94TH GENERAL ASSEMBLY
State of Illinois
2005 and 2006
SB1798

 

Introduced 2/25/2005, by Sen. Peter J. Roskam

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Personal Information Protection Act. Requires any person, business, or State agency conducting business in the State, and that owns or licenses computerized data that includes vulnerable personal information, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any person whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person. Requires any person, business, or State agency that maintains computerized data that includes vulnerable personal information that the person, business, or State agency does not own, to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the vulnerable personal information was, or is reasonably believed to have been acquired by an unauthorized person. Provides that notice may be provided to a customer in one of the following ways: (1) written notice; or (2) substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information.


LRB094 11157 RXD 41798 b

 

 

A BILL FOR

 

SB1798 LRB094 11157 RXD 41798 b

AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

    Section 1. Short title. This Act may be cited as the Personal Information Protection Act.
 
    Section 5. Definitions. In this Act:
    "Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person, business, or State agency. "Breach of the security of the system" does not include good faith acquisition of personal information by an employee or agent of the person, business, or State agency, provided that the personal information is not used or subject to further unauthorized disclosure.
    "Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify the natural person.
    "Vulnerable personal information" means personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted:
        (1) Social security number.
        (2) Driver's license number.
        (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
"Vulnerable personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.
 
    Section 10. Security breach.
    (a) Any person, business, or State agency that conducts business in the State and owns or licenses computerized data that includes vulnerable personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of the State whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of the law enforcement agency, as provided in subsection (b), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
    (b) Any person, business, or State agency that maintains computerized data that includes vulnerable personal information that the person, business, or State agency does not own, shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the vulnerable personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
        (1) Notice may be provided by one of the following methods:
            (A) written notice; or
            (B) substitute notice, if a person, business, or State agency demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person, business, or State agency does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notification if the person, business, or State agency has an email address for the person to be notified; (ii) conspicuous posting of the notice on a web site if the person, business, or State agency maintains a web site page; and (iii) notification to major statewide media outlets.
        (2) The notification required under this subsection (b) may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. Notification shall be made after the law enforcement agency determines that it will not compromise its investigation.
 
    Section 15. Violation; person or business.
    (a) Any person or business found to have violated this Act, knowingly or recklessly, shall be liable to the aggrieved user for all actual damages sustained by the user as a direct result of the violation, provided that any subscriber that prevails or substantially prevails in any action brought under this subsection (a) shall receive not less than $500,000 in damages, regardless of the amount of actual damage proved, plus costs, disbursements, and reasonable attorney's fees. An action brought under this subsection (a) may be maintained as a class action.
    (b) Civil penalties under this Act are recoverable in an action brought by the Attorney General on behalf of the State in the circuit court. A circuit court may issue an injunction to restrain any person or business from violating or continuing to violate any provision of this Act.
    (c) If the court determines that a grossly negligent violation of this Act has occurred, the court may impose a civil penalty of not more than $1,000 for the violation.
    (d) The rights and remedies available under this Section are cumulative to each other and to any other rights and remedies available under law.