Public Act 097-0483

AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 5. The Personal Information Protection Act is amended by changing Sections 5, 10, and 12 and by adding Section 40 as follows:
(815 ILCS 530/5)

Sec. 5. Definitions. In this Act:

"Data Collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

"Breach of the security of the system data" or "breach" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(1) Social Security number.

(2) Driver's license number or State identification card number.

(3) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

(Source: P.A. 94-36, eff. 1-1-06.)
(815 ILCS 530/10)

Sec. 10. Notice of Breach.

(a) Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. The disclosure notification to an Illinois resident shall include, but need not be limited to, (i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.

(b) Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition to providing such notification to the owner or licensee, the data collector shall cooperate with the owner or licensee in matters relating to the breach. That cooperation shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach. The data collector's cooperation shall not, however, be deemed to require either the disclosure of confidential business information or trade secrets or the notification of an Illinois resident who may have been affected by the breach.

(b-5) The notification to an Illinois resident required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the data collector with a written request for the delay. However, the data collector must notify the Illinois resident as soon as notification will no longer interfere with the investigation.

(c) For purposes of this Section, notice to consumers may be provided by one of the following methods:

(1) written notice;

(2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or

(3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media.

(d) Notwithstanding any other subsection in this Section, a data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed in compliance with the notification requirements of this Section if the data collector notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.

(Source: P.A. 94-36, eff. 1-1-06; 94-947, eff. 6-27-06.)
(815 ILCS 530/12)

Sec. 12. Notice of breach; State agency.

(a) Any State agency that collects personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data or written material following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. The disclosure notification to an Illinois resident shall include, but need not be limited to, (i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.

(a-5) The notification to an Illinois resident required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the State agency with a written request for the delay. However, the State agency must notify the Illinois resident as soon as notification will no longer interfere with the investigation.

(b) For purposes of this Section, notice to residents may be provided by one of the following methods:

(1) written notice;

(2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or

(3) substitute notice, if the State agency demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the State agency does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the State agency has an email address for the subject persons; (ii) conspicuous posting of the notice on the State agency's web site page if the State agency maintains one; and (iii) notification to major statewide media.

(c) Notwithstanding subsection (b), a State agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act shall be deemed in compliance with the notification requirements of this Section if the State agency notifies subject persons in accordance with its policies in the event of a breach of the security of the system data or written material.

(d) If a State agency is required to notify more than 1,000 persons of a breach of security pursuant to this Section, the State agency shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notices. Nothing in this subsection (d) shall be construed to require the State agency to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients.

(Source: P.A. 94-947, eff. 6-27-06.)
(815 ILCS 530/40 new)

Sec. 40. Disposal of materials containing personal information; Attorney General.

(a) In this Section, "person" means: a natural person; a corporation, partnership, association, or other legal entity; a unit of local government or any agency, department, division, bureau, board, commission, or committee thereof; or the State of Illinois or any constitutional officer, agency, department, division, bureau, board, commission, or committee thereof.

(b) A person must dispose of the materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable. Proper disposal methods include, but are not limited to, the following:

(1) Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed.

(2) Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.

(c) Any person disposing of materials containing personal information may contract with a third party to dispose of such materials in accordance with this Section. Any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information.

(d) Any person, including but not limited to a third party referenced in subsection (c), who violates this Section is subject to a civil penalty of not more than $100 for each individual with respect to whom personal information is disposed of in violation of this Section. A civil penalty may not, however, exceed $50,000 for each instance of improper disposal of materials containing personal information. The Attorney General may impose a civil penalty after notice to the person accused of violating this Section and an opportunity for that person to be heard in the matter. The Attorney General may file a civil action in the circuit court to recover any penalty imposed under this Section.

(e) In addition to the authority to impose a civil penalty under subsection (d), the Attorney General may bring an action in the circuit court to remedy a violation of this Section, seeking any appropriate relief.

(f) A financial institution under 15 U.S.C. 6801 et seq. or any person subject to 15 U.S.C. 1681w is exempt from this Section.