State Government Administration Committee

Adopted in House Comm. on Jan 25, 2006

 

 


 

 


 
09400HB4449ham001 LRB094 17445 LCT 54870 a

1
AMENDMENT TO HOUSE BILL 4449

2     AMENDMENT NO. ______. Amend House Bill 4449 by replacing
3 everything after the enacting clause with the following:
 
4     "Section 5. The Personal Information Protection Act is
5 amended by changing Section 10 and by adding Sections 12, 25,
6 and 30 as follows:
 
7     (815 ILCS 530/10)
8     Sec. 10. Notice of Breach.
9     (a) Any data collector that owns or licenses personal
10 information concerning an Illinois resident shall notify the
11 resident at no charge that there has been a breach of the
12 security of the system data following discovery or notification
13 of the breach. The disclosure notification shall be made in the
14 most expedient time possible and without unreasonable delay,
15 consistent with any measures necessary to determine the scope
16 of the breach and restore the reasonable integrity, security,
17 and confidentiality of the data system.
18     (b) Any data collector that maintains computerized data
19 that includes personal information that the data collector does
20 not own or license shall notify the owner or licensee of the
21 information of any breach of the security of the data
22 immediately following discovery, if the personal information
23 was, or is reasonably believed to have been, acquired by an
24 unauthorized person.

 

 

09400HB4449ham001 - 2 - LRB094 17445 LCT 54870 a

1     (c) For purposes of this Section, notice to consumers may
2 be provided by one of the following methods:
3         (1) written notice;
4         (2) electronic notice, if the notice provided is
5     consistent with the provisions regarding electronic
6     records and signatures for notices legally required to be
7     in writing as set forth in Section 7001 of Title 15 of the
8     United States Code; or
9         (3) substitute notice, if the data collector
10     demonstrates that the cost of providing notice would exceed
11     $250,000 or that the affected class of subject persons to
12     be notified exceeds 500,000, or the data collector does not
13     have sufficient contact information. Substitute notice
14     shall consist of all of the following: (i) email notice if
15     the data collector has an email address for the subject
16     persons; (ii) conspicuous posting of the notice on the data
17     collector's web site page if the data collector maintains
18     one; and (iii) notification to major statewide media.
19     (d) Notwithstanding subsection (c), a data collector that
20 maintains its own notification procedures as part of an
21 information security policy for the treatment of personal
22 information and is otherwise consistent with the timing
23 requirements of this Act, shall be deemed in compliance with
24 the notification requirements of this Section if the data
25 collector notifies subject persons in accordance with its
26 policies in the event of a breach of the security of the system
27 data.
28 (Source: P.A. 94-36, eff. 1-1-06.)
 
29     (815 ILCS 530/12 new)
30     Sec. 12. Notice of breach; State agency.
31     (a) Any State agency that collects personal information
32 concerning an Illinois resident shall notify the resident at no
33 charge that there has been a breach of the security of the

 

 

09400HB4449ham001 - 3 - LRB094 17445 LCT 54870 a

1 system data or written material following discovery or
2 notification of the breach. The disclosure notification shall
3 be made in the most expedient time possible and without
4 unreasonable delay, consistent with any measures necessary to
5 determine the scope of the breach and restore the reasonable
6 integrity, security, and confidentiality of the data system.
7     (b) For purposes of this Section, notice to residents may
8 be provided by one of the following methods:
9         (1) written notice;
10         (2) electronic notice, if the notice provided is
11     consistent with the provisions regarding electronic
12     records and signatures for notices legally required to be
13     in writing as set forth in Section 7001 of Title 15 of the
14     United States Code; or
15         (3) substitute notice, if the State agency
16     demonstrates that the cost of providing notice would exceed
17     $250,000 or that the affected class of subject persons to
18     be notified exceeds 500,000, or the State agency does not
19     have sufficient contact information. Substitute notice
20     shall consist of all of the following: (i) email notice if
21     the State agency has an email address for the subject
22     persons; (ii) conspicuous posting of the notice on the
23     State agency's web site page if the State agency maintains
24     one; and (iii) notification to major statewide media.
25     (c) Notwithstanding subsection (b), a State agency that
26 maintains its own notification procedures as part of an
27 information security policy for the treatment of personal
28 information and is otherwise consistent with the timing
29 requirements of this Act shall be deemed in compliance with the
30 notification requirements of this Section if the State agency
31 notifies subject persons in accordance with its policies in the
32 event of a breach of the security of the system data or written
33 material.
34     (d) If a State agency is required to notify more than 1,000

 

 

09400HB4449ham001 - 4 - LRB094 17445 LCT 54870 a

1 persons of a breach of security pursuant to this Section, the
2 State agency shall also notify, without unreasonable delay, all
3 consumer reporting agencies that compile and maintain files on
4 consumers on a nationwide basis, as defined by 15 U.S.C.
5 Section 1681a(p), of the timing, distribution, and content of
6 the notices. Nothing in this subsection (d) shall be construed
7 to require the State agency to provide to the consumer
8 reporting agency the names or other personal identifying
9 information of breach notice recipients.
 
10     (815 ILCS 530/25 new)
11     Sec. 25. Annual reporting. Any State agency that collects
12 personal data and has had a breach of security of the system
13 data or written material shall submit a report within 5
14 business days of the discovery or notification of the breach to
15 the General Assembly listing the breaches and outlining any
16 corrective measures that have been taken to prevent future
17 breaches of the security of the system data or written
18 material. Any State agency that has submitted a report under
19 this Section shall submit an annual report listing all breaches
20 of security of the system data or written materials and the
21 corrective measures that have been taken to prevent future
22 breaches.
 
23     (815 ILCS 530/30 new)
24     Sec. 30. Safe disposal of information. Any State agency
25 that collects personal data that is no longer needed or stored
26 at the agency shall dispose of the personal data or written
27 material it has collected in such a manner as to ensure the
28 security and confidentiality of the material.
 
29     Section 99. Effective date. This Act takes effect upon
30 becoming law.".