Full Text of HB3743 94th General Assembly

94TH GENERAL ASSEMBLY
State of Illinois
2005 and 2006 HB3743

Introduced 2/24/2005, by Rep. Rosemary Mulligan

SYNOPSIS AS INTRODUCED:

Creates the Security Breach Notification Act. Requires any person or business conducting business in the State, and that owns or licenses computerized data that includes personal information, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any person whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person. Requires any person or business that maintains computerized data that includes personal information that the person or business does not own, to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery of such breach, if the personal information was, or is reasonably believed to have been acquired by an unauthorized person. Provides that notice may be provided to a customer in one of the following ways: (1) written notice; (2) electronic notice; or (3) substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Provides a private right of action for a violation of the Act.

A BILL FOR

HB3743
LRB094 11457 RXD 42382 b

AN ACT concerning security.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Security Breach Notification Act.

Section 5. Definitions. In this Act:

"Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business. "Breach of the security of the system" does not include good faith acquisition of personal information by an employee or agent of the person or business, provided that the personal information is not used or subject to further unauthorized disclosure.

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:

(1) Social security number.

(2) Driver's license number or Illinois State Identification Card number.

(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

Section 10. Security breach; notification.

(a) Any person or business that conducts business in the State, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any person whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person. Disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of the law enforcement agency, as provided in subsection (b), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any person or business that maintains computerized data that includes personal information that the person or business does not own, shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been acquired by an unauthorized person.

(1) Notice may be provided by one of the following methods:

(A) written notice;

(B) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or

(C) substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notification if the person or business has an email address for the person to be notified; (ii) conspicuous posting of the notice on the web site page of the person or business, if the person or business maintains a web site page; and (iii) notification to major statewide media outlets.

(2) The notification required by this subsection (b) may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. Notification shall be made after the law enforcement agency determines that it will not compromise its investigation.

Section 15. Notification; compliance. Notwithstanding subsection (b) of Section 10, a person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed to be in compliance with the notification requirements provided under Section 10 of this Act if the person or business notifies persons in accordance with its policies in the event of a breach of security of the system.

Section 20. Waiver. Any waiver of the provisions of this Act is contrary to public policy and is void and unenforceable.

Section 25. Penalty.

(a) Any customer injured by a violation of this Act may institute a civil action to recover damages.

(b) Any individual personally affected by repeated violations may institute, in a circuit court, an action to enjoin violations of this Act.

(c) The rights and remedies available under this Section are cumulative to each other and to any other rights and remedies available under law.