HB1260 Enrolled LRB099 05116 JLS 25145 b

AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 5. The Personal Information Protection Act is amended by changing Sections 5, 10, and 12 and adding Sections 45 and 50 as follows:

(815 ILCS 530/5)
Sec. 5. Definitions. In this Act:
"Data Collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.
"Breach of the security of the system data" or "breach" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.
"Health insurance information" means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records.
"Medical information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application.
"Personal information" means either of the following:
    (1) an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:
        (A) Social Security number.
        (B) Driver's license number or State identification card number.
        (C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
        (D) Medical information.
        (E) Health insurance information.
        (F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
    (2) user name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.
(Source: P.A. 97-483, eff. 1-1-12.)
 
(815 ILCS 530/10)
Sec. 10. Notice of Breach.
(a) Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. The disclosure notification to an Illinois resident shall include, but need not be limited to, information as follows:
    (1) With respect to personal information as defined in Section 5 in paragraph (1) of the definition of "personal information":
        (A) the toll-free numbers and addresses for consumer reporting agencies;
        (B) the toll-free number, address, and website address for the Federal Trade Commission; and
        (C) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.
The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.
    (2) With respect to personal information defined in Section 5 in paragraph (2) of the definition of "personal information", notice may be provided in electronic or other form directing the Illinois resident whose personal information has been breached to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.
(b) Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition to providing such notification to the owner or licensee, the data collector shall cooperate with the owner or licensee in matters relating to the breach. That cooperation shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach. The data collector's cooperation shall not, however, be deemed to require either the disclosure of confidential business information or trade secrets or the notification of an Illinois resident who may have been affected by the breach.
(b-5) The notification to an Illinois resident required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the data collector with a written request for the delay. However, the data collector must notify the Illinois resident as soon as notification will no longer interfere with the investigation.
(c) For purposes of this Section, notice to consumers may be provided by one of the following methods:
    (1) written notice;
    (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
    (3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media or, if the breach impacts residents in one geographic area, to prominent local media in areas where affected individuals are likely to reside if such notice is reasonably calculated to give actual notice to persons whom notice is required.
(d) Notwithstanding any other subsection in this Section, a data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed in compliance with the notification requirements of this Section if the data collector notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.
(Source: P.A. 97-483, eff. 1-1-12.)
 
(815 ILCS 530/12)
Sec. 12. Notice of breach; State agency.
(a) Any State agency that collects personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data or written material following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. The disclosure notification to an Illinois resident shall include, but need not be limited to, information as follows:
    (1) With respect to personal information defined in Section 5 in paragraph (1) of the definition of "personal information":
        (i) the toll-free numbers and addresses for consumer reporting agencies;
        (ii) the toll-free number, address, and website address for the Federal Trade Commission; and
        (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.
    (2) With respect to personal information as defined in Section 5 in paragraph (2) of the definition of "personal information", notice may be provided in electronic or other form directing the Illinois resident whose personal information has been breached to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.
The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.
(a-5) The notification to an Illinois resident required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the State agency with a written request for the delay. However, the State agency must notify the Illinois resident as soon as notification will no longer interfere with the investigation.
(b) For purposes of this Section, notice to residents may be provided by one of the following methods:
    (1) written notice;
    (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
    (3) substitute notice, if the State agency demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the State agency does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the State agency has an email address for the subject persons; (ii) conspicuous posting of the notice on the State agency's web site page if the State agency maintains one; and (iii) notification to major statewide media.
(c) Notwithstanding subsection (b), a State agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act shall be deemed in compliance with the notification requirements of this Section if the State agency notifies subject persons in accordance with its policies in the event of a breach of the security of the system data or written material.
(d) If a State agency is required to notify more than 1,000 persons of a breach of security pursuant to this Section, the State agency shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notices. Nothing in this subsection (d) shall be construed to require the State agency to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients.
(e) Notice to Attorney General. Any State agency that suffers a single breach of the security of the data concerning the personal information of more than 250 Illinois residents shall provide notice to the Attorney General of the breach, including:
    (A) The types of personal information compromised in the breach.
    (B) The number of Illinois residents affected by such incident at the time of notification.
    (C) Any steps the State agency has taken or plans to take relating to notification of the breach to consumers.
    (D) The date and timeframe of the breach, if known at the time notification is provided.
Such notification must be made within 45 days of the State agency's discovery of the security breach or when the State agency provides any notice to consumers required by this Section, whichever is sooner, unless the State agency has good cause for reasonable delay to determine the scope of the breach and restore the integrity, security, and confidentiality of the data system, or when law enforcement requests in writing to withhold disclosure of some or all of the information required in the notification under this Section. If the date or timeframe of the breach is unknown at the time the notice is sent to the Attorney General, the State agency shall send the Attorney General the date or timeframe of the breach as soon as possible.
(Source: P.A. 97-483, eff. 1-1-12.)
 
(815 ILCS 530/45 new)
Sec. 45. Data security.
(a) A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
(b) A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
(c) If a state or federal law requires a data collector to provide greater protection to records that contain personal information concerning an Illinois resident that are maintained by the data collector and the data collector is in compliance with the provisions of that state or federal law, the data collector shall be deemed to be in compliance with the provisions of this Section.
(d) A data collector that is subject to and in compliance with the standards established pursuant to Section 501(b) of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801, shall be deemed to be in compliance with the provisions of this Section.
 
(815 ILCS 530/50 new)
Sec. 50. Entities subject to the federal Health Insurance Portability and Accountability Act of 1996. Any covered entity or business associate that is subject to and in compliance with the privacy and security standards for the protection of electronic health information established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act shall be deemed to be in compliance with the provisions of this Act, provided that any covered entity or business associate required to provide notification of a breach to the Secretary of Health and Human Services pursuant to the Health Information Technology for Economic and Clinical Health Act also provides such notification to the Attorney General within 5 business days of notifying the Secretary.