SB1833 EngrossedLRB099 09064 JLS 31312 b

1    AN ACT concerning business.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 5. The Personal Information Protection Act is
5amended by changing Sections 5 and 10 and by adding Sections 45
6and 50 as follows:
 
7    (815 ILCS 530/5)
8    Sec. 5. Definitions. In this Act:
9    "Data Collector" may include, but is not limited to,
10government agencies, public and private universities,
11privately and publicly held corporations, financial
12institutions, retail operators, and any other entity that, for
13any purpose, handles, collects, disseminates, or otherwise
14deals with nonpublic personal information.
15    "Breach of the security of the system data" or "breach"
16means unauthorized acquisition of computerized data that
17compromises the security, confidentiality, or integrity of
18personal information maintained by the data collector. "Breach
19of the security of the system data" does not include good faith
20acquisition of personal information by an employee or agent of
21the data collector for a legitimate purpose of the data
22collector, provided that the personal information is not used
23for a purpose unrelated to the data collector's business or

 

 

SB1833 Engrossed- 2 -LRB099 09064 JLS 31312 b

1subject to further unauthorized disclosure.
2    "Consumer marketing information" means information related
3to a consumer's online browsing history, online search history,
4or purchasing history.
5    "Geolocation information" means information generated or
6derived from the operation or use of an electronic
7communications device that is sufficient to identify the street
8name and name of the city or town in which the device is
9located. "Geolocation information" does not include the
10contents of an electronic communication.
11    "Health insurance information" means an individual's
12health insurance policy number or subscriber identification
13number, any unique identifier used by a health insurer to
14identify the individual, or any information in an individual's
15health insurance application and claims history, including any
16appeals records.
17    "Medical information" means any information regarding an
18individual's medical history, mental or physical condition, or
19medical treatment or diagnosis by a healthcare professional,
20including health information provided to a website or mobile
21application.
22    "Personal information" means either of the following:
23        (1) an individual's first name or first initial and
24    last name in combination with any one or more of the
25    following data elements, when either the name or the data
26    elements are not encrypted or redacted or are encrypted or

 

 

SB1833 Engrossed- 3 -LRB099 09064 JLS 31312 b

1    redacted but the keys to unencrypt or unredact or otherwise
2    read the name or data elements have been acquired without
3    authorization through the breach of security:
4            (A) (1) Social Security number.
5            (B) (2) Driver's license number or State
6        identification card number.
7            (C) (3) Account number or credit or debit card
8        number, or an account number or credit card number in
9        combination with any required security code, access
10        code, or password that would permit access to an
11        individual's financial account.
12            (D) Medical information.
13            (E) Health insurance information.
14            (F) Unique biometric data, such as a fingerprint,
15        retina or iris image, or other unique physical
16        representation or digital representation of biometric
17        data.
18            (G) Geolocation information.
19            (H) Consumer marketing information.
20            (I) Any 2 of the following data elements:
21                (i) home address, telephone number, or email
22            address;
23                (ii) mother's maiden name;
24                (iii) month, day, and year of birth.
25        (2) user name or email address, in combination with a
26    password or security question and answer that would permit

 

 

SB1833 Engrossed- 4 -LRB099 09064 JLS 31312 b

1    access to an online account, when either the user name or
2    email address or password or security question and answer
3    are not encrypted or redacted or are encrypted or redacted
4    but the keys to unencrypt or unredact or otherwise read the
5    data elements have been obtained through the breach of
6    security.
7    "Personal information" does not include publicly available
8information that is lawfully made available to the general
9public from federal, State, or local government records.
10(Source: P.A. 97-483, eff. 1-1-12.)
 
11    (815 ILCS 530/10)
12    Sec. 10. Notice of Breach.
13    (a) Any data collector that owns or licenses personal
14information, excluding geolocation information and consumer
15marketing information, concerning an Illinois resident shall
16notify the resident at no charge that there has been a breach
17of the security of the system data following discovery or
18notification of the breach. The disclosure notification shall
19be made in the most expedient time possible and without
20unreasonable delay, consistent with any measures necessary to
21determine the scope of the breach and restore the reasonable
22integrity, security, and confidentiality of the data system.
23The disclosure notification to an Illinois resident shall
24include, but need not be limited to, information as follows:
25        (1) With respect to personal information as defined in

 

 

SB1833 Engrossed- 5 -LRB099 09064 JLS 31312 b

1    Section 5 in paragraph (1) of the definition of "personal
2    information":
3            (A) (i) the toll-free numbers and addresses for
4        consumer reporting agencies; ,
5            (B) (ii) the toll-free number, address, and
6        website address for the Federal Trade Commission; , and
7            (C) (iii) a statement that the individual can
8        obtain information from these sources about fraud
9        alerts and security freezes.
10    The notification shall not, however, include information
11concerning the number of Illinois residents affected by the
12breach.
13        (2) With respect to personal information defined in
14    Section 5 in paragraph (2) of the definition of "personal
15    information", notice may be provided in electronic or other
16    form directing the Illinois resident whose personal
17    information has been breached to promptly change his or her
18    username or password and security question or answer, as
19    applicable, or to take other steps appropriate to protect
20    all online accounts for which the resident uses the same
21    user name or email address and password or security
22    question and answer.
23    (b) Any data collector that maintains or stores, but does
24not own or license, computerized data that includes personal
25information that the data collector does not own or license
26shall notify the owner or licensee of the information of any

 

 

SB1833 Engrossed- 6 -LRB099 09064 JLS 31312 b

1breach of the security of the data immediately following
2discovery, if the personal information was, or is reasonably
3believed to have been, acquired by an unauthorized person. In
4addition to providing such notification to the owner or
5licensee, the data collector shall cooperate with the owner or
6licensee in matters relating to the breach. That cooperation
7shall include, but need not be limited to, (i) informing the
8owner or licensee of the breach, including giving notice of the
9date or approximate date of the breach and the nature of the
10breach, and (ii) informing the owner or licensee of any steps
11the data collector has taken or plans to take relating to the
12breach. The data collector's cooperation shall not, however, be
13deemed to require either the disclosure of confidential
14business information or trade secrets or the notification of an
15Illinois resident who may have been affected by the breach.
16    (b-5) The notification to an Illinois resident required by
17subsection (a) of this Section may be delayed if an appropriate
18law enforcement agency determines that notification will
19interfere with a criminal investigation and provides the data
20collector with a written request for the delay. However, the
21data collector must notify the Illinois resident as soon as
22notification will no longer interfere with the investigation.
23    (c) For purposes of this Section, notice to consumers may
24be provided by one of the following methods:
25        (1) written notice;
26        (2) electronic notice, if the notice provided is

 

 

SB1833 Engrossed- 7 -LRB099 09064 JLS 31312 b

1    consistent with the provisions regarding electronic
2    records and signatures for notices legally required to be
3    in writing as set forth in Section 7001 of Title 15 of the
4    United States Code; or
5        (3) substitute notice, if the data collector
6    demonstrates that the cost of providing notice would exceed
7    $250,000 or that the affected class of subject persons to
8    be notified exceeds 500,000, or the data collector does not
9    have sufficient contact information. Substitute notice
10    shall consist of all of the following: (i) email notice if
11    the data collector has an email address for the subject
12    persons; (ii) conspicuous posting of the notice on the data
13    collector's web site page if the data collector maintains
14    one; and (iii) notification to major statewide media or, if
15    the breach impacts residents in one geographic area, to
16    prominent local media in areas where affected individuals
17    are likely to reside if such notice is reasonably
18    calculated to give actual notice to persons whom notice is
19    required.
20    (d) Notwithstanding any other subsection in this Section, a
21data collector that maintains its own notification procedures
22as part of an information security policy for the treatment of
23personal information and is otherwise consistent with the
24timing requirements of this Act, shall be deemed in compliance
25with the notification requirements of this Section if the data
26collector notifies subject persons in accordance with its

 

 

SB1833 Engrossed- 8 -LRB099 09064 JLS 31312 b

1policies in the event of a breach of the security of the system
2data.
3    (e) Notice to Attorney General.
4        (1) Any data collector that suffers a single breach of
5    the security of the data concerning the personal
6    information of more than 250 Illinois residents shall
7    provide notice to the Attorney General of the breach,
8    including:
9            (A) A description of the personal information
10        compromised in the breach.
11            (B) The number of Illinois residents affected by
12        such incident at the time of notification.
13            (C) Any steps the data collector has taken or plans
14        to take relating to notification of the breach to
15        consumers.
16            (D) The date and timeframe of the breach, if known
17        at the time notification is provided.
18        Such notification must be made within 30 business days
19    of the data collector's discovery of the security breach or
20    2 days before the data collector provides any notice to
21    consumers required by this Section, whichever is sooner,
22    unless the data collector has good cause for reasonable
23    delay to determine the scope of the breach and restore the
24    integrity, security, and confidentiality of the data
25    system, or when law enforcement requests in writing to
26    withhold disclosure of some or all of the information

 

 

SB1833 Engrossed- 9 -LRB099 09064 JLS 31312 b

1    required in the notification under this Section. If the
2    date or timeframe of the breach is unknown at the time the
3    notice is sent to the Attorney General, the data collector
4    shall send the Attorney General the date or timeframe of
5    the breach as soon as possible.
6        (2) Any data collector that maintains or stores, but
7    does not own or license, computerized data that includes
8    personal information that suffers a single breach of the
9    security of the data concerning the personal information of
10    more than 250 Illinois residents shall notify the Attorney
11    General of the following:
12            (A) A description of the personal information
13        compromised in the breach.
14            (B) The number of Illinois residents affected by
15        such incident at the time of notification.
16            (C) Any steps the data collector has taken or plans
17        to take relating to notification of the owner or
18        licensee of the breach and what measures, if any, the
19        data collector has taken to notify Illinois residents.
20            (D) The date and timeframe of the breach, if known
21        at the time notification is provided.
22        Such notification must be made within 30 business days
23    of the data collector's discovery of the security breach or
24    when the data collector provides notice to the owner or
25    licensee of the information pursuant to this Section,
26    whichever is sooner, unless the data collector has good

 

 

SB1833 Engrossed- 10 -LRB099 09064 JLS 31312 b

1    cause for reasonable delay to determine the scope of the
2    breach and restore the integrity, security, and
3    confidentiality of the data system, or when law enforcement
4    requests in writing to withhold disclosure of some or all
5    of the information required in the notification under this
6    Section. If the date or timeframe of the breach is unknown
7    at the time the notice is sent to the Attorney General, the
8    data collector shall send the Attorney General the date or
9    timeframe of the breach as soon as possible.
10    (f) A data collector that suffers a breach subject to the
11breach notification standards established pursuant to the
12federal Health Information Technology Act, 42 U.S.C. Section
1317932, shall be deemed to be in compliance with the provisions
14of this Section if that data collector does the following: (1)
15provides notification to individuals in compliance with the
16federal Health Information Technology Act and implementing
17regulations and (2) provides notification to the Attorney
18General pursuant to subsection (e).
19(Source: P.A. 97-483, eff. 1-1-12.)
 
20    (815 ILCS 530/45 new)
21    Sec. 45. Data security.
22    (a) A data collector that owns or licenses, or maintains or
23stores but does not own or license, records that contain
24personal information concerning an Illinois resident shall
25implement and maintain reasonable security measures to protect

 

 

SB1833 Engrossed- 11 -LRB099 09064 JLS 31312 b

1those records from unauthorized access, acquisition,
2destruction, use, modification, or disclosure.
3    (b) A contract for the disclosure of personal information
4concerning an Illinois resident that is maintained by a data
5collector must include a provision requiring the person to whom
6the information is disclosed to implement and maintain
7reasonable security measures to protect those records from
8unauthorized access, acquisition, destruction, use,
9modification, or disclosure.
10    (c) If a state or federal law requires a data collector to
11provide greater protection to records that contain personal
12information concerning an Illinois resident that are
13maintained by the data collector and the data collector is in
14compliance with the provisions of that state or federal law,
15the data collector shall be deemed to be in compliance with the
16provisions of this Section.
17    (d) A data collector that is subject to and in compliance
18with the security standards for the protection of electronic
19health information, 45 C.F.R. Parts 160 and 164, established
20pursuant to the federal Health Insurance Portability and
21Accountability Act of 1996 shall be deemed to be in compliance
22with the provisions of this Section.
23    (e) A data collector that is subject to and in compliance
24with the standards established pursuant to Section 501(b) of
25the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801,
26shall be deemed to be in compliance with the provisions of this

 

 

SB1833 Engrossed- 12 -LRB099 09064 JLS 31312 b

1Section.
 
2    (815 ILCS 530/50 new)
3    Sec. 50. Posting of privacy policy.
4    (a) As used in this Section:
5    "Conspicuously post" means posting the privacy policy
6through any of the following:
7        (1) A Web page on which the actual privacy policy is
8    posted if the Web page is the homepage or first significant
9    page after entering the Web site.
10        (2) An icon that hyperlinks to a Web page on which the
11    actual privacy policy is posted, if the icon is located on
12    the homepage or the first significant page after entering
13    the Web site, and if the icon contains the word "privacy".
14    The icon shall also use a color that contrasts with the
15    background color of the Web page or is otherwise
16    distinguishable.
17        (3) A text link that hyperlinks to a Web page on which
18    the actual privacy policy is posted, if the text link is
19    located on the homepage or first significant page after
20    entering the Web site, and if the text link does one of the
21    following:
22            (A) Includes the word "privacy".
23            (B) Is written in capital letters equal to or
24        greater in size than the surrounding text.
25            (C) Is written in larger type than the surrounding

 

 

SB1833 Engrossed- 13 -LRB099 09064 JLS 31312 b

1        text, or in contrasting type, font, or color to the
2        surrounding text of the same size, or set off from the
3        surrounding text of the same size by symbols or other
4        marks that call attention to the language.
5        (4) Any other functional hyperlink that is displayed in
6    a noticeable manner.
7        (5) In the case of an online service, any other
8    reasonably accessible means of making the privacy policy
9    available for a consumer of the online service.
10    "Operator" means any person or entity that owns a Web site
11located on the Internet or an online service that collects and
12maintains personal information from a consumer residing in
13Illinois who uses or visits the Web site or online service if
14the Web site or online service is operated for commercial
15purposes. It does not include any third party that operates,
16hosts, or manages, but does not own, a Web site or online
17service on the owner's behalf or by processing information on
18behalf of the owner.
19    (b) An operator of a commercial Web site or online service
20that collects personal information through the Internet about
21individual consumers residing in Illinois who use or visit its
22commercial Web site or online service shall conspicuously post
23its privacy policy on its Web site or online service. An
24operator shall be in violation of this subdivision only if the
25operator fails to post its policy within 30 days after being
26notified of noncompliance.

 

 

SB1833 Engrossed- 14 -LRB099 09064 JLS 31312 b

1    (c) The privacy policy required by subsection (b) shall, at
2a minimum, do the following:
3        (1) Identify the categories of personal information
4    that the operator collects through the Web site or online
5    service about individual consumers who use or visit its
6    commercial Web site or online service and the categories of
7    third-party persons or entities with whom the operator may
8    share that personal information.
9        (2) If the operator maintains a process for an
10    individual consumer who uses or visits its commercial Web
11    site or online service to review and request changes to any
12    of his or her personal information that is collected
13    through the Web site or online service, provide a
14    description of that process.
15        (3) Describe the process by which the operator notifies
16    consumers who use or visit its commercial Web site or
17    online service of material changes to the operator's
18    privacy policy for that Web site or online service.
19        (4) Identify its effective date.
20        (5) Disclose how the operator responds to Web browser
21    "do not track" signals or other mechanisms that provide
22    consumers the ability to exercise choice regarding the
23    collection of personal information about an individual
24    consumer's online activities over time and across
25    third-party Web sites or online services, if the operator
26    engages in that collection.

 

 

SB1833 Engrossed- 15 -LRB099 09064 JLS 31312 b

1        (6) Disclose whether other parties may collect
2    personal information about an individual consumer's online
3    activities over time and across different Web sites or
4    online services when a consumer uses the operator's Web
5    site or online service.
6    An operator may satisfy the requirement of paragraph (5) by
7providing a clear and conspicuous hyperlink in the operator's
8privacy policy to an online location containing a description,
9including the effects, of any program or protocol the operator
10follows that offers the consumer that choice.