Rep. Ann Williams

Filed: 5/15/2015

09900SB1833ham002 LRB099 09064 JLS 35574 a

AMENDMENT TO SENATE BILL 1833

    AMENDMENT NO. ______. Amend Senate Bill 1833 on page 1 by replacing line 5 with the following:
"amended by changing Sections 5, 10, and 12 and adding Sections 45,"; and

on page 1, line 6, by changing "and 50" to "50, and 55"; and

on page 2, line 4, by changing "history." to "history, including, but not limited to, consumer profiles that are based upon the information. "Consumer marketing information" does not include information related to a consumer's online browsing history, online search history, or purchasing history held by a data collector that has a direct relationship with the consumer."; and

on page 2, line 7, by changing "is" to "is stored and"; and

on page 2, line 8, by changing "the device" to "an individual"; and

on page 2, line 9, by changing "located" to "located and the information is likely to enable someone to determine an individual's regular pattern of behavior"; and

on page 3, line 14, by changing "data" to "data generated from measurements or technical analysis of human body characteristics that could be used to identify an individual"; and

on page 3 by replacing lines 20 through 24 with the following:
            "(I) Home address, telephone number, and email address in combination with either:
                (i) mother's maiden name when not part of an individual's surname; or
                (ii) month, day, and year of birth."; and

on page 5, line 2, by changing "information"" to "information", excluding geolocation information and consumer marketing information"; and

on page 8, line 4, by changing "that" to "that owns or licenses personal information and"; and

on page 8, line 9, by changing "A description of the" to "The types of"; and

on page 8, line 20, by changing "2 days before" to "when"; and

on page 9, line 12, by changing "A description of the" to "The types of"; and

on page 10 by replacing lines 10 through 18 with the following:
    "(f) Upon receiving notification from a data collector of a breach of personal information, the Attorney General may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach."; and
 
on page 10 by inserting immediately below line 19 the following:

    "(815 ILCS 530/12)
    Sec. 12. Notice of breach; State agency.
    (a) Any State agency that collects personal information, excluding geolocation and consumer marketing information, concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data or written material following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. The disclosure notification to an Illinois resident shall include, but need not be limited to information as follows:
        (1) With respect to personal information defined in Section 5 in paragraph (1) of the definition of "personal information": ,
            (i) the toll-free numbers and addresses for consumer reporting agencies; ,
            (ii) the toll-free number, address, and website address for the Federal Trade Commission; , and
            (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.
        (2) With respect to personal information as defined in Section 5 in paragraph (2) of the definition of "personal information", notice may be provided in electronic or other form directing the Illinois resident whose personal information has been breached to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.

    The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.
    (a-5) The notification to an Illinois resident required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the State agency with a written request for the delay. However, the State agency must notify the Illinois resident as soon as notification will no longer interfere with the investigation.
    (b) For purposes of this Section, notice to residents may be provided by one of the following methods:
        (1) written notice;
        (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
        (3) substitute notice, if the State agency demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the State agency does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the State agency has an email address for the subject persons; (ii) conspicuous posting of the notice on the State agency's web site page if the State agency maintains one; and (iii) notification to major statewide media.
    (c) Notwithstanding subsection (b), a State agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act shall be deemed in compliance with the notification requirements of this Section if the State agency notifies subject persons in accordance with its policies in the event of a breach of the security of the system data or written material.
    (d) If a State agency is required to notify more than 1,000 persons of a breach of security pursuant to this Section, the State agency shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notices. Nothing in this subsection (d) shall be construed to require the State agency to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients.
    (e) Notice to Attorney General.
        (1) Any State agency that suffers a single breach of the security of the data concerning the personal information of more than 250 Illinois residents shall provide notice to the Attorney General of the breach, including:
            (A) The types of personal information compromised in the breach.
            (B) The number of Illinois residents affected by such incident at the time of notification.
            (C) Any steps the State agency has taken or plans to take relating to notification of the breach to consumers.
            (D) The date and timeframe of the breach, if known at the time notification is provided.
        Such notification must be made within 30 business days of the State agency's discovery of the security breach or when the State agency provides any notice to consumers required by this Section, whichever is sooner, unless the State agency has good cause for reasonable delay to determine the scope of the breach and restore the integrity, security, and confidentiality of the data system, or when law enforcement requests in writing to withhold disclosure of some or all of the information required in the notification under this Section. If the date or timeframe of the breach is unknown at the time the notice is sent to the Attorney General, the State agency shall send the Attorney General the date or timeframe of the breach as soon as possible.
(Source: P.A. 97-483, eff. 1-1-12.)"; and

on page 11 by deleting lines 17 through 22; and

on page 11, line 23, by changing "(e)" to "(d)"; and

on page 13, line 23, by replacing "online service" with ", in the case of an operator of an online service, make the policy available in accordance with paragraph (5) of subsection (a) of this Section"; and

on page 15 by inserting immediately below line 10 the following:

    "(815 ILCS 530/55 new)
    Sec. 55. Entities subject to the federal Health Insurance Portability and Accountability Act of 1996. Any covered entity or business associate that is subject to and in compliance with the privacy and security standards for the protection of electronic health information established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act shall be deemed to be in compliance with the provisions of this Act, provided that any covered entity or business associate required to provide notification of a breach to the Secretary of Health and Human Services pursuant to the Health Information Technology for Economic and Clinical Health Act also provides such notification to the Attorney General within 5 business days of notifying the Secretary.".