Full Text of HB2871 101st General Assembly
101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
HB2871
Introduced, by Rep. Celina Villanueva

SYNOPSIS AS INTRODUCED:
Creates the Data Broker Registration Act. Requires a data broker to annually register with the Secretary of State. Defines "data broker" as a business or unit of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. Provides registration requirements, the duties a data broker has to protect personally identifiable information, and the requirements for an information security program. Effective January 1, 2020.

FISCAL NOTE ACT MAY APPLY

A BILL FOR

HB2871 LRB101 08512 JRG 53589 b

AN ACT concerning regulation.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Data Broker Registration Act.

Section 5. Definitions.

"Brokered personal information" means one or more of the following computerized data elements about a consumer, if categorized or organized for dissemination to third parties:
    (1) name;
    (2) address;
    (3) date of birth;
    (4) place of birth;
    (5) mother's maiden name;
    (6) unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee of the data to identify or authenticate the consumer, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data;
    (7) name or address of a member of the consumer's immediate family or household;
    (8) social security number or other government-issued identification number; or
    (9) other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.

"Brokered personal information" does not include publicly available information to the extent that it is related to a consumer's business or profession.

"Data broker" means a business or unit of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.

"Data broker security breach" means an unauthorized acquisition or a reasonable belief of an unauthorized acquisition of more than one element of brokered personal information maintained by a data broker when the brokered personal information is not encrypted, redacted, or protected by another method that renders the information unreadable or unusable by an unauthorized person. "Data broker security breach" does not include good faith but unauthorized acquisition of brokered personal information by an employee or agent of the data broker for a legitimate purpose of the data broker if the brokered personal information is not used for a purpose unrelated to the data broker's business or subject to further unauthorized disclosure.

Section 10. Annual registration.

(a) Annually, on or before January 31 following a year in which a person meets the definition of "data broker", a data broker shall:
    (1) register with the Secretary of State;
    (2) pay a registration fee of $100; and
    (3) provide the following information:
        (A) the name and primary physical, email, and Internet addresses of the data broker;
        (B) if the data broker permits a consumer to opt out of the data broker's collection of brokered personal information, opt out of its databases, or opt out of certain sales of data:
            (i) the method for requesting an opt-out;
            (ii) if the opt-out applies to only certain activities or sales, which ones; and
            (iii) whether the data broker permits a consumer to authorize a third party to perform the opt-out on the consumer's behalf;
        (C) a statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;
        (D) a statement whether the data broker implements a purchaser credentialing process;
        (E) the number of data broker security breaches that the data broker has experienced during the prior year, and if known, the total number of consumers affected by the breaches;
        (F) where the data broker has actual knowledge that it possesses the brokered personal information of minors, a separate statement detailing the data collection practices, databases, sales activities, and opt-out policies that are applicable to the brokered personal information of minors; and
        (G) any additional information or explanation the data broker chooses to provide concerning its data collection practices.

(b) A data broker that fails to register under subsection (a) is liable to the State for:
    (1) a civil penalty of $50 for each day, not to exceed a total of $10,000 for each year, it fails to register under this Section;
    (2) an amount equal to the fees due under this Section during the period it failed to register under this Section; and
    (3) other penalties imposed by law.

(c) The Attorney General may maintain an action in circuit court to collect the penalties imposed in this Section and to seek appropriate injunctive relief.

Section 15. Duty to protect personally identifiable information.

(a) A data broker shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to:
    (1) the size, scope, and type of business of the data broker obligated to safeguard the personally identifiable information under such comprehensive information security program;
    (2) the amount of resources available to the data broker;
    (3) the amount of stored data; and
    (4) the need for security and confidentiality of personally identifiable information.

(b) A data broker subject to this Section shall adopt safeguards in the comprehensive security program that are consistent with the safeguards for protection of personally identifiable information and information of a similar character set forth in other State rules or federal regulations applicable to the data broker.

Section 20. Information security program; minimum features. A comprehensive information security program shall, at minimum, have the following features:
    (1) designation of one or more employees to maintain the program;
    (2) identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other records containing personally identifiable information and a process for evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including:
        (A) ongoing employee training, including training for temporary and contract employees;
        (B) employee compliance with policies and procedures; and
        (C) means for detecting and preventing security system failures;
    (3) security policies for employees relating to the storage, access, and transportation of records containing personally identifiable information outside business premises;
    (4) disciplinary measures for violations of the comprehensive information security program rules;
    (5) measures that prevent terminated employees from accessing records containing personally identifiable information;
    (6) supervision of service providers by:
        (A) taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personally identifiable information consistent with applicable law; and
        (B) requiring third-party service providers by contract to implement and maintain appropriate security measures for personally identifiable information;
    (7) reasonable restrictions upon physical access to records containing personally identifiable information and storage of the records and data in locked facilities, storage areas, or containers;
    (8) regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personally identifiable information; and upgrading information safeguards as necessary to limit risks;
    (9) regular review of the scope of the security measures:
        (A) at least annually; or
        (B) whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personally identifiable information; and
    (10) documentation of responsive actions taken in connection with any incident involving a breach of security; and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personally identifiable information.

Section 25. Information security program; computer system security requirements. A comprehensive information security program required by this Act shall, at minimum, and to the extent technically feasible, have the following elements:
    (1) secure user authentication protocols, as follows:
        (A) an authentication protocol that has the following features:
            (i) control of user IDs and other identifiers;
            (ii) a reasonably secure method of assigning and selecting passwords or use of unique identifier technologies, such as biometrics or token devices;
            (iii) control of data security passwords to ensure that such passwords are kept in a location and format that do not compromise the security of the data they protect;
            (iv) restricting access to only active users and active user accounts; and
            (v) blocking access to user identification after multiple unsuccessful attempts to gain access; or
        (B) an authentication protocol that provides a higher level of security than the features specified in subparagraph (A).
    (2) secure access control measures that:
        (A) restrict access to records and files containing personally identifiable information to those who need such information to perform their job duties; and
        (B) assign to each person with computer access unique identifications plus passwords, which are not vendor-supplied default passwords, that are reasonably designed to maintain the integrity of the security of the access controls or a protocol that provides a higher degree of security;
    (3) encryption of all transmitted records and files containing personally identifiable information that will travel across public networks and encryption of all data containing personally identifiable information to be transmitted wirelessly or a protocol that provides a higher degree of security;
    (4) reasonable monitoring of systems for unauthorized use of or access to personally identifiable information;
    (5) encryption of all personally identifiable information stored on laptops or other portable devices or a protocol that provides a higher degree of security;
    (6) for files containing personally identifiable information on a system that is connected to the Internet, reasonably up-to-date firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personally identifiable information or a protocol that provides a higher degree of security;
    (7) reasonably up-to-date versions of system security agent software that must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions and is set to receive the most current security updates on a regular basis or a protocol that provides a higher degree of security; and
    (8) education and training of employees on the proper use of the computer security system and the importance of personally identifiable information security.
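Section 25(1)(A) and 25(2)(B) describe an authentication gate in words: unique user IDs, passwords that are not vendor defaults and are stored in a form that does not expose them, access limited to active accounts, and lockout after repeated failures. The following Python is an added illustration written for this page, not text of the bill and not any data broker's code; it shows what those features look like when implemented together. The lockout threshold of five attempts, the twelve-character minimum, the PBKDF2 round count, and the vendor-default password list are all assumptions chosen for the example (the bill says only "multiple unsuccessful attempts" and "not vendor-supplied default passwords"), and every account record is constructed inline.

```python
"""Minimal authentication gate illustrating HB2871 Section 25(1)(A)(i)-(v)
and 25(2)(B). Added example; thresholds and the default-password list are
assumptions, not values taken from the bill."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5       # assumed; the bill says only "multiple" attempts
MIN_PASSWORD_LENGTH = 12      # assumed selection rule for 25(1)(A)(ii)
PBKDF2_ROUNDS = 100_000       # assumed work factor for the stored hash
# Constructed list standing in for vendor-supplied defaults, 25(2)(B).
VENDOR_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456"}
# Fixed salt used only to equalise timing for unknown user IDs.
_DUMMY_SALT = b"\x00" * 16


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    active: bool = True          # 25(1)(A)(iv): only active accounts may log in
    failed_attempts: int = 0
    locked: bool = False         # 25(1)(A)(v): set after repeated failures


def hash_password(password: str, salt: bytes) -> bytes:
    """25(1)(A)(iii): keep a salted one-way hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_acceptable(password: str) -> bool:
    """25(2)(B) plus the assumed length rule: reject vendor defaults and short values."""
    return password.lower() not in VENDOR_DEFAULT_PASSWORDS and len(password) >= MIN_PASSWORD_LENGTH


class AuthGate:
    def __init__(self):
        self.accounts = {}

    def create_account(self, user_id: str, password: str) -> None:
        # 25(1)(A)(i): user IDs are controlled and unique.
        if user_id in self.accounts:
            raise ValueError("duplicate user id")
        if not password_acceptable(password):
            raise ValueError("password rejected by policy")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(password, salt))

    def deactivate(self, user_id: str) -> None:
        """Section 20(5) in practice: a departed employee's account stops working."""
        self.accounts[user_id].active = False

    def authenticate(self, user_id: str, password: str) -> str:
        """Returns "ok", "denied", "denied:inactive" or "denied:locked"."""
        acct = self.accounts.get(user_id)
        if acct is None:
            # Do the same hashing work so unknown and known IDs take similar time.
            hash_password(password, _DUMMY_SALT)
            return "denied"
        if not acct.active:
            return "denied:inactive"
        if acct.locked:
            return "denied:locked"
        # Constant-time comparison of the stored and freshly computed hashes.
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True          # 25(1)(A)(v): block after multiple failures
            return "denied:locked"
        return "denied"


if __name__ == "__main__":
    gate = AuthGate()
    gate.create_account("alice", "correct horse battery")   # constructed credentials
    print(gate.authenticate("alice", "correct horse battery"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(gate.authenticate("alice", "wrong-guess"))
```

Two design points worth noting: the unknown-user path still performs a hash so that response time does not reveal which IDs exist, and the lockout state is stored with the account rather than inferred from a log, so a restart of the service does not silently reset the counter. A production system would additionally record each failed and locked attempt for the monitoring that Section 25(4) calls for.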
Section 99. Effective date. This Act takes effect January 1, 2020.