Full Text of SB1624 101st General Assembly
SB1624 101ST GENERAL ASSEMBLY |
| | 101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020 SB1624 Introduced 2/15/2019, by Sen. Suzy Glowiak SYNOPSIS AS INTRODUCED: |
| 815 ILCS 530/10 | | 815 ILCS 530/55 new | |
|
Amends the Personal Information Protection Act. Provides that a data collector required to report breaches to more than 100 Illinois residents as a result of a single breach must also report to the Attorney General. Provides that the Attorney General shall report to the General Assembly specified information concerning breaches of data security by February 1 of each year.
|
| |
| | A BILL FOR |
|
| | | SB1624 | | LRB101 10546 JLS 55652 b |
|
| 1 | | AN ACT concerning business.
| 2 | | Be it enacted by the People of the State of Illinois,
| 3 | | represented in the General Assembly:
| 4 | | Section 5. The Personal Information Protection Act is | 5 | | amended by changing Section 10 and by adding Section 55 as | 6 | | follows: | 7 | | (815 ILCS 530/10) | 8 | | Sec. 10. Notice of breach ; notice to Attorney General . | 9 | | (a) Any data collector that owns or licenses personal | 10 | | information concerning an Illinois resident shall notify the
| 11 | | resident at no charge that there has been a breach of the | 12 | | security of the
system data following discovery or notification | 13 | | of the breach.
The disclosure notification shall be made in the | 14 | | most
expedient time possible and without unreasonable delay,
| 15 | | consistent with any measures necessary to determine the
scope | 16 | | of the breach and restore the reasonable integrity,
security, | 17 | | and confidentiality of the data system. The disclosure | 18 | | notification to an Illinois resident shall include, but need | 19 | | not be limited to, information as follows: | 20 | | (1) With respect to personal information as defined in | 21 | | Section 5 in paragraph (1) of the definition of "personal | 22 | | information": | 23 | | (A) the toll-free numbers and addresses for |
| | | SB1624 | - 2 - | LRB101 10546 JLS 55652 b |
|
| 1 | | consumer reporting agencies; | 2 | | (B) the toll-free number, address, and website | 3 | | address for the Federal Trade Commission; and | 4 | | (C) a statement that the individual can obtain | 5 | | information from these sources about fraud alerts and | 6 | | security freezes. | 7 | | (2) With respect to personal information defined in | 8 | | Section 5 in paragraph (2) of the definition of "personal | 9 | | information", notice may be provided in electronic or other | 10 | | form directing the Illinois resident whose personal | 11 | | information has been breached to promptly change his or her | 12 | | user name or password and security question or answer, as | 13 | | applicable, or to take other steps appropriate to protect | 14 | | all online accounts for which the resident uses the same | 15 | | user name or email address and password or security | 16 | | question and answer. | 17 | | The notification shall not, however, include information | 18 | | concerning the number of Illinois residents affected by the | 19 | | breach. | 20 | | (b) Any data collector that maintains or stores, but does | 21 | | not own or license, computerized data that
includes personal | 22 | | information that the data collector does not own or license | 23 | | shall notify the owner or licensee of the information of any | 24 | | breach of the security of the data immediately following | 25 | | discovery, if the personal information was, or is reasonably | 26 | | believed to have been, acquired by
an unauthorized person. In |
| | | SB1624 | - 3 - | LRB101 10546 JLS 55652 b |
|
| 1 | | addition to providing such notification to the owner or | 2 | | licensee, the data collector shall cooperate with the owner or | 3 | | licensee in matters relating to the breach. That cooperation | 4 | | shall include, but need not be limited to, (i) informing the | 5 | | owner or licensee of the breach, including giving notice of the | 6 | | date or approximate date of the breach and the nature of the | 7 | | breach, and (ii) informing the owner or licensee of any steps | 8 | | the data collector has taken or plans to take relating to the | 9 | | breach. The data collector's cooperation shall not, however, be | 10 | | deemed to require either the disclosure of confidential | 11 | | business information or trade secrets or the notification of an | 12 | | Illinois resident who may have been affected by the breach.
| 13 | | (b-5) The notification to an Illinois resident required by | 14 | | subsection (a) of this Section may be delayed if an appropriate | 15 | | law enforcement agency determines that notification will | 16 | | interfere with a criminal investigation and provides the data | 17 | | collector with a written request for the delay. However, the | 18 | | data collector must notify the Illinois resident as soon as | 19 | | notification will no longer interfere with the investigation.
| 20 | | (c) For purposes of this Section, notice to consumers may | 21 | | be provided by one of the following methods:
| 22 | | (1) written notice; | 23 | | (2) electronic notice, if the notice provided is
| 24 | | consistent with the provisions regarding electronic
| 25 | | records and signatures for notices legally required to be
| 26 | | in writing as set forth in Section 7001 of Title 15 of the |
| | | SB1624 | - 4 - | LRB101 10546 JLS 55652 b |
|
| 1 | | United States Code;
or | 2 | | (3) substitute notice, if the data collector
| 3 | | demonstrates that the cost of providing notice would exceed
| 4 | | $250,000 or that the affected class of subject persons to | 5 | | be notified exceeds 500,000, or the data collector does not
| 6 | | have sufficient contact information. Substitute notice | 7 | | shall consist of all of the following: (i) email notice if | 8 | | the data collector has an email address for the subject | 9 | | persons; (ii) conspicuous posting of the notice on the data
| 10 | | collector's web site page if the data collector maintains
| 11 | | one; and (iii) notification to major statewide media or, if | 12 | | the breach impacts residents in one geographic area, to | 13 | | prominent local media in areas where affected individuals | 14 | | are likely to reside if such notice is reasonably | 15 | | calculated to give actual notice to persons whom notice is | 16 | | required. | 17 | | (d) Notwithstanding any other subsection in this Section, a | 18 | | data collector
that maintains its own notification procedures | 19 | | as part of an
information security policy for the treatment of | 20 | | personal
information and is otherwise consistent with the | 21 | | timing requirements of this Act, shall be deemed in compliance
| 22 | | with the notification requirements of this Section if the
data | 23 | | collector notifies subject persons in accordance with its | 24 | | policies in the event of a breach of the security of the system | 25 | | data.
| 26 | | (e)(1) This subsection does not apply to data collectors |
| | | SB1624 | - 5 - | LRB101 10546 JLS 55652 b |
|
| 1 | | that are covered entities or business associates and are in | 2 | | compliance with Section 50. | 3 | | (2) Any data collector required to issue notice pursuant to | 4 | | this Section to more than 100 Illinois residents as a result of | 5 | | a single breach of the security system shall provide notice to | 6 | | the Attorney General of the breach, including: | 7 | | (A) A description of the nature of the breach of | 8 | | security or unauthorized acquisition
or use. | 9 | | (B) The number of Illinois residents affected by such | 10 | | incident at the time of notification. | 11 | | (C) Any steps the data collector has taken or plans to | 12 | | take relating to the incident. | 13 | | Such notification must be made within 14 business days of | 14 | | the data collector's discovery of the security breach, or when | 15 | | the data collector provides notice to consumers pursuant to | 16 | | this Section, whichever is sooner. If the date of the breach is | 17 | | unknown at the time the notice is sent to the Attorney General, | 18 | | the data collector shall send the Attorney General the date of | 19 | | the breach as soon as possible. | 20 | | (3) Any data collector that maintains or stores, but does | 21 | | not own or license, computerized data that includes personal | 22 | | information that is required to notify the owner or licensee of | 23 | | the information that there has been a breach of the security of | 24 | | the data, shall notify the Attorney General of the following: | 25 | | (A) A description of the nature of the breach of | 26 | | security or unauthorized acquisition or use. |
| | | SB1624 | - 6 - | LRB101 10546 JLS 55652 b |
|
| 1 | | (B) The number of Illinois residents affected by such | 2 | | incident at the time of notification. | 3 | | (C) Any steps the data collector has taken or plans to | 4 | | take relating to the incident, including the steps the data | 5 | | collector has taken to inform the owner or licensee of the | 6 | | breach and what measures, if any, the data collector has | 7 | | taken to notify Illinois residents. | 8 | | Such notification must be made within 14 business days of | 9 | | the data collector's discovery of the security breach, or when | 10 | | the data collector provides notice to the owner or licensee of | 11 | | the information pursuant to this section, whichever is sooner. | 12 | | If the date of the breach is unknown at the time the notice is | 13 | | sent to the Attorney General, the data collector shall send the | 14 | | Attorney General the date of the breach as soon as possible. | 15 | | (Source: P.A. 99-503, eff. 1-1-17; 100-201, eff. 8-18-17.) | 16 | | (815 ILCS 530/55 new) | 17 | | Sec. 55. Report to General Assembly. The Attorney General | 18 | | shall report to the General Assembly by February 1 of each year | 19 | | the following: | 20 | | (1) the total number of Illinois residents affected by | 21 | | a breach of security in the preceding calendar year; | 22 | | (2) the total number of breaches of security affecting | 23 | | more than 100 Illinois residents as a result of a single | 24 | | breach in the preceding calendar year; | 25 | | (3) the total number of records breached; |
| | | SB1624 | - 7 - | LRB101 10546 JLS 55652 b |
|
| 1 | | (4) the mean and median breach size; | 2 | | (5) the types of data most commonly breached including, | 3 | | but not limited to, social security numbers, drivers' | 4 | | license numbers, financial account numbers, medical or | 5 | | health insurance information, and credentials for online | 6 | | accounts; | 7 | | (6) the most common types of breaches including, but | 8 | | not limited to, malware, hacking, physical breaches, and | 9 | | breaches caused by error or misuse; | 10 | | (7) the industry sectors most affected by security | 11 | | breaches; | 12 | | (8) the number of breaches for which there was no | 13 | | compliance with the notice requirements of this Act; and | 14 | | (9) any other information the Attorney General deems | 15 | | relevant.
|
|