Full Text of SB2977 94th General Assembly
SB2977 94TH GENERAL ASSEMBLY
|
|
|
|
94TH GENERAL ASSEMBLY
State of Illinois
2005 and 2006
SB2977
Introduced 1/20/2006, by Sen. Don Harmon SYNOPSIS AS INTRODUCED:
|
|
220 ILCS 5/13-910 new |
|
220 ILCS 5/13-911 new |
|
225 ILCS 447/40-10 |
|
720 ILCS 110/2 |
from Ch. 38, par. 87-2 |
720 ILCS 110/4 new |
|
815 ILCS 505/2Z |
from Ch. 121 1/2, par. 262Z |
|
Amends the Telecommunications Article of the Public Utilities Act. Prohibits any telecommunications carrier from releasing the customer proprietary network information or personal identifying information of any end user with an Illinois billing address or an Illinois area code, except under specified circumstances. Requires the Illinois Commerce Commission to adopt rules to regulate the security of customer proprietary network information and personal identifying information. Requires a telecommunications carrier to provide notice to an Illinois resident (i) in the event of a breach of customer property network information or personal identifying information concerning an Illinois resident or (ii) if the carrier discovers or has reason to believe that customer proprietary network information or personal identifying information concerning the Illinois resident was acquired by an unauthorized person. Sets forth penalties for failure to comply with the provisions. Amends the Private Detective, Private Alarm, Private Security, and Locksmith Act of 2004 to authorize the Department of Financial and Professional Regulation to impose disciplinary sanctions against any licensee for purchasing, acquiring, selling, or releasing the customer proprietary network information or personal identifying information of an Illinois resident. Amends the Communications Consumer Privacy Act. Provides that it is an unlawful business offense for a customer proprietary network information broker to purchase, acquire, sell, or release customer proprietary network information or personal identifying information of an Illinois resident. Sets forth penalties for violations. Amends the Consumer Fraud and Deceptive Business Practices Act to provide that any person who knowingly violates certain provisions of the Public Utilities Act prohibiting the release of the customer proprietary network information or personal identifying information of any end user commits an unlawful practice within the meaning of the Act. Effective immediately.
|
| |
|
|
| FISCAL NOTE ACT MAY APPLY | |
|
|
|
A BILL FOR
|
|
|
|
|
SB2977 |
|
LRB094 19079 MKM 54587 b |
|
| | 1 |
| AN ACT concerning telecommunications.
| | 2 |
| Be it enacted by the People of the State of Illinois,
| | 3 |
| represented in the General Assembly:
| | 4 |
| Section 1. Findings. | | 5 |
| (a) The General Assembly finds and declares that | | 6 |
| unauthorized access and use of customer proprietary network | | 7 |
| information and personal identifying information endanger the | | 8 |
| safety, security, and privacy of Illinois telecommunications | | 9 |
| end users and Illinois residents and it is therefore in the | | 10 |
| public interest to ensure that this information is not released | | 11 |
| without the express consent of the end user or the end user's | | 12 |
| authorized representative. | | 13 |
| (b) The General Assembly further finds and declares that | | 14 |
| the widespread availability of and unauthorized access to | | 15 |
| customer proprietary network information and personal | | 16 |
| identifying information have led to and will continue to lead | | 17 |
| to a substantial increase in identity theft-related crimes and | | 18 |
| other crimes.
| | 19 |
| Section 5. The Public Utilities Act is amended by adding | | 20 |
| Sections 13-910 and 13-911 as follows:
| | 21 |
| (220 ILCS 5/13-910 new) | | 22 |
| Sec. 13-910. Customer proprietary network information. | | 23 |
| (a) As used in this Section: | | 24 |
| "Customer proprietary network information" means: (i) | | 25 |
| information maintained by a telecommunications carrier that | | 26 |
| relates to the quantity, technical configuration, type, | | 27 |
| destination, and amount of use of any telecommunications | | 28 |
| service subscribed to by an end user of the telecommunications | | 29 |
| carrier and that is made available to the carrier by the end | | 30 |
| user solely by virtue of its relationship with the carrier; | | 31 |
| (ii) information contained in the end user's billing statement |
|
|
|
SB2977 |
- 2 - |
LRB094 19079 MKM 54587 b |
|
| | 1 |
| pertaining to telecommunications services received by the end | | 2 |
| user from a telecommunications carrier; and (iii) information | | 3 |
| identifying the location of the end user or that may be used to | | 4 |
| identify the location of an end user. | | 5 |
| "End user" means that term as it is defined in Section | | 6 |
| 13-217 of this Act.
| | 7 |
| "Personal identifying information" means that term as it is | | 8 |
| defined in subsection (b) of Section 16G-10 of the Criminal | | 9 |
| Code of 1961. | | 10 |
| (b) No telecommunications carrier may release the customer | | 11 |
| proprietary network information or personal identifying | | 12 |
| information of any end user with an Illinois billing address or | | 13 |
| an Illinois area code without the express consent of the end | | 14 |
| user, except with proper law enforcement or court order | | 15 |
| documentation. | | 16 |
| (c) Within one year after the effective date of this | | 17 |
| amendatory Act of the 94th General Assembly, the Commission | | 18 |
| must adopt rules to regulate the security of customer | | 19 |
| proprietary network information and personal identifying | | 20 |
| information including, but not limited to, all of the following | | 21 |
| provisions: | | 22 |
| (1) Security standards to protect the confidentiality | | 23 |
| of data records containing customer proprietary network | | 24 |
| information and personal identifying information. | | 25 |
| (2) Authentication procedures necessary to provide | | 26 |
| access by the end user or the end user's authorized | | 27 |
| representative to the end user's customer proprietary | | 28 |
| network information and personal identifying information. | | 29 |
| (3) Reporting requirements for telecommunications | | 30 |
| carriers, remedies, and other enforcement mechanisms to | | 31 |
| ensure compliance with this Section. | | 32 |
| The rules may allow for an implementation period of up to | | 33 |
| one year for a telecommunications carrier to implement the | | 34 |
| rules adopted by the Commission in accordance with this Section | | 35 |
| if the Commission determines that immediate and full compliance | | 36 |
| with the rules would be unduly economically burdensome or |
|
|
|
SB2977 |
- 3 - |
LRB094 19079 MKM 54587 b |
|
| | 1 |
| technically infeasible for the telecommunications carrier. | | 2 |
| (d) No provision of this Section shall be construed to | | 3 |
| prohibit a telecommunications carrier from obtaining, using, | | 4 |
| releasing, or permitting access to any customer proprietary | | 5 |
| network information or personal identifying information of any | | 6 |
| end user with an Illinois billing address or an Illinois area | | 7 |
| code as follows: | | 8 |
| (1) as otherwise authorized by law; | | 9 |
| (2) with the lawful consent of the end user or the end | | 10 |
| user's designated representative; | | 11 |
| (3) as necessary for the provision of services, for the | | 12 |
| protection of the rights or property of the provider, for | | 13 |
| the protection of end users, and for the protection of | | 14 |
| other telecommunications carriers from fraudulent, | | 15 |
| abusive, or unlawful use of or subscription to services; | | 16 |
| (4) to a governmental entity, if the telecommunication | | 17 |
| carrier reasonably believes that an emergency involving | | 18 |
| immediate danger of death or serious physical injury to any | | 19 |
| person justifies disclosure of the information; or | | 20 |
| (5) to the National Center for Missing and Exploited | | 21 |
| Children, in connection with the report submitted thereto | | 22 |
| under Section 227 of the federal Victims of Child Abuse Act | | 23 |
| of 1990.
| | 24 |
| (220 ILCS 5/13-911 new) | | 25 |
| Sec. 13-911. Breach of customer proprietary network | | 26 |
| information.
| | 27 |
| (a) As used in the Section: | | 28 |
| "Breach of customer proprietary network information" means | | 29 |
| the unauthorized acquisition of customer proprietary network | | 30 |
| information or personal identifying information that | | 31 |
| compromises the security, confidentiality, or integrity of | | 32 |
| that information as maintained by the telecommunications | | 33 |
| carrier. | | 34 |
| "Customer proprietary network information" means that term | | 35 |
| as it defined in Section 13-910.
|
|
|
|
SB2977 |
- 4 - |
LRB094 19079 MKM 54587 b |
|
| | 1 |
| "Personal identifying information" means that term as it is | | 2 |
| defined in subsection (b) of Section 16G-10 of the Criminal | | 3 |
| Code of 1961. | | 4 |
| "Customer proprietary network information" and "personal | | 5 |
| identifying information" do not include publicly available | | 6 |
| information that is lawfully made available to the general | | 7 |
| public from federal, State, or local government records. | | 8 |
| (b) In the event of a breach of customer proprietary | | 9 |
| network information or personal identifying information | | 10 |
| concerning an Illinois resident, the telecommunications | | 11 |
| carrier must notify the Illinois resident immediately | | 12 |
| following discovery or notification of the breach. The notice | | 13 |
| must be made in the most expedient manner possible and without | | 14 |
| unreasonable delay, consistent with any measures necessary to | | 15 |
| determine the scope of the breach and restore the reasonable | | 16 |
| integrity, security, and confidentiality of the customer | | 17 |
| proprietary network information or personal identifying | | 18 |
| information. | | 19 |
| (c) If the telecommunications carrier discovers or has | | 20 |
| reason to believe that customer proprietary network | | 21 |
| information or personal identifying information concerning an | | 22 |
| Illinois resident was acquired by an unauthorized person, the | | 23 |
| telecommunications carrier must immediately notify the | | 24 |
| Illinois resident and disclose any breach or suspected breach | | 25 |
| of customer proprietary information or personal identifying | | 26 |
| information. The notice must be made in the most expedient | | 27 |
| manner possible and without unreasonable delay, consistent | | 28 |
| with any measures necessary to determine the scope of the | | 29 |
| acquisition by an unauthorized person and to restore the | | 30 |
| reasonable integrity, security, and confidentiality of the | | 31 |
| customer proprietary network information or personal | | 32 |
| identifying information. | | 33 |
| (d) For purposes of this Section, notice to Illinois | | 34 |
| residents under this Section may be provided by any one of the | | 35 |
| following methods: | | 36 |
| (1) written notice; |
|
|
|
SB2977 |
- 5 - |
LRB094 19079 MKM 54587 b |
|
| | 1 |
| (2) electronic notice, if the notice provided is | | 2 |
| consistent with the provisions regarding electronic | | 3 |
| records and signatures for notices legally required to be | | 4 |
| in writing, as set forth in Section 7001 of Title 15 of the | | 5 |
| United States Code; or | | 6 |
| (3) substitute notice, if the telecommunications | | 7 |
| carrier demonstrates that the cost of providing notice | | 8 |
| would exceed $250,000 or that the affected class of subject | | 9 |
| persons to be notified exceeds 500,000, or if the | | 10 |
| telecommunications carrier does not have sufficient | | 11 |
| contact information. Substitute notice shall consist of | | 12 |
| all of the following: (i) e-mail notice if the | | 13 |
| telecommunications carrier has an e-mail address for the | | 14 |
| subject persons; (ii) conspicuous posting of the notice on | | 15 |
| the telecommunication carrier's website, if the | | 16 |
| telecommunications carrier maintains one; and (iii) notice | | 17 |
| to major statewide media. | | 18 |
| (e) Notwithstanding any other provision of this Section to | | 19 |
| the contrary, if a telecommunications carrier maintains its own | | 20 |
| notice procedures as part of a security policy for the | | 21 |
| treatment of customer proprietary network information or | | 22 |
| personal identifying information that is otherwise consistent | | 23 |
| with the timing requirements of this Section, then that carrier | | 24 |
| shall be deemed to be in compliance with the notice | | 25 |
| requirements of this Section if the telecommunications carrier | | 26 |
| notifies Illinois residents in accordance with its policies in | | 27 |
| the event of a breach of the security of customer proprietary | | 28 |
| network information or personal identifying information. | | 29 |
| (f) Any waiver of the provisions of this Section is | | 30 |
| contrary to public policy and is void and unenforceable. | | 31 |
| (g) A violation of this Section constitutes an unlawful | | 32 |
| practice under the Consumer Fraud and Deceptive Business | | 33 |
| Practices Act.
| | 34 |
| Section 10. The Private Detective, Private Alarm, Private | | 35 |
| Security, and
Locksmith Act of 2004 is amended by changing |
|
|
|
SB2977 |
- 6 - |
LRB094 19079 MKM 54587 b |
|
| | 1 |
| Section 40-10 as follows:
| | 2 |
| (225 ILCS 447/40-10)
| | 3 |
| (Section scheduled to be repealed on January 1, 2014)
| | 4 |
| Sec. 40-10. Disciplinary sanctions.
| | 5 |
| (a) The Department may deny issuance, refuse to renew,
or | | 6 |
| restore or may reprimand, place on probation, suspend, or
| | 7 |
| revoke any license, registration, permanent employee
| | 8 |
| registration card, or firearm authorization card, and it may
| | 9 |
| impose a fine not to exceed $1,500 for a first violation and
| | 10 |
| not to exceed $5,000 for a second or subsequent violation for
| | 11 |
| any of the following:
| | 12 |
| (1) Fraud or deception in obtaining or renewing of
a | | 13 |
| license or registration.
| | 14 |
| (2) Professional incompetence as manifested by poor
| | 15 |
| standards of service.
| | 16 |
| (3) Engaging in dishonorable, unethical, or
| | 17 |
| unprofessional conduct of a character likely to deceive,
| | 18 |
| defraud, or harm the public.
| | 19 |
| (4) Conviction in Illinois or another state of any
| | 20 |
| crime that is a felony under the laws of Illinois; a felony | | 21 |
| in
a federal court; a misdemeanor, an essential element of | | 22 |
| which
is dishonesty; or directly related to professional | | 23 |
| practice.
| | 24 |
| (5) Performing any services in a grossly negligent
| | 25 |
| manner or permitting any of a licensee's employees to | | 26 |
| perform
services in a grossly negligent manner, regardless | | 27 |
| of whether
actual damage to the public is established.
| | 28 |
| (6) Continued practice, although the person
has become | | 29 |
| unfit to practice due to any of the
following:
| | 30 |
| (A) Physical illness, including, but not
limited | | 31 |
| to, deterioration through the aging process or loss of
| | 32 |
| motor skills that results in the inability to serve the | | 33 |
| public
with reasonable judgment, skill, or safety.
| | 34 |
| (B) Mental disability demonstrated by the
entry of | | 35 |
| an order or judgment by a court that a
person is in |
|
|
|
SB2977 |
- 7 - |
LRB094 19079 MKM 54587 b |
|
| | 1 |
| need of mental treatment or is incompetent.
| | 2 |
| (C) Addiction to or dependency on alcohol or
drugs | | 3 |
| that is likely to endanger the public. If the
| | 4 |
| Department has reasonable cause to believe that a | | 5 |
| person is
addicted to or dependent on alcohol or drugs | | 6 |
| that
may endanger the public, the Department may | | 7 |
| require the
person to undergo an examination to | | 8 |
| determine the
extent of the addiction or dependency.
| | 9 |
| (7) Receiving, directly or indirectly, compensation
| | 10 |
| for any services not rendered.
| | 11 |
| (8) Willfully deceiving or defrauding the public on
a | | 12 |
| material matter.
| | 13 |
| (9) Failing to account for or remit any moneys or
| | 14 |
| documents coming into the licensee's possession that
| | 15 |
| belong to another person or entity.
| | 16 |
| (10) Discipline by another United States
jurisdiction | | 17 |
| or foreign nation, if at least one of the grounds
for the | | 18 |
| discipline is the same or substantially equivalent to
those | | 19 |
| set forth in this Act.
| | 20 |
| (11) Giving differential treatment to a person that
is | | 21 |
| to that person's detriment because of race, color, creed,
| | 22 |
| sex, religion, or national origin.
| | 23 |
| (12) Engaging in false or misleading advertising.
| | 24 |
| (13) Aiding, assisting, or willingly permitting
| | 25 |
| another person to violate this Act or rules promulgated | | 26 |
| under
it.
| | 27 |
| (14) Performing and charging for services without
| | 28 |
| authorization to do so from the person or entity serviced.
| | 29 |
| (15) Directly or indirectly offering or accepting
any | | 30 |
| benefit to or from any employee, agent, or fiduciary
| | 31 |
| without the consent of the latter's employer or principal | | 32 |
| with
intent to or the understanding that this action will | | 33 |
| influence
his or her conduct in relation to his or her | | 34 |
| employer's or
principal's affairs.
| | 35 |
| (16) Violation of any disciplinary order imposed on
a | | 36 |
| licensee by the Department.
|
|
|
|
SB2977 |
- 8 - |
LRB094 19079 MKM 54587 b |
|
| | 1 |
| (17) Failing to comply with any provision of this
Act | | 2 |
| or rule promulgated under it.
| | 3 |
| (18) Conducting an agency without a valid license.
| | 4 |
| (19) Revealing confidential information, except as
| | 5 |
| required by law, including but not limited to information
| | 6 |
| available under Section 2-123 of the Illinois Vehicle Code.
| | 7 |
| (20) Failing to make available to the Department,
upon | | 8 |
| request, any books, records, or forms required by this
Act.
| | 9 |
| (21) Failing, within 30 days, to respond to a
written | | 10 |
| request for information from the Department.
| | 11 |
| (22) Failing to provide employment information or
| | 12 |
| experience information required by the Department | | 13 |
| regarding an
applicant for licensure.
| | 14 |
| (23) Failing to make available to the Department at
the | | 15 |
| time of the request any indicia of licensure or
| | 16 |
| registration issued under this Act.
| | 17 |
| (24) Purporting to be a licensee-in-charge of an
agency | | 18 |
| without active participation in the agency.
| | 19 |
| (25) Purchasing, acquiring, selling, or releasing the | | 20 |
| customer proprietary network information or personal | | 21 |
| identifying information of any third party who is an | | 22 |
| Illinois resident. For purposes of this Section, "customer | | 23 |
| proprietary network information" means that term as it is | | 24 |
| defined in Section 13-910 of the Public Utilities Act and | | 25 |
| "personal identifying information" means that term as it is | | 26 |
| defined in subsection (b) of Section 16G-10 of the Criminal | | 27 |
| Code of 1961.
| | 28 |
| (b) The Department shall seek to be consistent in the
| | 29 |
| application of disciplinary sanctions.
| | 30 |
| (Source: P.A. 93-438, eff. 8-5-03.)
| | 31 |
| Section 15. The Communications Consumer Privacy Act is | | 32 |
| amended by changing Section 2 and by adding Section 4 as | | 33 |
| follows:
| | 34 |
| (720 ILCS 110/2) (from Ch. 38, par. 87-2)
|
|
|
|
SB2977 |
- 9 - |
LRB094 19079 MKM 54587 b |
|
| | 1 |
| Sec. 2. Definitions.
For purposes of this Act: ,
| | 2 |
| "Communications Company" means any
person or organization | | 3 |
| which owns, controls, operates or manages any company
which | | 4 |
| provides information or entertainment electronically to a | | 5 |
| household,
including but not limited to a cable or community | | 6 |
| antenna television system.
| | 7 |
| "Customer proprietary network information broker" means | | 8 |
| any person or organization that purchases, acquires, sells, or | | 9 |
| releases the customer proprietary network information of any | | 10 |
| third party or that attempts to purchase, acquire, sell, or | | 11 |
| release the customer proprietary network information of any | | 12 |
| third party.
| | 13 |
| "Customer proprietary network information" means that term | | 14 |
| as it is defined in Section 13-901 of the Public Utilities Act.
| | 15 |
| "End user" means that term as it is defined in Section | | 16 |
| 13-217 of the Public Utilities Act.
| | 17 |
| "Personal identifying information" means that term as it is | | 18 |
| defined in subsection (b) of Section 16G-10 of the Criminal | | 19 |
| Code of 1961. | | 20 |
| "Telecommunications carrier" means that term as it is | | 21 |
| defined in Section 13-202 of the Public Utilities Act.
| | 22 |
| (Source: P.A. 82-526.)
| | 23 |
| (720 ILCS 110/4 new) | | 24 |
| Sec. 4. Customer proprietary network information; | | 25 |
| purchase, acquisition, sale, or release prohibited. | | 26 |
| (a) It is unlawful for any customer proprietary network | | 27 |
| information broker to purchase, acquire, sell, or release the | | 28 |
| customer proprietary network information or any personal | | 29 |
| identifying information of any third party who is an Illinois | | 30 |
| resident or to attempt to purchase, acquire, sell, or release | | 31 |
| the customer proprietary network information or any personal | | 32 |
| identifying information of any third party who is an Illinois | | 33 |
| resident. This Section applies whether the customer | | 34 |
| proprietary network information is obtained by the customer | | 35 |
| proprietary network information broker directly from a |
|
|
|
SB2977 |
- 10 - |
LRB094 19079 MKM 54587 b |
|
| | 1 |
| telecommunications carrier or from any other third party | | 2 |
| source. For purposes of this Section, an individual is an | | 3 |
| Illinois resident if the individual has an Illinois billing | | 4 |
| address or an Illinois area code. | | 5 |
| (b) A violation of any provision of this Section is a | | 6 |
| business offense punishable by a fine in an amount not to | | 7 |
| exceed $10,000 for each violation. Each item of customer | | 8 |
| proprietary network information or personal identifying | | 9 |
| information purchased, acquired, sold, or released and each | | 10 |
| attempt to purchase, acquire, sell, or release customer | | 11 |
| proprietary network information constitutes a separate | | 12 |
| violation of this Section. Any person who has been injured by a | | 13 |
| violation of this Section may commence an action in circuit | | 14 |
| court for damages against the customer proprietary network | | 15 |
| information broker who committed the violation. If the court | | 16 |
| awards damages to the plaintiff in any action brought under | | 17 |
| this Section, the court shall awarded the plaintiff court costs | | 18 |
| and attorney's fees. | | 19 |
| (c) No provision of this Section shall be construed to | | 20 |
| prevent any action by a law enforcement agency or any officer, | | 21 |
| employee, or agent of a law enforcement agency, to obtain the | | 22 |
| customer proprietary network information or personal | | 23 |
| identifying information of any third party who is an Illinois | | 24 |
| resident in connection with the performance of the official | | 25 |
| duties of the agency, officer, employee, or agent.
| | 26 |
| Section 20. The Consumer Fraud and Deceptive Business | | 27 |
| Practices Act is amended by changing Section 2Z as follows:
| | 28 |
| (815 ILCS 505/2Z) (from Ch. 121 1/2, par. 262Z)
| | 29 |
| Sec. 2Z. Violations of other Acts. Any person who knowingly | | 30 |
| violates
the Automotive Repair Act, the Automotive Collision | | 31 |
| Repair Act,
the Home Repair and Remodeling Act,
the Dance | | 32 |
| Studio Act,
the Physical Fitness Services Act,
the Hearing | | 33 |
| Instrument Consumer Protection Act,
the Illinois Union Label | | 34 |
| Act,
the Job Referral and Job Listing Services Consumer |
|
|
|
SB2977 |
- 11 - |
LRB094 19079 MKM 54587 b |
|
| | 1 |
| Protection Act,
the Travel Promotion Consumer Protection Act,
| | 2 |
| the Credit Services Organizations Act,
the Automatic Telephone | | 3 |
| Dialers Act,
the Pay-Per-Call Services Consumer Protection | | 4 |
| Act,
the Telephone Solicitations Act,
the Illinois Funeral or | | 5 |
| Burial Funds Act,
the Cemetery Care Act,
the Safe and Hygienic | | 6 |
| Bed Act,
the Pre-Need Cemetery Sales Act,
the High Risk Home | | 7 |
| Loan Act, the Payday Loan Reform Act, subsection (a) or (b) of | | 8 |
| Section 3-10 of the
Cigarette Tax Act, the Payday Loan Reform | | 9 |
| Act, subsection
(a) or (b) of Section 3-10 of the Cigarette Use | | 10 |
| Tax Act, the Electronic
Mail Act, paragraph (6)
of
subsection | | 11 |
| (k) of Section 6-305 of the Illinois Vehicle Code, Article 3 of | | 12 |
| the Residential Real Property Disclosure Act, the Automatic | | 13 |
| Contract Renewal Act, Section 13-911 of the Public Utilities | | 14 |
| Act, or the Personal Information Protection Act commits an | | 15 |
| unlawful practice within the meaning of this Act.
| | 16 |
| (Source: P.A. 93-561, eff. 1-1-04; 93-950, eff. 1-1-05; 94-13, | | 17 |
| eff. 12-6-05; 94-36, eff. 1-1-06; 94-280, eff. 1-1-06; 94-292, | | 18 |
| eff. 1-1-06; revised 8-19-05.)
| | 19 |
| Section 99. Effective date. This Act takes effect upon | | 20 |
| becoming law.
|
|
Translate
