Full Text of HB4449 94th General Assembly
HB4449enr 94TH GENERAL ASSEMBLY
|
|
|
HB4449 Enrolled |
|
LRB094 17445 LCT 52740 b |
|
| 1 |
| AN ACT concerning consumer fraud.
| 2 |
| Be it enacted by the People of the State of Illinois,
| 3 |
| represented in the General Assembly:
| 4 |
| Section 5. The Personal Information Protection Act is | 5 |
| amended by changing Section 10 and by adding Sections 12, 25, | 6 |
| and 30 as follows: | 7 |
| (815 ILCS 530/10)
| 8 |
| Sec. 10. Notice of Breach. | 9 |
| (a) Any data collector that owns or licenses personal | 10 |
| information concerning an Illinois resident shall notify the
| 11 |
| resident at no charge that there has been a breach of the | 12 |
| security of the
system data following discovery or notification | 13 |
| of the breach.
The disclosure notification shall be made in the | 14 |
| most
expedient time possible and without unreasonable delay,
| 15 |
| consistent with any measures necessary to determine the
scope | 16 |
| of the breach and restore the reasonable integrity,
security, | 17 |
| and confidentiality of the data system.
| 18 |
| (b) Any data collector that maintains computerized data | 19 |
| that
includes personal information that the data collector does | 20 |
| not own or license shall notify the owner or licensee of the | 21 |
| information of any breach of the security of the data | 22 |
| immediately following discovery, if the personal information | 23 |
| was, or is reasonably believed to have been, acquired by
an | 24 |
| unauthorized person.
| 25 |
| (b-5) The notification required by subsection (a) of this | 26 |
| Section may be delayed if an appropriate law enforcement agency | 27 |
| determines that notification will interfere with a criminal | 28 |
| investigation and provides the data collector with a written | 29 |
| request for the delay. However, the data collector must notify | 30 |
| the Illinois resident as soon as notification will no longer | 31 |
| interfere with the investigation.
| 32 |
| (c) For purposes of this Section, notice to consumers may |
|
|
|
HB4449 Enrolled |
- 2 - |
LRB094 17445 LCT 52740 b |
|
| 1 |
| be provided by one of the following methods:
| 2 |
| (1) written notice; | 3 |
| (2) electronic notice, if the notice provided is
| 4 |
| consistent with the provisions regarding electronic
| 5 |
| records and signatures for notices legally required to be
| 6 |
| in writing as set forth in Section 7001 of Title 15 of the | 7 |
| United States Code;
or | 8 |
| (3) substitute notice, if the data collector
| 9 |
| demonstrates that the cost of providing notice would exceed
| 10 |
| $250,000 or that the affected class of subject persons to | 11 |
| be notified exceeds 500,000, or the data collector does not
| 12 |
| have sufficient contact information. Substitute notice | 13 |
| shall consist of all of the following: (i) email notice if | 14 |
| the data collector has an email address for the subject | 15 |
| persons; (ii) conspicuous posting of the notice on the data
| 16 |
| collector's web site page if the data collector maintains
| 17 |
| one; and (iii) notification to major statewide media. | 18 |
| (d) Notwithstanding subsection (c), a data collector
that | 19 |
| maintains its own notification procedures as part of an
| 20 |
| information security policy for the treatment of personal
| 21 |
| information and is otherwise consistent with the timing | 22 |
| requirements of this Act, shall be deemed in compliance
with | 23 |
| the notification requirements of this Section if the
data | 24 |
| collector notifies subject persons in accordance with its | 25 |
| policies in the event of a breach of the security of the system | 26 |
| data.
| 27 |
| (Source: P.A. 94-36, eff. 1-1-06.) | 28 |
| (815 ILCS 530/12 new)
| 29 |
| Sec. 12. Notice of breach; State agency. | 30 |
| (a) Any State agency that collects personal information | 31 |
| concerning an Illinois resident shall notify the
resident at no | 32 |
| charge that there has been a breach of the security of the
| 33 |
| system data or written material following discovery or | 34 |
| notification of the breach.
The disclosure notification shall | 35 |
| be made in the most
expedient time possible and without |
|
|
|
HB4449 Enrolled |
- 3 - |
LRB094 17445 LCT 52740 b |
|
| 1 |
| unreasonable delay,
consistent with any measures necessary to | 2 |
| determine the
scope of the breach and restore the reasonable | 3 |
| integrity,
security, and confidentiality of the data system. | 4 |
| (b) For purposes of this Section, notice to residents may | 5 |
| be provided by one of the following methods:
| 6 |
| (1) written notice;
| 7 |
| (2) electronic notice, if the notice provided is
| 8 |
| consistent with the provisions regarding electronic
| 9 |
| records and signatures for notices legally required to be
| 10 |
| in writing as set forth in Section 7001 of Title 15 of the | 11 |
| United States Code;
or
| 12 |
| (3) substitute notice, if the State agency
| 13 |
| demonstrates that the cost of providing notice would exceed
| 14 |
| $250,000 or that the affected class of subject persons to | 15 |
| be notified exceeds 500,000, or the State agency does not
| 16 |
| have sufficient contact information. Substitute notice | 17 |
| shall consist of all of the following: (i) email notice if | 18 |
| the State agency has an email address for the subject | 19 |
| persons; (ii) conspicuous posting of the notice on the | 20 |
| State agency's web site page if the State agency maintains
| 21 |
| one; and (iii) notification to major statewide media.
| 22 |
| (c) Notwithstanding subsection (b), a State agency
that | 23 |
| maintains its own notification procedures as part of an
| 24 |
| information security policy for the treatment of personal
| 25 |
| information and is otherwise consistent with the timing | 26 |
| requirements of this Act shall be deemed in compliance
with the | 27 |
| notification requirements of this Section if the
State agency | 28 |
| notifies subject persons in accordance with its policies in the | 29 |
| event of a breach of the security of the system data or written | 30 |
| material.
| 31 |
| (d) If a State agency is required to notify more than 1,000 | 32 |
| persons of a breach of security pursuant to this Section, the | 33 |
| State agency shall also notify, without unreasonable delay, all | 34 |
| consumer reporting agencies that compile and maintain files on | 35 |
| consumers on a nationwide basis, as defined by 15 U.S.C. | 36 |
| Section 1681a(p), of the timing, distribution, and content of |
|
|
|
HB4449 Enrolled |
- 4 - |
LRB094 17445 LCT 52740 b |
|
| 1 |
| the notices. Nothing in this subsection (d) shall be construed | 2 |
| to require the State agency to provide to the consumer | 3 |
| reporting agency the names or other personal identifying | 4 |
| information of breach notice recipients.
| 5 |
| (815 ILCS 530/25 new)
| 6 |
| Sec. 25. Annual reporting. Any State agency that collects | 7 |
| personal data and has had a breach of security of the system | 8 |
| data or written material shall submit a report within 5 | 9 |
| business days of the discovery or notification of the breach to | 10 |
| the General Assembly listing the breaches and outlining any | 11 |
| corrective measures that have been taken to prevent future | 12 |
| breaches of the security of the system data or written | 13 |
| material. Any State agency that has submitted a report under | 14 |
| this Section shall submit an annual report listing all breaches | 15 |
| of security of the system data or written materials and the | 16 |
| corrective measures that have been taken to prevent future | 17 |
| breaches. | 18 |
| (815 ILCS 530/30 new)
| 19 |
| Sec. 30. Safe disposal of information. Any State agency | 20 |
| that collects personal data that is no longer needed or stored | 21 |
| at the agency shall dispose of the personal data or written | 22 |
| material it has collected in such a manner as to ensure the | 23 |
| security and confidentiality of the material.
| 24 |
| Section 99. Effective date. This Act takes effect upon | 25 |
| becoming law.
|
|