Full Text of SB2301 101st General Assembly
SB2301sam001 101ST GENERAL ASSEMBLY | Sen. Dan McConchie Filed: 5/29/2020
| | 10100SB2301sam001 | | LRB101 15374 JLS 72248 a |
|
| 1 | | AMENDMENT TO SENATE BILL 2301
| 2 | | AMENDMENT NO. ______. Amend Senate Bill 2301 by replacing | 3 | | everything after the enacting clause with the following:
| 4 | | "Section 5. The Personal Information Protection Act is | 5 | | amended by changing Section 12 as follows: | 6 | | (815 ILCS 530/12) | 7 | | Sec. 12. Notice of breach; State agency. | 8 | | (a) Any State agency that collects personal information | 9 | | concerning an Illinois resident shall notify the
resident at no | 10 | | charge that there has been a breach of the security of the
| 11 | | system data or written material following discovery or | 12 | | notification of the breach.
The disclosure notification shall | 13 | | be made in the most
expedient time possible and without | 14 | | unreasonable delay,
consistent with any measures necessary to | 15 | | determine the
scope of the breach and restore the reasonable | 16 | | integrity,
security, and confidentiality of the data system. |
| | | 10100SB2301sam001 | - 2 - | LRB101 15374 JLS 72248 a |
|
| 1 | | The disclosure notification to an Illinois resident shall | 2 | | include, but need not be limited to information as follows: | 3 | | (1) With respect to personal information defined in | 4 | | Section 5 in paragraph (1) of the definition of "personal | 5 | | information": | 6 | | (i) the toll-free numbers and addresses for | 7 | | consumer reporting agencies; | 8 | | (ii) the toll-free number, address, and website | 9 | | address for the Federal Trade Commission; and | 10 | | (iii) a statement that the individual can obtain | 11 | | information from these sources about fraud alerts and | 12 | | security freezes. | 13 | | (2) With respect to personal information as defined in | 14 | | Section 5 in paragraph (2) of the definition of "personal | 15 | | information", notice may be provided in electronic or other | 16 | | form directing the Illinois resident whose personal | 17 | | information has been breached to promptly change his or her | 18 | | user name or password and security question or answer, as | 19 | | applicable, or to take other steps appropriate to protect | 20 | | all online accounts for which the resident uses the same | 21 | | user name or email address and password or security | 22 | | question and answer. | 23 | | The notification shall not, however, include information | 24 | | concerning the number of Illinois residents affected by the | 25 | | breach. | 26 | | (a-5) The notification to an Illinois resident required by |
| | | 10100SB2301sam001 | - 3 - | LRB101 15374 JLS 72248 a |
|
| 1 | | subsection (a) of this Section may be delayed if an appropriate | 2 | | law enforcement agency determines that notification will | 3 | | interfere with a criminal investigation and provides the State | 4 | | agency with a written request for the delay. However, the State | 5 | | agency must notify the Illinois resident as soon as | 6 | | notification will no longer interfere with the investigation. | 7 | | (b) For purposes of this Section, notice to residents may | 8 | | be provided by one of the following methods:
| 9 | | (1) written notice;
| 10 | | (2) electronic notice, if the notice provided is
| 11 | | consistent with the provisions regarding electronic
| 12 | | records and signatures for notices legally required to be
| 13 | | in writing as set forth in Section 7001 of Title 15 of the | 14 | | United States Code;
or
| 15 | | (3) substitute notice, if the State agency
| 16 | | demonstrates that the cost of providing notice would exceed
| 17 | | $250,000 or that the affected class of subject persons to | 18 | | be notified exceeds 500,000, or the State agency does not
| 19 | | have sufficient contact information. Substitute notice | 20 | | shall consist of all of the following: (i) email notice if | 21 | | the State agency has an email address for the subject | 22 | | persons; (ii) conspicuous posting of the notice on the | 23 | | State agency's web site page if the State agency maintains
| 24 | | one; and (iii) notification to major statewide media.
| 25 | | (c) Notwithstanding subsection (b), a State agency
that | 26 | | maintains its own notification procedures as part of an
|
| | | 10100SB2301sam001 | - 4 - | LRB101 15374 JLS 72248 a |
|
| 1 | | information security policy for the treatment of personal
| 2 | | information and is otherwise consistent with the timing | 3 | | requirements of this Act shall be deemed in compliance
with the | 4 | | notification requirements of this Section if the
State agency | 5 | | notifies subject persons in accordance with its policies in the | 6 | | event of a breach of the security of the system data or written | 7 | | material.
| 8 | | (d) If a State agency is required to notify more than 1,000 | 9 | | persons of a breach of security pursuant to this Section, the | 10 | | State agency shall also notify, without unreasonable delay, all | 11 | | consumer reporting agencies that compile and maintain files on | 12 | | consumers on a nationwide basis, as defined by 15 U.S.C. | 13 | | Section 1681a(p), of the timing, distribution, and content of | 14 | | the notices. Nothing in this subsection (d) shall be construed | 15 | | to require the State agency to provide to the consumer | 16 | | reporting agency the names or other personal identifying | 17 | | information of breach notice recipients.
| 18 | | (e) Notice to Attorney General. Any State agency that | 19 | | suffers a single breach of the security of the data concerning | 20 | | the personal information of more than 250 Illinois residents | 21 | | shall provide notice to the Attorney General of the breach, | 22 | | including: | 23 | | (A) The types of personal information compromised in | 24 | | the breach. | 25 | | (B) The number of Illinois residents affected by such | 26 | | incident at the time of notification. |
| | | 10100SB2301sam001 | - 5 - | LRB101 15374 JLS 72248 a |
|
| 1 | | (C) Any steps the State agency has taken or plans to | 2 | | take relating to notification of the breach to consumers. | 3 | | (D) The date and timeframe of the breach, if known at | 4 | | the time notification is provided. | 5 | | Such notification must be made within 45 days of the State | 6 | | agency's discovery of the security breach or when the State | 7 | | agency provides any notice to consumers required by this | 8 | | Section, whichever is sooner, unless the State agency has good | 9 | | cause for reasonable delay to determine the scope of the breach | 10 | | and restore the integrity, security, and confidentiality of the | 11 | | data system, or when law enforcement requests in writing to | 12 | | withhold disclosure of some or all of the information required | 13 | | in the notification under this Section. If the date or | 14 | | timeframe of the breach is unknown at the time the notice is | 15 | | sent to the Attorney General, the State agency shall send the | 16 | | Attorney General the date or timeframe of the breach as soon as | 17 | | possible. | 18 | | (f) In addition to the report required by Section 25 of | 19 | | this Act, if the State agency that suffers a breach determines | 20 | | the identity of the actor who perpetrated the breach, then the | 21 | | State agency shall report this information, within 5 days after | 22 | | the determination, to the General Assembly, provided that such | 23 | | report would not jeopardize the security of Illinois residents | 24 | | or compromise a security investigation. | 25 | | (g) A State agency directly responsible to the Governor | 26 | | that has been subject to or has reason to believe it has been |
| | | 10100SB2301sam001 | - 6 - | LRB101 15374 JLS 72248 a |
|
| 1 | | subject to a single breach of the security of the data | 2 | | concerning the personal information of more than 250 Illinois | 3 | | residents or an instance of aggravated computer tampering, as | 4 | | defined in Section 17-53 of the Criminal Code of 2012, shall | 5 | | notify the Office of the Chief Information Security Officer of | 6 | | the Illinois Department of Innovation and Technology and the | 7 | | Attorney General regarding the breach or instance of aggravated | 8 | | computer tampering. The notification shall be made without | 9 | | delay, but no later than 72 hours following the discovery of | 10 | | the incident. | 11 | | Upon receiving notification of such incident, the Chief | 12 | | Information Security Officer shall without delay take | 13 | | necessary and reasonable actions to: | 14 | | (i) assess the incident to determine the potential | 15 | | impact on the overall confidentiality, security, and | 16 | | availability of State of Illinois data and information | 17 | | systems; | 18 | | (ii) ensure the security incident is contained to | 19 | | minimize additional impact and risk to the State; | 20 | | (iii) identify the root cause of the incident; | 21 | | (iv) provide recommendations to the impacted State | 22 | | agency to assist with eradicating the threat and removing | 23 | | and mitigating any vulnerabilities to reduce the risk of | 24 | | further compromise; and | 25 | | (v) assist the impacted State agency in any necessary | 26 | | recovery efforts to ensure effective return to a state of |
| | | 10100SB2301sam001 | - 7 - | LRB101 15374 JLS 72248 a |
|
| 1 | | normal operations. | 2 | | The Department of Innovation and Technology may agree to | 3 | | submit the reports required in subsections (e) and (f) of this | 4 | | Section and in Section 25 in lieu of the impacted agency. | 5 | | (h) Upon receiving notification from a State agency of a | 6 | | breach of personal information or from the Department of | 7 | | Innovation and Technology in lieu of the impacted agency, the | 8 | | Attorney General may publish the name of the State agency that | 9 | | suffered the breach, the types of personal information | 10 | | compromised in the breach, and the date range of the breach. | 11 | | (i) A State agency that is required to provide notification | 12 | | of a breach of security under subsection (a) shall offer, at no | 13 | | charge to the affected resident, credit monitoring for 12 | 14 | | months from the date of the notification to residents of the | 15 | | State whose personal information has been breached. A State | 16 | | agency may procure credit monitoring services by (1) procuring | 17 | | credit monitoring services through a contract with the agency, | 18 | | (2) procuring credit monitoring services pursuant to an | 19 | | intergovernmental agreement with one or more other State | 20 | | agencies entering into a master contract for credit monitoring | 21 | | services, or (3) procuring cyber security insurance coverage | 22 | | through the Department of Innovation and Technology. If a State | 23 | | agency does not have sufficient appropriation authority to pay | 24 | | for credit monitoring, the 12-month period does not begin until | 25 | | sufficient appropriation authority is obtained. A State agency | 26 | | shall immediately notify the Governor, the Governor's Office of |
| | | 10100SB2301sam001 | - 8 - | LRB101 15374 JLS 72248 a |
|
| 1 | | Management and Budget, the Commission on Government | 2 | | Forecasting and Accountability, and the General Assembly of the | 3 | | need for additional appropriation authority to pay for the | 4 | | costs of credit monitoring. | 5 | | (Source: P.A. 99-503, eff. 1-1-17; 100-412, eff. 8-25-17.)
| 6 | | Section 99. Effective date. This Act takes effect upon | 7 | | becoming law.".
|
|