HB4449 Engrossed LRB094 17445 LCT 52740 b

1     AN ACT concerning consumer fraud.
 
2     Be it enacted by the People of the State of Illinois,
3 represented in the General Assembly:
 
4     Section 5. The Personal Information Protection Act is
5 amended by changing Section 10 and by adding Sections 12, 25,
6 and 30 as follows:
 
7     (815 ILCS 530/10)
8     Sec. 10. Notice of Breach.
9     (a) Any data collector that owns or licenses personal
10 information concerning an Illinois resident shall notify the
11 resident at no charge that there has been a breach of the
12 security of the system data following discovery or notification
13 of the breach. The disclosure notification shall be made in the
14 most expedient time possible and without unreasonable delay,
15 consistent with any measures necessary to determine the scope
16 of the breach and restore the reasonable integrity, security,
17 and confidentiality of the data system.
18     (b) Any data collector that maintains computerized data
19 that includes personal information that the data collector does
20 not own or license shall notify the owner or licensee of the
21 information of any breach of the security of the data
22 immediately following discovery, if the personal information
23 was, or is reasonably believed to have been, acquired by an
24 unauthorized person.
25     (b-5) The notification required by this Section may be
26 delayed upon a request by law enforcement if a law enforcement
27 agency determines that the notification will impede a criminal
28 investigation. The notification time period required by this
29 Section shall commence after the data collector receives notice
30 from the law enforcement agency that the notification will not
31 compromise the investigation.
32     (c) For purposes of this Section, notice to consumers may

 

 

1 be provided by one of the following methods:
2         (1) written notice;
3         (2) electronic notice, if the notice provided is
4     consistent with the provisions regarding electronic
5     records and signatures for notices legally required to be
6     in writing as set forth in Section 7001 of Title 15 of the
7     United States Code; or
8         (3) substitute notice, if the data collector
9     demonstrates that the cost of providing notice would exceed
10     $250,000 or that the affected class of subject persons to
11     be notified exceeds 500,000, or the data collector does not
12     have sufficient contact information. Substitute notice
13     shall consist of all of the following: (i) email notice if
14     the data collector has an email address for the subject
15     persons; (ii) conspicuous posting of the notice on the data
16     collector's web site page if the data collector maintains
17     one; and (iii) notification to major statewide media.
18     (d) Notwithstanding subsection (c), a data collector that
19 maintains its own notification procedures as part of an
20 information security policy for the treatment of personal
21 information and is otherwise consistent with the timing
22 requirements of this Act, shall be deemed in compliance with
23 the notification requirements of this Section if the data
24 collector notifies subject persons in accordance with its
25 policies in the event of a breach of the security of the system
26 data.
27 (Source: P.A. 94-36, eff. 1-1-06.)
 
28     (815 ILCS 530/12 new)
29     Sec. 12. Notice of breach; State agency.
30     (a) Any State agency that collects personal information
31 concerning an Illinois resident shall notify the resident at no
32 charge that there has been a breach of the security of the
33 system data or written material following discovery or
34 notification of the breach. The disclosure notification shall
35 be made in the most expedient time possible and without

 

 

1 unreasonable delay, consistent with any measures necessary to
2 determine the scope of the breach and restore the reasonable
3 integrity, security, and confidentiality of the data system.
4     (b) For purposes of this Section, notice to residents may
5 be provided by one of the following methods:
6         (1) written notice;
7         (2) electronic notice, if the notice provided is
8     consistent with the provisions regarding electronic
9     records and signatures for notices legally required to be
10     in writing as set forth in Section 7001 of Title 15 of the
11     United States Code; or
12         (3) substitute notice, if the State agency
13     demonstrates that the cost of providing notice would exceed
14     $250,000 or that the affected class of subject persons to
15     be notified exceeds 500,000, or the State agency does not
16     have sufficient contact information. Substitute notice
17     shall consist of all of the following: (i) email notice if
18     the State agency has an email address for the subject
19     persons; (ii) conspicuous posting of the notice on the
20     State agency's web site page if the State agency maintains
21     one; and (iii) notification to major statewide media.
22     (c) Notwithstanding subsection (b), a State agency that
23 maintains its own notification procedures as part of an
24 information security policy for the treatment of personal
25 information and is otherwise consistent with the timing
26 requirements of this Act shall be deemed in compliance with the
27 notification requirements of this Section if the State agency
28 notifies subject persons in accordance with its policies in the
29 event of a breach of the security of the system data or written
30 material.
31     (d) If a State agency is required to notify more than 1,000
32 persons of a breach of security pursuant to this Section, the
33 State agency shall also notify, without unreasonable delay, all
34 consumer reporting agencies that compile and maintain files on
35 consumers on a nationwide basis, as defined by 15 U.S.C.
36 Section 1681a(p), of the timing, distribution, and content of

 

 

1 the notices. Nothing in this subsection (d) shall be construed
2 to require the State agency to provide to the consumer
3 reporting agency the names or other personal identifying
4 information of breach notice recipients.
 
5     (815 ILCS 530/25 new)
6     Sec. 25. Annual reporting. Any State agency that collects
7 personal data and has had a breach of security of the system
8 data or written material shall submit a report within 5
9 business days of the discovery or notification of the breach to
10 the General Assembly listing the breaches and outlining any
11 corrective measures that have been taken to prevent future
12 breaches of the security of the system data or written
13 material. Any State agency that has submitted a report under
14 this Section shall submit an annual report listing all breaches
15 of security of the system data or written materials and the
16 corrective measures that have been taken to prevent future
17 breaches.
 
18     (815 ILCS 530/30 new)
19     Sec. 30. Safe disposal of information. Any State agency
20 that collects personal data that is no longer needed or stored
21 at the agency shall dispose of the personal data or written
22 material it has collected in such a manner as to ensure the
23 security and confidentiality of the material.
 
24     Section 99. Effective date. This Act takes effect upon
25 becoming law.