Sen. Dan McConchie

Filed: 5/29/2020

10100SB2301sam001LRB101 15374 JLS 72248 a

AMENDMENT TO SENATE BILL 2301

    AMENDMENT NO. ______. Amend Senate Bill 2301 by replacing everything after the enacting clause with the following:

    "Section 5. The Personal Information Protection Act is amended by changing Section 12 as follows:

    (815 ILCS 530/12)
    Sec. 12. Notice of breach; State agency.
    (a) Any State agency that collects personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data or written material following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. The disclosure notification to an Illinois resident shall include, but need not be limited to, information as follows:
        (1) With respect to personal information defined in Section 5 in paragraph (1) of the definition of "personal information":
            (i) the toll-free numbers and addresses for consumer reporting agencies;
            (ii) the toll-free number, address, and website address for the Federal Trade Commission; and
            (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.
        (2) With respect to personal information as defined in Section 5 in paragraph (2) of the definition of "personal information", notice may be provided in electronic or other form directing the Illinois resident whose personal information has been breached to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.
    The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.
    (a-5) The notification to an Illinois resident required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the State agency with a written request for the delay. However, the State agency must notify the Illinois resident as soon as notification will no longer interfere with the investigation.
    (b) For purposes of this Section, notice to residents may be provided by one of the following methods:
        (1) written notice;
        (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
        (3) substitute notice, if the State agency demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the State agency does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the State agency has an email address for the subject persons; (ii) conspicuous posting of the notice on the State agency's web site page if the State agency maintains one; and (iii) notification to major statewide media.
    (c) Notwithstanding subsection (b), a State agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act shall be deemed in compliance with the notification requirements of this Section if the State agency notifies subject persons in accordance with its policies in the event of a breach of the security of the system data or written material.
    (d) If a State agency is required to notify more than 1,000 persons of a breach of security pursuant to this Section, the State agency shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notices. Nothing in this subsection (d) shall be construed to require the State agency to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients.
    (e) Notice to Attorney General. Any State agency that suffers a single breach of the security of the data concerning the personal information of more than 250 Illinois residents shall provide notice to the Attorney General of the breach, including:
        (A) The types of personal information compromised in the breach.
        (B) The number of Illinois residents affected by such incident at the time of notification.
        (C) Any steps the State agency has taken or plans to take relating to notification of the breach to consumers.
        (D) The date and timeframe of the breach, if known at the time notification is provided.
    Such notification must be made within 45 days of the State agency's discovery of the security breach or when the State agency provides any notice to consumers required by this Section, whichever is sooner, unless the State agency has good cause for reasonable delay to determine the scope of the breach and restore the integrity, security, and confidentiality of the data system, or when law enforcement requests in writing to withhold disclosure of some or all of the information required in the notification under this Section. If the date or timeframe of the breach is unknown at the time the notice is sent to the Attorney General, the State agency shall send the Attorney General the date or timeframe of the breach as soon as possible.
    (f) In addition to the report required by Section 25 of this Act, if the State agency that suffers a breach determines the identity of the actor who perpetrated the breach, then the State agency shall report this information, within 5 days after the determination, to the General Assembly, provided that such report would not jeopardize the security of Illinois residents or compromise a security investigation.
    (g) A State agency directly responsible to the Governor that has been subject to or has reason to believe it has been subject to a single breach of the security of the data concerning the personal information of more than 250 Illinois residents or an instance of aggravated computer tampering, as defined in Section 17-53 of the Criminal Code of 2012, shall notify the Office of the Chief Information Security Officer of the Illinois Department of Innovation and Technology and the Attorney General regarding the breach or instance of aggravated computer tampering. The notification shall be made without delay, but no later than 72 hours following the discovery of the incident.
    Upon receiving notification of such incident, the Chief Information Security Officer shall without delay take necessary and reasonable actions to:
        (i) assess the incident to determine the potential impact on the overall confidentiality, security, and availability of State of Illinois data and information systems;
        (ii) ensure the security incident is contained to minimize additional impact and risk to the State;
        (iii) identify the root cause of the incident;
        (iv) provide recommendations to the impacted State agency to assist with eradicating the threat and removing and mitigating any vulnerabilities to reduce the risk of further compromise; and
        (v) assist the impacted State agency in any necessary recovery efforts to ensure effective return to a state of normal operations.
    The Department of Innovation and Technology may agree to submit the reports required in subsections (e) and (f) of this Section and in Section 25 in lieu of the impacted agency.
    (h) Upon receiving notification from a State agency of a breach of personal information or from the Department of Innovation and Technology in lieu of the impacted agency, the Attorney General may publish the name of the State agency that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.
    (i) A State agency that is required to provide notification of a breach of security under subsection (a) shall offer, at no charge to the affected resident, credit monitoring for 12 months from the date of the notification to residents of the State whose personal information has been breached. A State agency may procure credit monitoring services by (1) procuring credit monitoring services through a contract with the agency, (2) procuring credit monitoring services pursuant to an intergovernmental agreement with one or more other State agencies entering into a master contract for credit monitoring services, or (3) procuring cyber security insurance coverage through the Department of Innovation and Technology. If a State agency does not have sufficient appropriation authority to pay for credit monitoring, the 12-month period does not begin until sufficient appropriation authority is obtained. A State agency shall immediately notify the Governor, the Governor's Office of Management and Budget, the Commission on Government Forecasting and Accountability, and the General Assembly of the need for additional appropriation authority to pay for the costs of credit monitoring.
(Source: P.A. 99-503, eff. 1-1-17; 100-412, eff. 8-25-17.)

    Section 99. Effective date. This Act takes effect upon becoming law.".