Public Act 094-0947
 
HB4449 Enrolled LRB094 17445 LCT 52740 b

    AN ACT concerning consumer fraud.
 
    Be it enacted by the People of the State of Illinois,
represented in the General Assembly:
 
    Section 5. The Personal Information Protection Act is
amended by changing Section 10 and by adding Sections 12, 25,
and 30 as follows:
 
    (815 ILCS 530/10)
    Sec. 10. Notice of Breach.
    (a) Any data collector that owns or licenses personal
information concerning an Illinois resident shall notify the
resident at no charge that there has been a breach of the
security of the system data following discovery or notification
of the breach. The disclosure notification shall be made in the
most expedient time possible and without unreasonable delay,
consistent with any measures necessary to determine the scope
of the breach and restore the reasonable integrity, security,
and confidentiality of the data system.
    (b) Any data collector that maintains computerized data
that includes personal information that the data collector does
not own or license shall notify the owner or licensee of the
information of any breach of the security of the data
immediately following discovery, if the personal information
was, or is reasonably believed to have been, acquired by an
unauthorized person.
    (b-5) The notification required by subsection (a) of this
Section may be delayed if an appropriate law enforcement agency
determines that notification will interfere with a criminal
investigation and provides the data collector with a written
request for the delay. However, the data collector must notify
the Illinois resident as soon as notification will no longer
interfere with the investigation.
    (c) For purposes of this Section, notice to consumers may
be provided by one of the following methods:
        (1) written notice;
        (2) electronic notice, if the notice provided is
    consistent with the provisions regarding electronic
    records and signatures for notices legally required to be
    in writing as set forth in Section 7001 of Title 15 of the
    United States Code; or
        (3) substitute notice, if the data collector
    demonstrates that the cost of providing notice would exceed
    $250,000 or that the affected class of subject persons to
    be notified exceeds 500,000, or the data collector does not
    have sufficient contact information. Substitute notice
    shall consist of all of the following: (i) email notice if
    the data collector has an email address for the subject
    persons; (ii) conspicuous posting of the notice on the data
    collector's web site page if the data collector maintains
    one; and (iii) notification to major statewide media.
    (d) Notwithstanding subsection (c), a data collector that
maintains its own notification procedures as part of an
information security policy for the treatment of personal
information and is otherwise consistent with the timing
requirements of this Act, shall be deemed in compliance with
the notification requirements of this Section if the data
collector notifies subject persons in accordance with its
policies in the event of a breach of the security of the system
data.
(Source: P.A. 94-36, eff. 1-1-06.)
 
    (815 ILCS 530/12 new)
    Sec. 12. Notice of breach; State agency.
    (a) Any State agency that collects personal information
concerning an Illinois resident shall notify the resident at no
charge that there has been a breach of the security of the
system data or written material following discovery or
notification of the breach. The disclosure notification shall
be made in the most expedient time possible and without
unreasonable delay, consistent with any measures necessary to
determine the scope of the breach and restore the reasonable
integrity, security, and confidentiality of the data system.
    (b) For purposes of this Section, notice to residents may
be provided by one of the following methods:
        (1) written notice;
        (2) electronic notice, if the notice provided is
    consistent with the provisions regarding electronic
    records and signatures for notices legally required to be
    in writing as set forth in Section 7001 of Title 15 of the
    United States Code; or
        (3) substitute notice, if the State agency
    demonstrates that the cost of providing notice would exceed
    $250,000 or that the affected class of subject persons to
    be notified exceeds 500,000, or the State agency does not
    have sufficient contact information. Substitute notice
    shall consist of all of the following: (i) email notice if
    the State agency has an email address for the subject
    persons; (ii) conspicuous posting of the notice on the
    State agency's web site page if the State agency maintains
    one; and (iii) notification to major statewide media.
    (c) Notwithstanding subsection (b), a State agency that
maintains its own notification procedures as part of an
information security policy for the treatment of personal
information and is otherwise consistent with the timing
requirements of this Act shall be deemed in compliance with the
notification requirements of this Section if the State agency
notifies subject persons in accordance with its policies in the
event of a breach of the security of the system data or written
material.
    (d) If a State agency is required to notify more than 1,000
persons of a breach of security pursuant to this Section, the
State agency shall also notify, without unreasonable delay, all
consumer reporting agencies that compile and maintain files on
consumers on a nationwide basis, as defined by 15 U.S.C.
Section 1681a(p), of the timing, distribution, and content of
the notices. Nothing in this subsection (d) shall be construed
to require the State agency to provide to the consumer
reporting agency the names or other personal identifying
information of breach notice recipients.
 
    (815 ILCS 530/25 new)
    Sec. 25. Annual reporting. Any State agency that collects
personal data and has had a breach of security of the system
data or written material shall submit a report within 5
business days of the discovery or notification of the breach to
the General Assembly listing the breaches and outlining any
corrective measures that have been taken to prevent future
breaches of the security of the system data or written
material. Any State agency that has submitted a report under
this Section shall submit an annual report listing all breaches
of security of the system data or written materials and the
corrective measures that have been taken to prevent future
breaches.
 
    (815 ILCS 530/30 new)
    Sec. 30. Safe disposal of information. Any State agency
that collects personal data that is no longer needed or stored
at the agency shall dispose of the personal data or written
material it has collected in such a manner as to ensure the
security and confidentiality of the material.
 
    Section 99. Effective date. This Act takes effect upon
becoming law.