SB1833 EnrolledLRB099 09064 JLS 31312 b

1    AN ACT concerning business.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 5. The Personal Information Protection Act is
5amended by changing Sections 5, 10, and 12 and adding Sections
645, 50, and 55 as follows:
 
7    (815 ILCS 530/5)
8    Sec. 5. Definitions. In this Act:
9    "Data Collector" may include, but is not limited to,
10government agencies, public and private universities,
11privately and publicly held corporations, financial
12institutions, retail operators, and any other entity that, for
13any purpose, handles, collects, disseminates, or otherwise
14deals with nonpublic personal information.
15    "Breach of the security of the system data" or "breach"
16means unauthorized acquisition of computerized data that
17compromises the security, confidentiality, or integrity of
18personal information maintained by the data collector. "Breach
19of the security of the system data" does not include good faith
20acquisition of personal information by an employee or agent of
21the data collector for a legitimate purpose of the data
22collector, provided that the personal information is not used
23for a purpose unrelated to the data collector's business or

 

 

SB1833 Enrolled- 2 -LRB099 09064 JLS 31312 b

1subject to further unauthorized disclosure.
2    "Consumer marketing information" means information related
3to a consumer's online browsing history, online search history,
4or purchasing history, including, but not limited to, consumer
5profiles that are based upon the information. "Consumer
6marketing information" does not include information related to
7a consumer's online browsing history, online search history, or
8purchasing history held by a data collector that has a direct
9relationship with the consumer.
10    "Geolocation information" means information generated or
11derived from the operation or use of an electronic
12communications device that is stored and sufficient to identify
13the street name and name of the city or town in which an
14individual is located and the information is likely to enable
15someone to determine an individual's regular pattern of
16behavior. "Geolocation information" does not include the
17contents of an electronic communication.
18    "Health insurance information" means an individual's
19health insurance policy number or subscriber identification
20number, any unique identifier used by a health insurer to
21identify the individual, or any information in an individual's
22health insurance application and claims history, including any
23appeals records.
24    "Medical information" means any information regarding an
25individual's medical history, mental or physical condition, or
26medical treatment or diagnosis by a healthcare professional,

 

 

SB1833 Enrolled- 3 -LRB099 09064 JLS 31312 b

1including health information provided to a website or mobile
2application.
3    "Personal information" means either of the following:
4        (1) an individual's first name or first initial and
5    last name in combination with any one or more of the
6    following data elements, when either the name or the data
7    elements are not encrypted or redacted or are encrypted or
8    redacted but the keys to unencrypt or unredact or otherwise
9    read the name or data elements have been acquired without
10    authorization through the breach of security:
11            (A) (1) Social Security number.
12            (B) (2) Driver's license number or State
13        identification card number.
14            (C) (3) Account number or credit or debit card
15        number, or an account number or credit card number in
16        combination with any required security code, access
17        code, or password that would permit access to an
18        individual's financial account.
19            (D) Medical information.
20            (E) Health insurance information.
21            (F) Unique biometric data generated from
22        measurements or technical analysis of human body
23        characteristics that could be used to identify an
24        individual, such as a fingerprint, retina or iris
25        image, or other unique physical representation or
26        digital representation of biometric data.

 

 

SB1833 Enrolled- 4 -LRB099 09064 JLS 31312 b

1            (G) Geolocation information.
2            (H) Consumer marketing information.
3            (I) Home address, telephone number, and email
4        address in combination with either:
5                (i) mother's maiden name when not part of an
6            individual's surname; or
7                (ii) month, day, and year of birth.
8        (2) user name or email address, in combination with a
9    password or security question and answer that would permit
10    access to an online account, when either the user name or
11    email address or password or security question and answer
12    are not encrypted or redacted or are encrypted or redacted
13    but the keys to unencrypt or unredact or otherwise read the
14    data elements have been obtained through the breach of
15    security.
16    "Personal information" does not include publicly available
17information that is lawfully made available to the general
18public from federal, State, or local government records.
19(Source: P.A. 97-483, eff. 1-1-12.)
 
20    (815 ILCS 530/10)
21    Sec. 10. Notice of Breach.
22    (a) Any data collector that owns or licenses personal
23information, excluding geolocation information and consumer
24marketing information, concerning an Illinois resident shall
25notify the resident at no charge that there has been a breach

 

 

SB1833 Enrolled- 5 -LRB099 09064 JLS 31312 b

1of the security of the system data following discovery or
2notification of the breach. The disclosure notification shall
3be made in the most expedient time possible and without
4unreasonable delay, consistent with any measures necessary to
5determine the scope of the breach and restore the reasonable
6integrity, security, and confidentiality of the data system.
7The disclosure notification to an Illinois resident shall
8include, but need not be limited to, information as follows:
9        (1) With respect to personal information as defined in
10    Section 5 in paragraph (1) of the definition of "personal
11    information", excluding geolocation information and
12    consumer marketing information:
13            (A) (i) the toll-free numbers and addresses for
14        consumer reporting agencies; ,
15            (B) (ii) the toll-free number, address, and
16        website address for the Federal Trade Commission; , and
17            (C) (iii) a statement that the individual can
18        obtain information from these sources about fraud
19        alerts and security freezes.
20    The notification shall not, however, include information
21concerning the number of Illinois residents affected by the
22breach.
23        (2) With respect to personal information defined in
24    Section 5 in paragraph (2) of the definition of "personal
25    information", notice may be provided in electronic or other
26    form directing the Illinois resident whose personal

 

 

SB1833 Enrolled- 6 -LRB099 09064 JLS 31312 b

1    information has been breached to promptly change his or her
2    username or password and security question or answer, as
3    applicable, or to take other steps appropriate to protect
4    all online accounts for which the resident uses the same
5    user name or email address and password or security
6    question and answer.
7    (b) Any data collector that maintains or stores, but does
8not own or license, computerized data that includes personal
9information that the data collector does not own or license
10shall notify the owner or licensee of the information of any
11breach of the security of the data immediately following
12discovery, if the personal information was, or is reasonably
13believed to have been, acquired by an unauthorized person. In
14addition to providing such notification to the owner or
15licensee, the data collector shall cooperate with the owner or
16licensee in matters relating to the breach. That cooperation
17shall include, but need not be limited to, (i) informing the
18owner or licensee of the breach, including giving notice of the
19date or approximate date of the breach and the nature of the
20breach, and (ii) informing the owner or licensee of any steps
21the data collector has taken or plans to take relating to the
22breach. The data collector's cooperation shall not, however, be
23deemed to require either the disclosure of confidential
24business information or trade secrets or the notification of an
25Illinois resident who may have been affected by the breach.
26    (b-5) The notification to an Illinois resident required by

 

 

SB1833 Enrolled- 7 -LRB099 09064 JLS 31312 b

1subsection (a) of this Section may be delayed if an appropriate
2law enforcement agency determines that notification will
3interfere with a criminal investigation and provides the data
4collector with a written request for the delay. However, the
5data collector must notify the Illinois resident as soon as
6notification will no longer interfere with the investigation.
7    (c) For purposes of this Section, notice to consumers may
8be provided by one of the following methods:
9        (1) written notice;
10        (2) electronic notice, if the notice provided is
11    consistent with the provisions regarding electronic
12    records and signatures for notices legally required to be
13    in writing as set forth in Section 7001 of Title 15 of the
14    United States Code; or
15        (3) substitute notice, if the data collector
16    demonstrates that the cost of providing notice would exceed
17    $250,000 or that the affected class of subject persons to
18    be notified exceeds 500,000, or the data collector does not
19    have sufficient contact information. Substitute notice
20    shall consist of all of the following: (i) email notice if
21    the data collector has an email address for the subject
22    persons; (ii) conspicuous posting of the notice on the data
23    collector's web site page if the data collector maintains
24    one; and (iii) notification to major statewide media or, if
25    the breach impacts residents in one geographic area, to
26    prominent local media in areas where affected individuals

 

 

SB1833 Enrolled- 8 -LRB099 09064 JLS 31312 b

1    are likely to reside if such notice is reasonably
2    calculated to give actual notice to persons whom notice is
3    required.
4    (d) Notwithstanding any other subsection in this Section, a
5data collector that maintains its own notification procedures
6as part of an information security policy for the treatment of
7personal information and is otherwise consistent with the
8timing requirements of this Act, shall be deemed in compliance
9with the notification requirements of this Section if the data
10collector notifies subject persons in accordance with its
11policies in the event of a breach of the security of the system
12data.
13    (e) Notice to Attorney General.
14        (1) Any data collector that owns or licenses personal
15    information and suffers a single breach of the security of
16    the data concerning the personal information of more than
17    250 Illinois residents shall provide notice to the Attorney
18    General of the breach, including:
19            (A) The types of personal information compromised
20        in the breach.
21            (B) The number of Illinois residents affected by
22        such incident at the time of notification.
23            (C) Any steps the data collector has taken or plans
24        to take relating to notification of the breach to
25        consumers.
26            (D) The date and timeframe of the breach, if known

 

 

SB1833 Enrolled- 9 -LRB099 09064 JLS 31312 b

1        at the time notification is provided.
2        Such notification must be made within 30 business days
3    of the data collector's discovery of the security breach or
4    when the data collector provides any notice to consumers
5    required by this Section, whichever is sooner, unless the
6    data collector has good cause for reasonable delay to
7    determine the scope of the breach and restore the
8    integrity, security, and confidentiality of the data
9    system, or when law enforcement requests in writing to
10    withhold disclosure of some or all of the information
11    required in the notification under this Section. If the
12    date or timeframe of the breach is unknown at the time the
13    notice is sent to the Attorney General, the data collector
14    shall send the Attorney General the date or timeframe of
15    the breach as soon as possible.
16        (2) Any data collector that maintains or stores, but
17    does not own or license, computerized data that includes
18    personal information that suffers a single breach of the
19    security of the data concerning the personal information of
20    more than 250 Illinois residents shall notify the Attorney
21    General of the following:
22            (A) The types of personal information compromised
23        in the breach.
24            (B) The number of Illinois residents affected by
25        such incident at the time of notification.
26            (C) Any steps the data collector has taken or plans

 

 

SB1833 Enrolled- 10 -LRB099 09064 JLS 31312 b

1        to take relating to notification of the owner or
2        licensee of the breach and what measures, if any, the
3        data collector has taken to notify Illinois residents.
4            (D) The date and timeframe of the breach, if known
5        at the time notification is provided.
6        Such notification must be made within 30 business days
7    of the data collector's discovery of the security breach or
8    when the data collector provides notice to the owner or
9    licensee of the information pursuant to this Section,
10    whichever is sooner, unless the data collector has good
11    cause for reasonable delay to determine the scope of the
12    breach and restore the integrity, security, and
13    confidentiality of the data system, or when law enforcement
14    requests in writing to withhold disclosure of some or all
15    of the information required in the notification under this
16    Section. If the date or timeframe of the breach is unknown
17    at the time the notice is sent to the Attorney General, the
18    data collector shall send the Attorney General the date or
19    timeframe of the breach as soon as possible.
20    (f) Upon receiving notification from a data collector of a
21breach of personal information, the Attorney General may
22publish the name of the data collector that suffered the
23breach, the types of personal information compromised in the
24breach, and the date range of the breach.
25(Source: P.A. 97-483, eff. 1-1-12.)
 

 

 

SB1833 Enrolled- 11 -LRB099 09064 JLS 31312 b

1    (815 ILCS 530/12)
2    Sec. 12. Notice of breach; State agency.
3    (a) Any State agency that collects personal information,
4excluding geolocation and consumer marketing information,
5concerning an Illinois resident shall notify the resident at no
6charge that there has been a breach of the security of the
7system data or written material following discovery or
8notification of the breach. The disclosure notification shall
9be made in the most expedient time possible and without
10unreasonable delay, consistent with any measures necessary to
11determine the scope of the breach and restore the reasonable
12integrity, security, and confidentiality of the data system.
13The disclosure notification to an Illinois resident shall
14include, but need not be limited to information as follows:
15        (1) With respect to personal information defined in
16    Section 5 in paragraph (1) of the definition of "personal
17    information": ,
18            (i) the toll-free numbers and addresses for
19        consumer reporting agencies; ,
20            (ii) the toll-free number, address, and website
21        address for the Federal Trade Commission; , and
22            (iii) a statement that the individual can obtain
23        information from these sources about fraud alerts and
24        security freezes.
25        (2) With respect to personal information as defined in
26    Section 5 in paragraph (2) of the definition of "personal

 

 

SB1833 Enrolled- 12 -LRB099 09064 JLS 31312 b

1    information", notice may be provided in electronic or other
2    form directing the Illinois resident whose personal
3    information has been breached to promptly change his or her
4    user name or password and security question or answer, as
5    applicable, or to take other steps appropriate to protect
6    all online accounts for which the resident uses the same
7    user name or email address and password or security
8    question and answer.
9    The notification shall not, however, include information
10concerning the number of Illinois residents affected by the
11breach.
12    (a-5) The notification to an Illinois resident required by
13subsection (a) of this Section may be delayed if an appropriate
14law enforcement agency determines that notification will
15interfere with a criminal investigation and provides the State
16agency with a written request for the delay. However, the State
17agency must notify the Illinois resident as soon as
18notification will no longer interfere with the investigation.
19    (b) For purposes of this Section, notice to residents may
20be provided by one of the following methods:
21        (1) written notice;
22        (2) electronic notice, if the notice provided is
23    consistent with the provisions regarding electronic
24    records and signatures for notices legally required to be
25    in writing as set forth in Section 7001 of Title 15 of the
26    United States Code; or

 

 

SB1833 Enrolled- 13 -LRB099 09064 JLS 31312 b

1        (3) substitute notice, if the State agency
2    demonstrates that the cost of providing notice would exceed
3    $250,000 or that the affected class of subject persons to
4    be notified exceeds 500,000, or the State agency does not
5    have sufficient contact information. Substitute notice
6    shall consist of all of the following: (i) email notice if
7    the State agency has an email address for the subject
8    persons; (ii) conspicuous posting of the notice on the
9    State agency's web site page if the State agency maintains
10    one; and (iii) notification to major statewide media.
11    (c) Notwithstanding subsection (b), a State agency that
12maintains its own notification procedures as part of an
13information security policy for the treatment of personal
14information and is otherwise consistent with the timing
15requirements of this Act shall be deemed in compliance with the
16notification requirements of this Section if the State agency
17notifies subject persons in accordance with its policies in the
18event of a breach of the security of the system data or written
19material.
20    (d) If a State agency is required to notify more than 1,000
21persons of a breach of security pursuant to this Section, the
22State agency shall also notify, without unreasonable delay, all
23consumer reporting agencies that compile and maintain files on
24consumers on a nationwide basis, as defined by 15 U.S.C.
25Section 1681a(p), of the timing, distribution, and content of
26the notices. Nothing in this subsection (d) shall be construed

 

 

SB1833 Enrolled- 14 -LRB099 09064 JLS 31312 b

1to require the State agency to provide to the consumer
2reporting agency the names or other personal identifying
3information of breach notice recipients.
4    (e) Notice to Attorney General.
5        (1) Any State agency that suffers a single breach of
6    the security of the data concerning the personal
7    information of more than 250 Illinois residents shall
8    provide notice to the Attorney General of the breach,
9    including:
10            (A) The types of personal information compromised
11        in the breach.
12            (B) The number of Illinois residents affected by
13        such incident at the time of notification.
14            (C) Any steps the State agency has taken or plans
15        to take relating to notification of the breach to
16        consumers.
17            (D) The date and timeframe of the breach, if known
18        at the time notification is provided.
19        Such notification must be made within 30 business days
20    of the State agency's discovery of the security breach or
21    when the State agency provides any notice to consumers
22    required by this Section, whichever is sooner, unless the
23    State agency has good cause for reasonable delay to
24    determine the scope of the breach and restore the
25    integrity, security, and confidentiality of the data
26    system, or when law enforcement requests in writing to

 

 

SB1833 Enrolled- 15 -LRB099 09064 JLS 31312 b

1    withhold disclosure of some or all of the information
2    required in the notification under this Section. If the
3    date or timeframe of the breach is unknown at the time the
4    notice is sent to the Attorney General, the State agency
5    shall send the Attorney General the date or timeframe of
6    the breach as soon as possible.
7(Source: P.A. 97-483, eff. 1-1-12.)
 
8    (815 ILCS 530/45 new)
9    Sec. 45. Data security.
10    (a) A data collector that owns or licenses, or maintains or
11stores but does not own or license, records that contain
12personal information concerning an Illinois resident shall
13implement and maintain reasonable security measures to protect
14those records from unauthorized access, acquisition,
15destruction, use, modification, or disclosure.
16    (b) A contract for the disclosure of personal information
17concerning an Illinois resident that is maintained by a data
18collector must include a provision requiring the person to whom
19the information is disclosed to implement and maintain
20reasonable security measures to protect those records from
21unauthorized access, acquisition, destruction, use,
22modification, or disclosure.
23    (c) If a state or federal law requires a data collector to
24provide greater protection to records that contain personal
25information concerning an Illinois resident that are

 

 

SB1833 Enrolled- 16 -LRB099 09064 JLS 31312 b

1maintained by the data collector and the data collector is in
2compliance with the provisions of that state or federal law,
3the data collector shall be deemed to be in compliance with the
4provisions of this Section.
5    (d) A data collector that is subject to and in compliance
6with the standards established pursuant to Section 501(b) of
7the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801,
8shall be deemed to be in compliance with the provisions of this
9Section.
 
10    (815 ILCS 530/50 new)
11    Sec. 50. Posting of privacy policy.
12    (a) As used in this Section:
13    "Conspicuously post" means posting the privacy policy
14through any of the following:
15        (1) A Web page on which the actual privacy policy is
16    posted if the Web page is the homepage or first significant
17    page after entering the Web site.
18        (2) An icon that hyperlinks to a Web page on which the
19    actual privacy policy is posted, if the icon is located on
20    the homepage or the first significant page after entering
21    the Web site, and if the icon contains the word "privacy".
22    The icon shall also use a color that contrasts with the
23    background color of the Web page or is otherwise
24    distinguishable.
25        (3) A text link that hyperlinks to a Web page on which

 

 

SB1833 Enrolled- 17 -LRB099 09064 JLS 31312 b

1    the actual privacy policy is posted, if the text link is
2    located on the homepage or first significant page after
3    entering the Web site, and if the text link does one of the
4    following:
5            (A) Includes the word "privacy".
6            (B) Is written in capital letters equal to or
7        greater in size than the surrounding text.
8            (C) Is written in larger type than the surrounding
9        text, or in contrasting type, font, or color to the
10        surrounding text of the same size, or set off from the
11        surrounding text of the same size by symbols or other
12        marks that call attention to the language.
13        (4) Any other functional hyperlink that is displayed in
14    a noticeable manner.
15        (5) In the case of an online service, any other
16    reasonably accessible means of making the privacy policy
17    available for a consumer of the online service.
18    "Operator" means any person or entity that owns a Web site
19located on the Internet or an online service that collects and
20maintains personal information from a consumer residing in
21Illinois who uses or visits the Web site or online service if
22the Web site or online service is operated for commercial
23purposes. It does not include any third party that operates,
24hosts, or manages, but does not own, a Web site or online
25service on the owner's behalf or by processing information on
26behalf of the owner.

 

 

SB1833 Enrolled- 18 -LRB099 09064 JLS 31312 b

1    (b) An operator of a commercial Web site or online service
2that collects personal information through the Internet about
3individual consumers residing in Illinois who use or visit its
4commercial Web site or online service shall conspicuously post
5its privacy policy on its Web site or, in the case of an
6operator of an online service, make the policy available in
7accordance with paragraph (5) of subsection (a) of this
8Section. An operator shall be in violation of this subdivision
9only if the operator fails to post its policy within 30 days
10after being notified of noncompliance.
11    (c) The privacy policy required by subsection (b) shall, at
12a minimum, do the following:
13        (1) Identify the categories of personal information
14    that the operator collects through the Web site or online
15    service about individual consumers who use or visit its
16    commercial Web site or online service and the categories of
17    third-party persons or entities with whom the operator may
18    share that personal information.
19        (2) If the operator maintains a process for an
20    individual consumer who uses or visits its commercial Web
21    site or online service to review and request changes to any
22    of his or her personal information that is collected
23    through the Web site or online service, provide a
24    description of that process.
25        (3) Describe the process by which the operator notifies
26    consumers who use or visit its commercial Web site or

 

 

SB1833 Enrolled- 19 -LRB099 09064 JLS 31312 b

1    online service of material changes to the operator's
2    privacy policy for that Web site or online service.
3        (4) Identify its effective date.
4        (5) Disclose how the operator responds to Web browser
5    "do not track" signals or other mechanisms that provide
6    consumers the ability to exercise choice regarding the
7    collection of personal information about an individual
8    consumer's online activities over time and across
9    third-party Web sites or online services, if the operator
10    engages in that collection.
11        (6) Disclose whether other parties may collect
12    personal information about an individual consumer's online
13    activities over time and across different Web sites or
14    online services when a consumer uses the operator's Web
15    site or online service.
16    An operator may satisfy the requirement of paragraph (5) by
17providing a clear and conspicuous hyperlink in the operator's
18privacy policy to an online location containing a description,
19including the effects, of any program or protocol the operator
20follows that offers the consumer that choice.
 
21    (815 ILCS 530/55 new)
22    Sec. 55. Entities subject to the federal Health Insurance
23Portability and Accountability Act of 1996. Any covered entity
24or business associate that is subject to and in compliance with
25the privacy and security standards for the protection of

 

 

SB1833 Enrolled- 20 -LRB099 09064 JLS 31312 b

1electronic health information established pursuant to the
2federal Health Insurance Portability and Accountability Act of
31996 and the Health Information Technology for Economic and
4Clinical Health Act shall be deemed to be in compliance with
5the provisions of this Act, provided that any covered entity or
6business associate required to provide notification of a breach
7to the Secretary of Health and Human Services pursuant to the
8Health Information Technology for Economic and Clinical Health
9Act also provides such notification to the Attorney General
10within 5 business days of notifying the Secretary.