|  |
Public Act 099-0503
Public Act 0503 99TH GENERAL ASSEMBLY
|
Public Act 099-0503
| | HB1260 Enrolled | LRB099 05116 JLS 25145 b |
|
| AN ACT concerning business.
| Be it enacted by the People of the State of Illinois, | represented in the General Assembly:
| Section 5. The Personal Information Protection Act is | amended by changing Sections 5, 10, and 12 and adding Sections | 45 and 50 as follows:
| (815 ILCS 530/5)
| Sec. 5. Definitions. In this Act: | "Data Collector" may include, but is not limited to,
| government agencies, public and private universities,
| privately and publicly held corporations, financial
| institutions, retail operators, and any other entity that, for | any purpose, handles, collects, disseminates, or otherwise
| deals with nonpublic personal information.
| "Breach of the security of the system data" or "breach" | means
unauthorized acquisition of computerized data that | compromises the security, confidentiality, or integrity of | personal information maintained by the data collector. "Breach | of the security of the system data" does not include good faith
| acquisition of personal information by an employee or agent of
| the data collector for a legitimate purpose of the data
| collector, provided that the personal information is not used
| for a purpose unrelated to the data collector's business or
|
| subject to further unauthorized disclosure.
| "Health insurance information" means an individual's | health insurance policy number or subscriber identification | number, any unique identifier used by a health insurer to | identify the individual, or any medical information in an | individual's health insurance application and claims history, | including any appeals records. | "Medical information" means any information regarding an | individual's medical history, mental or physical condition, or | medical treatment or diagnosis by a healthcare professional, | including such information provided to a website or mobile | application. | "Personal information" means either of the following: | (1) an individual's first name or first initial and | last name in combination with any one or more
of the | following data elements, when either the name or the data | elements are not encrypted or redacted or are encrypted or | redacted but the keys to unencrypt or unredact or otherwise | read the name or data elements have been acquired without | authorization through the breach of security:
| (A) (1) Social Security number. | (B) (2) Driver's license number or State | identification
card number.
| (C) (3) Account number or credit or debit card | number, or an
account number or credit card number in | combination with
any required security code, access |
| code, or password that
would permit access to an | individual's financial account.
| (D) Medical information. | (E) Health insurance information. | (F) Unique biometric data generated from | measurements or technical analysis of human body | characteristics used by the owner or licensee to | authenticate an individual, such as a fingerprint, | retina or iris image, or other unique physical | representation or digital representation of biometric | data. | (2) user name or email address, in combination with a | password or security question and answer that would permit | access to an online account, when either the user name or | email address or password or security question and answer | are not encrypted or redacted or are encrypted or redacted | but the keys to unencrypt or unredact or otherwise read the | data elements have been obtained through the breach of | security. | "Personal information" does not include publicly available
| information that is lawfully made available to the general
| public from federal, State, or local government records.
| (Source: P.A. 97-483, eff. 1-1-12.)
| (815 ILCS 530/10)
| Sec. 10. Notice of Breach. |
| (a) Any data collector that owns or licenses personal | information concerning an Illinois resident shall notify the
| resident at no charge that there has been a breach of the | security of the
system data following discovery or notification | of the breach.
The disclosure notification shall be made in the | most
expedient time possible and without unreasonable delay,
| consistent with any measures necessary to determine the
scope | of the breach and restore the reasonable integrity,
security, | and confidentiality of the data system. The disclosure | notification to an Illinois resident shall include, but need | not be limited to, information as follows: | (1) With respect to personal information as defined in | Section 5 in paragraph (1) of the definition of "personal | information": | (A) (i) the toll-free numbers and addresses for | consumer reporting agencies; , | (B) (ii) the toll-free number, address, and | website address for the Federal Trade Commission; , and | (C) (iii) a statement that the individual can | obtain information from these sources about fraud | alerts and security freezes. | The notification shall not, however, include information | concerning the number of Illinois residents affected by the | breach. | (2) With respect to personal information defined in | Section 5 in paragraph (2) of the definition of "personal |
| information", notice may be provided in electronic or other | form directing the Illinois resident whose personal | information has been breached to promptly change his or her | user name or password and security question or answer, as | applicable, or to take other steps appropriate to protect | all online accounts for which the resident uses the same | user name or email address and password or security | question and answer. | (b) Any data collector that maintains or stores, but does | not own or license, computerized data that
includes personal | information that the data collector does not own or license | shall notify the owner or licensee of the information of any | breach of the security of the data immediately following | discovery, if the personal information was, or is reasonably | believed to have been, acquired by
an unauthorized person. In | addition to providing such notification to the owner or | licensee, the data collector shall cooperate with the owner or | licensee in matters relating to the breach. That cooperation | shall include, but need not be limited to, (i) informing the | owner or licensee of the breach, including giving notice of the | date or approximate date of the breach and the nature of the | breach, and (ii) informing the owner or licensee of any steps | the data collector has taken or plans to take relating to the | breach. The data collector's cooperation shall not, however, be | deemed to require either the disclosure of confidential | business information or trade secrets or the notification of an |
| Illinois resident who may have been affected by the breach.
| (b-5) The notification to an Illinois resident required by | subsection (a) of this Section may be delayed if an appropriate | law enforcement agency determines that notification will | interfere with a criminal investigation and provides the data | collector with a written request for the delay. However, the | data collector must notify the Illinois resident as soon as | notification will no longer interfere with the investigation.
| (c) For purposes of this Section, notice to consumers may | be provided by one of the following methods:
| (1) written notice; | (2) electronic notice, if the notice provided is
| consistent with the provisions regarding electronic
| records and signatures for notices legally required to be
| in writing as set forth in Section 7001 of Title 15 of the | United States Code;
or | (3) substitute notice, if the data collector
| demonstrates that the cost of providing notice would exceed
| $250,000 or that the affected class of subject persons to | be notified exceeds 500,000, or the data collector does not
| have sufficient contact information. Substitute notice | shall consist of all of the following: (i) email notice if | the data collector has an email address for the subject | persons; (ii) conspicuous posting of the notice on the data
| collector's web site page if the data collector maintains
| one; and (iii) notification to major statewide media or, if |
| the breach impacts residents in one geographic area, to | prominent local media in areas where affected individuals | are likely to reside if such notice is reasonably | calculated to give actual notice to persons whom notice is | required. | (d) Notwithstanding any other subsection in this Section, a | data collector
that maintains its own notification procedures | as part of an
information security policy for the treatment of | personal
information and is otherwise consistent with the | timing requirements of this Act, shall be deemed in compliance
| with the notification requirements of this Section if the
data | collector notifies subject persons in accordance with its | policies in the event of a breach of the security of the system | data.
| (Source: P.A. 97-483, eff. 1-1-12.)
| (815 ILCS 530/12)
| Sec. 12. Notice of breach; State agency. | (a) Any State agency that collects personal information | concerning an Illinois resident shall notify the
resident at no | charge that there has been a breach of the security of the
| system data or written material following discovery or | notification of the breach.
The disclosure notification shall | be made in the most
expedient time possible and without | unreasonable delay,
consistent with any measures necessary to | determine the
scope of the breach and restore the reasonable |
| integrity,
security, and confidentiality of the data system. | The disclosure notification to an Illinois resident shall | include, but need not be limited to information as follows: | (1) With respect to personal information defined in | Section 5 in paragraph (1) of the definition of "personal | information": , | (i) the toll-free numbers and addresses for | consumer reporting agencies; , | (ii) the toll-free number, address, and website | address for the Federal Trade Commission; , and | (iii) a statement that the individual can obtain | information from these sources about fraud alerts and | security freezes. | (2) With respect to personal information as defined in | Section 5 in paragraph (2) of the definition of "personal | information", notice may be provided in electronic or other | form directing the Illinois resident whose personal | information has been breached to promptly change his or her | user name or password and security question or answer, as | applicable, or to take other steps appropriate to protect | all online accounts for which the resident uses the same | user name or email address and password or security | question and answer. | The notification shall not, however, include information | concerning the number of Illinois residents affected by the | breach. |
| (a-5) The notification to an Illinois resident required by | subsection (a) of this Section may be delayed if an appropriate | law enforcement agency determines that notification will | interfere with a criminal investigation and provides the State | agency with a written request for the delay. However, the State | agency must notify the Illinois resident as soon as | notification will no longer interfere with the investigation. | (b) For purposes of this Section, notice to residents may | be provided by one of the following methods:
| (1) written notice;
| (2) electronic notice, if the notice provided is
| consistent with the provisions regarding electronic
| records and signatures for notices legally required to be
| in writing as set forth in Section 7001 of Title 15 of the | United States Code;
or
| (3) substitute notice, if the State agency
| demonstrates that the cost of providing notice would exceed
| $250,000 or that the affected class of subject persons to | be notified exceeds 500,000, or the State agency does not
| have sufficient contact information. Substitute notice | shall consist of all of the following: (i) email notice if | the State agency has an email address for the subject | persons; (ii) conspicuous posting of the notice on the | State agency's web site page if the State agency maintains
| one; and (iii) notification to major statewide media.
| (c) Notwithstanding subsection (b), a State agency
that |
| maintains its own notification procedures as part of an
| information security policy for the treatment of personal
| information and is otherwise consistent with the timing | requirements of this Act shall be deemed in compliance
with the | notification requirements of this Section if the
State agency | notifies subject persons in accordance with its policies in the | event of a breach of the security of the system data or written | material.
| (d) If a State agency is required to notify more than 1,000 | persons of a breach of security pursuant to this Section, the | State agency shall also notify, without unreasonable delay, all | consumer reporting agencies that compile and maintain files on | consumers on a nationwide basis, as defined by 15 U.S.C. | Section 1681a(p), of the timing, distribution, and content of | the notices. Nothing in this subsection (d) shall be construed | to require the State agency to provide to the consumer | reporting agency the names or other personal identifying | information of breach notice recipients.
| (e) Notice to Attorney General. Any State agency that | suffers a single breach of the security of the data concerning | the personal information of more than 250 Illinois residents | shall provide notice to the Attorney General of the breach, | including: | (A) The types of personal information compromised in | the breach. | (B) The number of Illinois residents affected by such |
| incident at the time of notification. | (C) Any steps the State agency has taken or plans to | take relating to notification of the breach to consumers. | (D) The date and timeframe of the breach, if known at | the time notification is provided. | Such notification must be made within 45 days of the State | agency's discovery of the security breach or when the State | agency provides any notice to consumers required by this | Section, whichever is sooner, unless the State agency has good | cause for reasonable delay to determine the scope of the breach | and restore the integrity, security, and confidentiality of the | data system, or when law enforcement requests in writing to | withhold disclosure of some or all of the information required | in the notification under this Section. If the date or | timeframe of the breach is unknown at the time the notice is | sent to the Attorney General, the State agency shall send the | Attorney General the date or timeframe of the breach as soon as | possible. | (Source: P.A. 97-483, eff. 1-1-12.)
| (815 ILCS 530/45 new) | Sec. 45. Data security. | (a) A data collector that owns or licenses, or maintains or | stores but does not own or license, records that contain | personal information concerning an Illinois resident shall | implement and maintain reasonable security measures to protect |
| those records from unauthorized access, acquisition, | destruction, use, modification, or disclosure. | (b) A contract for the disclosure of personal information | concerning an Illinois resident that is maintained by a data | collector must include a provision requiring the person to whom | the information is disclosed to implement and maintain | reasonable security measures to protect those records from | unauthorized access, acquisition, destruction, use, | modification, or disclosure. | (c) If a state or federal law requires a data collector to | provide greater protection to records that contain personal | information concerning an Illinois resident that are | maintained by the data collector and the data collector is in | compliance with the provisions of that state or federal law, | the data collector shall be deemed to be in compliance with the | provisions of this Section. | (d) A data collector that is subject to and in compliance | with the standards established pursuant to Section 501(b) of | the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801, | shall be deemed to be in compliance with the provisions of this | Section.
| (815 ILCS 530/50 new) | Sec. 50. Entities subject to the federal Health Insurance | Portability and Accountability Act of 1996. Any covered entity | or business associate that is subject to and in compliance with |
| the privacy and security standards for the protection of | electronic health information established pursuant to the | federal Health Insurance Portability and Accountability Act of | 1996 and the Health Information Technology for Economic and | Clinical Health Act shall be deemed to be in compliance with | the provisions of this Act, provided that any covered entity or | business associate required to provide notification of a breach | to the Secretary of Health and Human Services pursuant to the | Health Information Technology for Economic and Clinical Health | Act also provides such notification to the Attorney General | within 5 business days of notifying the Secretary.
|
Effective Date: 1/1/2017
|
|
|
|
Translate
