Rep. Kelly Burke

Filed: 4/8/2011

09700HB3025ham002LRB097 06857 AEK 53928 a

AMENDMENT TO HOUSE BILL 3025

    AMENDMENT NO. ______. Amend House Bill 3025, AS AMENDED, by replacing everything after the enacting clause with the following:

    "Section 5. The Personal Information Protection Act is amended by changing Sections 5, 10, and 12 and by adding Section 40 as follows:
 
    (815 ILCS 530/5)
    Sec. 5. Definitions. In this Act:
    "Data Collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.
    "Breach of the security of the system data" or "breach" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.
    "Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
        (1) Social Security number.
        (2) Driver's license number or State identification card number.
        (3) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
    "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.
(Source: P.A. 94-36, eff. 1-1-06.)
 
    (815 ILCS 530/10)
    Sec. 10. Notice of Breach.
    (a) Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. The disclosure notification to an Illinois resident shall include, but need not be limited to, (i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.
    (b) Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition to providing such notification to the owner or licensee, the data collector shall cooperate with the owner or licensee in matters relating to the breach. That cooperation shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach. The data collector's cooperation shall not, however, be deemed to require either the disclosure of confidential business information or trade secrets or the notification of an Illinois resident who may have been affected by the breach.
    (b-5) The notification to an Illinois resident required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the data collector with a written request for the delay. However, the data collector must notify the Illinois resident as soon as notification will no longer interfere with the investigation.
    (c) For purposes of this Section, notice to consumers may be provided by one of the following methods:
        (1) written notice;
        (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
        (3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media.
    (d) Notwithstanding any other subsection in this Section, a data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed in compliance with the notification requirements of this Section if the data collector notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.
(Source: P.A. 94-36, eff. 1-1-06; 94-947, eff. 6-27-06.)
 
    (815 ILCS 530/12)
    Sec. 12. Notice of breach; State agency.
    (a) Any State agency that collects personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data or written material following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. The disclosure notification to an Illinois resident shall include, but need not be limited to, (i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.
    (a-5) The notification to an Illinois resident required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the State agency with a written request for the delay. However, the State agency must notify the Illinois resident as soon as notification will no longer interfere with the investigation.
    (b) For purposes of this Section, notice to residents may be provided by one of the following methods:
        (1) written notice;
        (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
        (3) substitute notice, if the State agency demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the State agency does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the State agency has an email address for the subject persons; (ii) conspicuous posting of the notice on the State agency's web site page if the State agency maintains one; and (iii) notification to major statewide media.
    (c) Notwithstanding subsection (b), a State agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act shall be deemed in compliance with the notification requirements of this Section if the State agency notifies subject persons in accordance with its policies in the event of a breach of the security of the system data or written material.
    (d) If a State agency is required to notify more than 1,000 persons of a breach of security pursuant to this Section, the State agency shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notices. Nothing in this subsection (d) shall be construed to require the State agency to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients.
(Source: P.A. 94-947, eff. 6-27-06.)
 
    (815 ILCS 530/40 new)
    Sec. 40. Disposal of materials containing personal information; Attorney General.
    (a) In this Section, "person" means: a natural person; a corporation, partnership, association, or other legal entity; a unit of local government or any agency, department, division, bureau, board, commission, or committee thereof; or the State of Illinois or any constitutional officer, agency, department, division, bureau, board, commission, or committee thereof.
    (b) A person must dispose of the materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable. Proper disposal methods include, but are not limited to, the following:
        (1) Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed.
        (2) Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.
    (c) Any person disposing of materials containing personal information may contract with a third party to dispose of such materials in accordance with this Section. Any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information.
    (d) Any person, including but not limited to a third party referenced in subsection (c), who violates this Section is subject to a civil penalty of not more than $100 for each individual with respect to whom personal information is disposed of in violation of this Section. A civil penalty may not, however, exceed $50,000 for each instance of improper disposal of materials containing personal information. The Attorney General may impose a civil penalty after notice to the person accused of violating this Section and an opportunity for that person to be heard in the matter. The Attorney General may file a civil action in the circuit court to recover any penalty imposed under this Section.
    (e) In addition to the authority to impose a civil penalty under subsection (d), the Attorney General may bring an action in the circuit court to remedy a violation of this Section, seeking any appropriate relief.".