Full Text of HB1633
HB1633enr 94TH GENERAL ASSEMBLY

HB1633 Enrolled
LRB094 07564 RXD 37732 b

AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Personal Information Protection Act.

Section 5. Definitions. In this Act:

"Data Collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

"Breach of the security of the system data" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(1) Social Security number.
(2) Driver's license number or State identification card number.
(3) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

Section 10. Notice of Breach.

(a) Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

(b) Any data collector that maintains computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

(c) For purposes of this Section, notice to consumers may be provided by one of the following methods:
(1) written notice;
(2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
(3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media.

(d) Notwithstanding subsection (c), a data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed in compliance with the notification requirements of this Section if the data collector notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.

Section 15. Waiver. Any waiver of the provisions of this Act is contrary to public policy and is void and unenforceable.

Section 20. Violation. A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.

Section 900. The Consumer Fraud and Deceptive Business Practices Act is amended by changing Section 2Z as follows:

(815 ILCS 505/2Z) (from Ch. 121 1/2, par. 262Z)
Sec. 2Z. Violations of other Acts. Any person who knowingly violates the Automotive Repair Act, the Home Repair and Remodeling Act, the Dance Studio Act, the Physical Fitness Services Act, the Hearing Instrument Consumer Protection Act, the Illinois Union Label Act, the Job Referral and Job Listing Services Consumer Protection Act, the Travel Promotion Consumer Protection Act, the Credit Services Organizations Act, the Automatic Telephone Dialers Act, the Pay-Per-Call Services Consumer Protection Act, the Telephone Solicitations Act, the Illinois Funeral or Burial Funds Act, the Cemetery Care Act, the Safe and Hygienic Bed Act, the Pre-Need Cemetery Sales Act, the High Risk Home Loan Act, subsection (a) or (b) of Section 3-10 of the Cigarette Tax Act, subsection (a) or (b) of Section 3-10 of the Cigarette Use Tax Act, the Electronic Mail Act, paragraph (6) of subsection (k) of Section 6-305 of the Illinois Vehicle Code, or the Automatic Contract Renewal Act, or the Personal Information Protection Act commits an unlawful practice within the meaning of this Act.
(Source: P.A. 92-426, eff. 1-1-02; 93-561, eff. 1-1-04; 93-950, eff. 1-1-05.)