Full Text of SB1798 94th General Assembly

94TH GENERAL ASSEMBLY
State of Illinois
2005 and 2006
SB1798

Introduced 2/25/2005, by Sen. Peter J. Roskam

SYNOPSIS AS INTRODUCED:
Creates the Personal Information Protection Act. Requires any person, business, or State agency conducting business in the State, and that owns or licenses computerized data that includes vulnerable personal information, to disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any person whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person. Requires any person, business, or State agency that maintains computerized data that includes vulnerable personal information that the person, business, or State agency does not own, to notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the vulnerable personal information was, or is reasonably believed to have been acquired by an unauthorized person. Provides that notice may be provided to a customer in one of the following ways: (1) written notice; or (2) substitute notice if the person or business demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person or business does not have sufficient contact information.

A BILL FOR

SB1798
LRB094 11157 RXD 41798 b

AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Personal Information Protection Act.

Section 5. Definitions. In this Act:

"Breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person, business, or State agency. "Breach of the security of the system" does not include good faith acquisition of personal information by an employee or agent of the person, business, or State agency, provided that the personal information is not used or subject to further unauthorized disclosure.

"Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier can be used to identify the natural person.

"Vulnerable personal information" means personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted:

(1) Social security number.
(2) Driver's license number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Vulnerable personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

Section 10. Security breach.

(a) Any person, business, or State agency that conducts business in the State and owns or licenses computerized data that includes vulnerable personal information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of the State whose unencrypted personal information was, or is reasonably believed to have been acquired by an unauthorized person. Disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of the law enforcement agency, as provided in subsection (b), or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

(b) Any person, business, or State agency that maintains computerized data that includes vulnerable personal information that the person, business, or State agency does not own, shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the vulnerable personal information was, or is reasonably believed to have been acquired by an unauthorized person.

(1) Notice may be provided by one of the following methods:

(A) written notice; or

(B) substitute notice, if a person, business, or State agency demonstrates that the cost of providing notice would exceed $250,000, or the affected class of persons to be notified exceeds 500,000, or the person, business, or State agency does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notification if the person, business, or State agency has an email address for the person to be notified; (ii) conspicuous posting of the notice on a web site if the person, business, or State agency maintains a web site page; and (iii) notification to major statewide media outlets.

(2) The notification required under this subsection (b) may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. Notification shall be made after the law enforcement agency determines that it will not compromise its investigation.

Section 15. Violation; person or business.

(a) Any person or business found to have violated this Act, knowingly or recklessly, shall be liable to the aggrieved user for all actual damages sustained by the user as a direct result of the violation, provided that any subscriber that prevails or substantially prevails in any action brought under this subsection (a) shall receive not less than $500,000 in damages, regardless of the amount of actual damage proved, plus costs, disbursements, and reasonable attorney's fees. An action brought under this subsection (a) may be maintained as a class action.

(b) Civil penalties under this Act are recoverable in an action brought by the Attorney General on behalf of the State in the circuit court. A circuit court may issue an injunction to restrain any person or business from violating or continuing to violate any provision of this Act.

(c) If the court determines that a grossly negligent violation of this Act has occurred, the court may impose a civil penalty of not more than $1,000 for the violation.

(d) The rights and remedies available under this Section are cumulative to each other and to any other rights and remedies available under law.