Illinois General Assembly - Full Text of HB4198
94TH GENERAL ASSEMBLY
State of Illinois
2005 and 2006
HB4198

 

Introduced 11/7/2005, by Rep. John A. Fritchey

 

SYNOPSIS AS INTRODUCED:
 
815 ILCS 530/10

    Amends the Personal Information Protection Act. Requires a data collector to disclose to a consumer, at no cost, the personal information obtained resulting in a breach of the security of the system data.


LRB094 13810 RXD 48680 b

 

 

A BILL FOR

 

HB4198 LRB094 13810 RXD 48680 b

    AN ACT concerning business.

    Be it enacted by the People of the State of Illinois, represented in the General Assembly:

    Section 5. The Personal Information Protection Act is amended by changing Section 10 as follows:

    (815 ILCS 530/10)
    Sec. 10. Notice of Breach.
    (a) Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
    (b) Any data collector that maintains computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
    (c) For purposes of this Section, notice to consumers may be provided by one of the following methods:
        (1) written notice;
        (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
        (3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media.
    (d) Notwithstanding subsection (c), a data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed in compliance with the notification requirements of this Section if the data collector notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.
    (e) For purposes of this Section, a data collector shall disclose to a consumer, at no cost, the personal information obtained resulting in a breach of the security of the system data.
(Source: P.A. 94-36, eff. 1-1-06.)