |
| changed. Biometrics, however, are biologically unique to the | 4 |
| individual; therefore, once compromised, the individual has no | 5 |
| recourse, is at heightened risk for identity theft, and is | 6 |
| likely to withdraw from biometric-facilitated transactions. | 7 |
| (d) An overwhelming majority of members of the public are | 8 |
| weary of the use of biometrics when such information is tied to | 9 |
| finances and other personal information. | 10 |
| (e) Despite limited State law regulating the collection, | 11 |
| use, safeguarding, and storage of biometrics, many members of | 12 |
| the public are deterred from partaking in biometric | 13 |
| identifier-facilitated transactions. | 14 |
| (f) The full ramifications of biometric technology are not | 15 |
| fully known. | 16 |
| (g) The public welfare, security, and safety will be served | 17 |
| by regulating the collection, use, safeguarding, handling, | 18 |
| storage, retention, and destruction of biometric identifiers | 19 |
| and information.
| 20 |
| Section 10. Definitions. In this Act: | 21 |
| "Biometric identifier" means a retina or iris scan, | 22 |
| fingerprint, voiceprint, or scan of hand or face geometry. | 23 |
| Biometric identifiers do not include writing samples, written | 24 |
| signatures, photographs, human biological samples used for | 25 |
| valid scientific testing or screening, demographic data, |
|
|
|
09500SB2400ham002 |
- 3 - |
LRB095 19768 RPM 51599 a |
|
| 1 |
| tattoo descriptions, or physical descriptions such as height, | 2 |
| weight, hair color, or eye color. Biometric identifiers do not | 3 |
| include donated organs, tissues, or parts as defined in the | 4 |
| Illinois Anatomical Gift Act or blood or serum stored on behalf | 5 |
| of recipients or potential recipients of living or cadaveric | 6 |
| transplants and obtained or stored by a federally designated | 7 |
| organ procurement agency. Biometric identifiers do not include | 8 |
| biological materials regulated under the Genetic Information | 9 |
| Privacy Act. Biometric identifiers do not include information | 10 |
| captured from a patient in a health care setting or information | 11 |
| collected, used, or stored for health care treatment, payment, | 12 |
| or operations under the federal Health Insurance Portability | 13 |
| and Accountability Act of 1996. Biometric identifiers do not | 14 |
| include an X-ray, roentgen process, computed tomography, MRI, | 15 |
| PET scan, mammography, or other image or film of the human | 16 |
| anatomy used to diagnose, prognose, or treat an illness or | 17 |
| other medical condition or to further validate scientific | 18 |
| testing or screening. | 19 |
| "Biometric information" means any information, regardless | 20 |
| of how it is captured, converted, stored, or shared, based on | 21 |
| an individual's biometric identifier used to identify an | 22 |
| individual. Biometric information does not include information | 23 |
| derived from items or procedures excluded under the definition | 24 |
| of biometric identifiers. | 25 |
| "Confidential and sensitive information" means personal | 26 |
| information that can be used to uniquely identify an individual |
|
|
|
09500SB2400ham002 |
- 4 - |
LRB095 19768 RPM 51599 a |
|
| 1 |
| or an individual's account or property. Examples of | 2 |
| confidential and sensitive information include, but are not | 3 |
| limited to, a genetic marker, genetic testing information, a | 4 |
| unique identifier number to locate an account or property, an | 5 |
| account number, a PIN number, a pass code, a driver's license | 6 |
| number, or a social security number. | 7 |
| "Private entity" means any individual, partnership, | 8 |
| corporation, limited liability company, association, or other | 9 |
| group, however organized.
A private entity does not include a | 10 |
| State or local government agency. A private entity does not | 11 |
| include any court of Illinois, a clerk of the court, or a judge | 12 |
| or justice thereof. | 13 |
| "Written release" means informed written consent or, in the | 14 |
| context of employment, a release executed by an employee as a | 15 |
| condition of employment. | 16 |
| Section 15. Retention; collection; disclosure; | 17 |
| destruction. | 18 |
| (a) A private entity in possession of biometric identifiers | 19 |
| or biometric information must develop a written policy, made | 20 |
| available to the public, establishing a retention schedule and | 21 |
| guidelines for permanently destroying biometric identifiers | 22 |
| and biometric information when the initial purpose for | 23 |
| collecting or obtaining such identifiers or information has | 24 |
| been satisfied or within 3 years of the individual's last | 25 |
| interaction with the private entity, whichever occurs first. |
|
|
|
09500SB2400ham002 |
- 5 - |
LRB095 19768 RPM 51599 a |
|
| 1 |
| Absent a valid warrant or subpoena issued by a court of | 2 |
| competent jurisdiction, a private entity in possession of | 3 |
| biometric identifiers or biometric information must comply | 4 |
| with its established retention schedule and destruction | 5 |
| guidelines. | 6 |
| (b) No private entity may collect, capture, purchase, | 7 |
| receive through trade, or otherwise obtain a person's or a | 8 |
| customer's biometric identifier or biometric information, | 9 |
| unless it first: | 10 |
| (1) informs the subject or the subject's legally | 11 |
| authorized representative in writing that a biometric | 12 |
| identifier or biometric information is being collected or | 13 |
| stored; | 14 |
| (2) informs the subject or the subject's legally | 15 |
| authorized representative in writing of the specific | 16 |
| purpose and length of term for which a biometric identifier | 17 |
| or biometric information is being collected, stored, and | 18 |
| used; and | 19 |
| (3) receives a written release executed by the subject | 20 |
| of the biometric identifier or biometric information or the | 21 |
| subject's legally authorized representative.
| 22 |
| (c) No private entity in possession of a biometric | 23 |
| identifier or biometric information may sell, lease, trade, or | 24 |
| otherwise profit from a person's or a customer's biometric | 25 |
| identifier or biometric information. | 26 |
| (d) No private entity in possession of a biometric |
|
|
|
09500SB2400ham002 |
- 6 - |
LRB095 19768 RPM 51599 a |
|
| 1 |
| identifier or biometric information may disclose, redisclose, | 2 |
| or otherwise disseminate a person's or a customer's biometric | 3 |
| identifier or biometric information
unless: | 4 |
| (1) the subject of the biometric identifier or
| 5 |
| biometric information or the subject's legally authorized
| 6 |
| representative consents to the disclosure or redisclosure; | 7 |
| (2) the disclosure or redisclosure completes a | 8 |
| financial transaction requested or authorized by the | 9 |
| subject of the biometric identifier or the biometric | 10 |
| information or the subject's legally authorized | 11 |
| representative; | 12 |
| (3) the disclosure or redisclosure is required by State | 13 |
| or federal law or municipal ordinance; or | 14 |
| (4) the disclosure is required pursuant to a valid | 15 |
| warrant or subpoena issued by a court of competent | 16 |
| jurisdiction.
| 17 |
| (e) A private entity in possession of a biometric | 18 |
| identifier or biometric information shall: | 19 |
| (1) store, transmit, and protect from disclosure all | 20 |
| biometric identifiers and biometric information using the | 21 |
| reasonable standard of care within the private entity's | 22 |
| industry; and
| 23 |
| (2) store, transmit, and protect from disclosure all | 24 |
| biometric identifiers and biometric information in a | 25 |
| manner that is the same as or more protective than the | 26 |
| manner in which the private entity stores, transmits, and |
|
|
|
09500SB2400ham002 |
- 7 - |
LRB095 19768 RPM 51599 a |
|
| 1 |
| protects other confidential and sensitive information.
| 2 |
| Section 20. Right of action. Any person aggrieved by a | 3 |
| violation of this Act shall have a right of action in a State | 4 |
| circuit court or as a supplemental claim in federal district | 5 |
| court against an offending party. A prevailing party may | 6 |
| recover for each violation: | 7 |
| (1) against a private entity that negligently violates | 8 |
| a provision of this Act, liquidated damages of $1,000 or | 9 |
| actual damages, whichever is greater; | 10 |
| (2) against a private entity that intentionally or | 11 |
| recklessly violates a provision of this Act, liquidated | 12 |
| damages of $5,000 or actual damages, whichever is greater; | 13 |
| (3) reasonable attorneys' fees and costs, including | 14 |
| expert witness fees and other litigation expenses; and | 15 |
| (4) other relief, including an injunction, as the State | 16 |
| or federal court may deem appropriate.
| 17 |
| Section 25. Construction. | 18 |
| (a) Nothing in this Act shall be construed to impact the | 19 |
| admission or discovery of biometric identifiers and biometric | 20 |
| information in any action of any kind in any court, or before | 21 |
| any tribunal, board, agency, or person. | 22 |
| (b) Nothing in this Act shall be construed to conflict with | 23 |
| the X-Ray Retention Act, the federal Health Insurance | 24 |
| Portability and Accountability Act of 1996 and the rules |
|
|
|
09500SB2400ham002 |
- 8 - |
LRB095 19768 RPM 51599 a |
|
| 1 |
| promulgated under either Act. | 2 |
| (c) Nothing in this Act shall be deemed to apply in any | 3 |
| manner to a financial institution or an affiliate of a | 4 |
| financial institution that is subject to Title V of the federal | 5 |
| Gramm-Leach-Bliley Act of 1999 and the rules promulgated | 6 |
| thereunder. | 7 |
| (d) Nothing in this Act shall be construed to conflict with | 8 |
| the Private Detective, Private Alarm, Private Security, | 9 |
| Fingerprint Vendor, and Locksmith Act of 2004 and the rules | 10 |
| promulgated thereunder. | 11 |
| (e) Nothing in this Act shall be construed to apply to a | 12 |
| contractor, subcontractor, or agent of a State agency or local | 13 |
| unit of government when working for that State agency or local | 14 |
| unit of government.
| 15 |
| Section 30. Biometric Information Privacy Study Committee. | 16 |
| (a) The Department of Human Services, in conjunction with | 17 |
| Central Management Services, subject to appropriation or other | 18 |
| funds made available for this purpose, shall create the | 19 |
| Biometric Information Privacy Study Committee, hereafter | 20 |
| referred to as the Committee. The Department of Human Services, | 21 |
| in conjunction with Central Management Services, shall provide | 22 |
| staff and administrative support to the Committee. The | 23 |
| Committee shall examine (i) current policies, procedures, and | 24 |
| practices used by State and local governments to protect an | 25 |
| individual against unauthorized disclosure of his or her |
|
|
|
09500SB2400ham002 |
- 9 - |
LRB095 19768 RPM 51599 a |
|
| 1 |
| biometric identifiers and biometric information when State or | 2 |
| local government requires the individual to provide his or her | 3 |
| biometric identifiers to an officer or agency of the State or | 4 |
| local government; (ii) issues related to the collection, | 5 |
| destruction, security, and ramifications of biometric | 6 |
| identifiers, biometric information, and biometric technology; | 7 |
| and (iii) technical and procedural changes necessary in order | 8 |
| to implement and enforce reasonable, uniform biometric | 9 |
| safeguards by State and local government agencies. | 10 |
| (b) The Committee shall hold such public hearings as it | 11 |
| deems necessary and present a report of its findings and | 12 |
| recommendations to the General Assembly before January 1, 2009. | 13 |
| The Committee may begin to conduct business upon appointment of | 14 |
| a majority of its members. All appointments shall be completed | 15 |
| by 4 months prior to the release of the Committee's final | 16 |
| report. The Committee shall meet at least twice and at other | 17 |
| times at the call of the chair and may conduct meetings by | 18 |
| telecommunication, where possible, in order to minimize travel | 19 |
| expenses. The Committee shall consist of 27 members appointed | 20 |
| as follows: | 21 |
| (1) 2 members appointed by the President of the Senate; | 22 |
| (2) 2 members appointed by the Minority Leader of the | 23 |
| Senate; | 24 |
| (3) 2 members appointed by the Speaker of the House of | 25 |
| Representatives; | 26 |
| (4) 2 members appointed by the Minority Leader of the |
|
|
|
09500SB2400ham002 |
- 10 - |
LRB095 19768 RPM 51599 a |
|
| 1 |
| House of Representatives; | 2 |
| (5) One member representing the Office of the Governor, | 3 |
| appointed by the Governor; | 4 |
| (6) One member, who shall serve as the chairperson of | 5 |
| the Committee, representing the Office of the Attorney | 6 |
| General, appointed by the Attorney General; | 7 |
| (7) One member representing the Office of the Secretary | 8 |
| of the State, appointed by the Secretary of State; | 9 |
| (8) One member from each of the following State | 10 |
| agencies appointed by their respective heads: Department | 11 |
| of Corrections, Department of Public Health, Department of | 12 |
| Human Services, Central Management Services, Illinois | 13 |
| Commerce Commission, Illinois State Police; Department of | 14 |
| Revenue; | 15 |
| (9) One member appointed by the chairperson of the | 16 |
| Committee, representing the interests of the City of | 17 |
| Chicago; | 18 |
| (10) 2 members appointed by the chairperson of the | 19 |
| Committee, representing the interests of other | 20 |
| municipalities; | 21 |
| (11) 2 members appointed by the chairperson of the | 22 |
| Committee, representing the interests of public hospitals; | 23 |
| and | 24 |
| (12) 4 public members appointed by the chairperson of | 25 |
| the Committee, representing the interests of the civil | 26 |
| liberties community, the electronic privacy community, and |
|
|
|
09500SB2400ham002 |
- 11 - |
LRB095 19768 RPM 51599 a |
|
| 1 |
| government employees. | 2 |
| (c) This Section is repealed January 1, 2009. | 3 |
| Section 99. Effective date. This Act takes effect upon | 4 |
| becoming law.".
|
|