Rep. Ann Williams

Filed: 5/11/2015





09900SB1833ham001LRB099 09064 JLS 35392 a


2    AMENDMENT NO. ______. Amend Senate Bill 1833 on page 1 by
3replacing line 5 with the following:
4"amended by changing Sections 5, 10, and 12 and adding Sections
545,"; and
6on page 1, line 6, by changing "and 50" to "50, and 55"; and
7on page 2, line 4, by changing "history." to "history,
8including, but not limited to, consumer profiles that are based
9upon the information. "Consumer marketing information" does
10not include information related to a consumer's online browsing
11history, online search history, or purchasing history held by a
12data collector that has a direct relationship with the
13consumer."; and
14on page 2, line 7, by changing "is" to "is stored and"; and



09900SB1833ham001- 2 -LRB099 09064 JLS 35392 a

1on page 2, line 8, by changing "the device" to "an individual";
3on page 3, line 14, by changing "data" to "data generated from
4measurements or analysis of human body characteristics that
5could be used to identify an individual"; and
6on page 3, line 23, by changing "name" to "name, when not part
7of an individual's surname"; and
8on page 5, line 2, by changing "information"" to "information",
9excluding geolocation information and consumer marketing
10information"; and
11on page 8, line 4, by changing "that" to "that owns or licenses
12personal information and"; and
13on page 8, line 9, by changing "A description of the" to "The
14types of"; and
15on page 8, line 20, by changing "2 days before" to "when"; and
16on page 9, line 12, by changing "A description of the" to "The
17types of"; and
18on page 10 by replacing lines 10 through 18 with the following:



09900SB1833ham001- 3 -LRB099 09064 JLS 35392 a

1    "(f) Upon receiving notification from a data collector of a
2breach of personal information, the Attorney General may
3publish the name of the data collector that suffered the
4breach, the types of personal information compromised in the
5breach, and the date range of the breach."; and
6on page 10 by inserting immediately below line 19 the
8    "(815 ILCS 530/12)
9    Sec. 12. Notice of breach; State agency.
10    (a) Any State agency that collects personal information,
11excluding geolocation and consumer marketing information,
12concerning an Illinois resident shall notify the resident at no
13charge that there has been a breach of the security of the
14system data or written material following discovery or
15notification of the breach. The disclosure notification shall
16be made in the most expedient time possible and without
17unreasonable delay, consistent with any measures necessary to
18determine the scope of the breach and restore the reasonable
19integrity, security, and confidentiality of the data system.
20The disclosure notification to an Illinois resident shall
21include, but need not be limited to information as follows:
22        (1) With respect to personal information defined in
23    Section 5 in paragraph (1) of the definition of "personal
24    information": ,



09900SB1833ham001- 4 -LRB099 09064 JLS 35392 a

1            (i) the toll-free numbers and addresses for
2        consumer reporting agencies; ,
3            (ii) the toll-free number, address, and website
4        address for the Federal Trade Commission; , and
5            (iii) a statement that the individual can obtain
6        information from these sources about fraud alerts and
7        security freezes.
8        (2) With respect to personal information as defined in
9    Section 5 in paragraph (2) of the definition of "personal
10    information", notice may be provided in electronic or other
11    form directing the Illinois resident whose personal
12    information has been breached to promptly change his or her
13    user name or password and security question or answer, as
14    applicable, or to take other steps appropriate to protect
15    all online accounts for which the resident uses the same
16    user name or email address and password or security
17    question and answer.
18    The notification shall not, however, include information
19concerning the number of Illinois residents affected by the
21    (a-5) The notification to an Illinois resident required by
22subsection (a) of this Section may be delayed if an appropriate
23law enforcement agency determines that notification will
24interfere with a criminal investigation and provides the State
25agency with a written request for the delay. However, the State
26agency must notify the Illinois resident as soon as



09900SB1833ham001- 5 -LRB099 09064 JLS 35392 a

1notification will no longer interfere with the investigation.
2    (b) For purposes of this Section, notice to residents may
3be provided by one of the following methods:
4        (1) written notice;
5        (2) electronic notice, if the notice provided is
6    consistent with the provisions regarding electronic
7    records and signatures for notices legally required to be
8    in writing as set forth in Section 7001 of Title 15 of the
9    United States Code; or
10        (3) substitute notice, if the State agency
11    demonstrates that the cost of providing notice would exceed
12    $250,000 or that the affected class of subject persons to
13    be notified exceeds 500,000, or the State agency does not
14    have sufficient contact information. Substitute notice
15    shall consist of all of the following: (i) email notice if
16    the State agency has an email address for the subject
17    persons; (ii) conspicuous posting of the notice on the
18    State agency's web site page if the State agency maintains
19    one; and (iii) notification to major statewide media.
20    (c) Notwithstanding subsection (b), a State agency that
21maintains its own notification procedures as part of an
22information security policy for the treatment of personal
23information and is otherwise consistent with the timing
24requirements of this Act shall be deemed in compliance with the
25notification requirements of this Section if the State agency
26notifies subject persons in accordance with its policies in the



09900SB1833ham001- 6 -LRB099 09064 JLS 35392 a

1event of a breach of the security of the system data or written
3    (d) If a State agency is required to notify more than 1,000
4persons of a breach of security pursuant to this Section, the
5State agency shall also notify, without unreasonable delay, all
6consumer reporting agencies that compile and maintain files on
7consumers on a nationwide basis, as defined by 15 U.S.C.
8Section 1681a(p), of the timing, distribution, and content of
9the notices. Nothing in this subsection (d) shall be construed
10to require the State agency to provide to the consumer
11reporting agency the names or other personal identifying
12information of breach notice recipients.
13    (e) Notice to Attorney General.
14        (1) Any State agency that suffers a single breach of
15    the security of the data concerning the personal
16    information of more than 250 Illinois residents shall
17    provide notice to the Attorney General of the breach,
18    including:
19            (A) The categories of personal information
20        compromised in the breach.
21            (B) The number of Illinois residents affected by
22        such incident at the time of notification.
23            (C) Any steps the State agency has taken or plans
24        to take relating to notification of the breach to
25        consumers.
26            (D) The date and timeframe of the breach, if known



09900SB1833ham001- 7 -LRB099 09064 JLS 35392 a

1        at the time notification is provided.
2        Such notification must be made within 30 business days
3    of the State agency's discovery of the security breach or
4    when the State agency provides any notice to consumers
5    required by this Section, whichever is sooner, unless the
6    State agency has good cause for reasonable delay to
7    determine the scope of the breach and restore the
8    integrity, security, and confidentiality of the data
9    system, or when law enforcement requests in writing to
10    withhold disclosure of some or all of the information
11    required in the notification under this Section. If the
12    date or timeframe of the breach is unknown at the time the
13    notice is sent to the Attorney General, the State agency
14    shall send the Attorney General the date or timeframe of
15    the breach as soon as possible.
16(Source: P.A. 97-483, eff. 1-1-12.)"; and
17on page 11 by deleting lines 17 through 22; and
18on page 11, line 23, by changing "(e)" to "(d)"; and
19on page 13, line 23, by replacing "online service" with ", in
20the case of an operator of an online service, make the policy
21available in accordance with paragraph (5) of subsection (a) of
22this Section"; and



09900SB1833ham001- 8 -LRB099 09064 JLS 35392 a

1on page 15 by inserting immediately below line 10 the
3    "(815 ILCS 530/55 new)
4    Sec. 55. Entities subject to the federal Health Insurance
5Portability and Accountability Act of 1996. Any covered entity
6or business associate that is subject to and in compliance with
7the privacy and security standards for the protection of
8electronic health information established pursuant to the
9federal Health Insurance Portability and Accountability Act of
101996 and the Health Information Technology for Economic and
11Clinical Health Act shall be deemed to be in compliance with
12the provisions of this Act, provided that any covered entity or
13business associate required to provide notification of a breach
14to the Secretary of Health and Human Services pursuant to the
15Health Information Technology for Economic and Clinical Health
16Act also provides such notification to the Attorney General
17within 5 business days of notifying the Secretary.".