Illinois General Assembly - Full Text of SB1833
Illinois General Assembly

Previous General Assemblies

Full Text of SB1833  99th General Assembly

SB1833sam002 99TH GENERAL ASSEMBLY

Sen. Daniel Biss

Filed: 4/17/2015

 

 


 

 


 
09900SB1833sam002LRB099 09064 JLS 34170 a

1
AMENDMENT TO SENATE BILL 1833

2    AMENDMENT NO. ______. Amend Senate Bill 1833 by replacing
3everything after the enacting clause with the following:
 
4    "Section 5. The Personal Information Protection Act is
5amended by changing Sections 5 and 10 and by adding Sections 45
6and 50 as follows:
 
7    (815 ILCS 530/5)
8    Sec. 5. Definitions. In this Act:
9    "Data Collector" may include, but is not limited to,
10government agencies, public and private universities,
11privately and publicly held corporations, financial
12institutions, retail operators, and any other entity that, for
13any purpose, handles, collects, disseminates, or otherwise
14deals with nonpublic personal information.
15    "Breach of the security of the system data" or "breach"
16means unauthorized acquisition of computerized data that

 

 

09900SB1833sam002- 2 -LRB099 09064 JLS 34170 a

1compromises the security, confidentiality, or integrity of
2personal information maintained by the data collector. "Breach
3of the security of the system data" does not include good faith
4acquisition of personal information by an employee or agent of
5the data collector for a legitimate purpose of the data
6collector, provided that the personal information is not used
7for a purpose unrelated to the data collector's business or
8subject to further unauthorized disclosure.
9    "Consumer marketing information" means information related
10to a consumer's online browsing history, online search history,
11or purchasing history.
12    "Geolocation information" means information generated or
13derived from the operation or use of an electronic
14communications device that is sufficient to identify the street
15name and name of the city or town in which the device is
16located. "Geolocation information" does not include the
17contents of an electronic communication.
18    "Health insurance information" means an individual's
19health insurance policy number or subscriber identification
20number, any unique identifier used by a health insurer to
21identify the individual, or any information in an individual's
22health insurance application and claims history, including any
23appeals records.
24    "Medical information" means any information regarding an
25individual's medical history, mental or physical condition, or
26medical treatment or diagnosis by a healthcare professional,

 

 

09900SB1833sam002- 3 -LRB099 09064 JLS 34170 a

1including health information provided to a website or mobile
2application.
3    "Personal information" means either of the following:
4        (1) an individual's first name or first initial and
5    last name in combination with any one or more of the
6    following data elements, when either the name or the data
7    elements are not encrypted or redacted or are encrypted or
8    redacted but the keys to unencrypt or unredact or otherwise
9    read the name or data elements have been acquired without
10    authorization through the breach of security:
11            (A) (1) Social Security number.
12            (B) (2) Driver's license number or State
13        identification card number.
14            (C) (3) Account number or credit or debit card
15        number, or an account number or credit card number in
16        combination with any required security code, access
17        code, or password that would permit access to an
18        individual's financial account.
19            (D) Medical information.
20            (E) Health insurance information.
21            (F) Unique biometric data, such as a fingerprint,
22        retina or iris image, or other unique physical
23        representation or digital representation of biometric
24        data.
25            (G) Geolocation information.
26            (H) Consumer marketing information.

 

 

09900SB1833sam002- 4 -LRB099 09064 JLS 34170 a

1            (I) Any 2 of the following data elements:
2                (i) home address, telephone number, or email
3            address;
4                (ii) mother's maiden name;
5                (iii) month, day, and year of birth.
6        (2) user name or email address, in combination with a
7    password or security question and answer that would permit
8    access to an online account, when either the user name or
9    email address or password or security question and answer
10    are not encrypted or redacted or are encrypted or redacted
11    but the keys to unencrypt or unredact or otherwise read the
12    data elements have been obtained through the breach of
13    security.
14    "Personal information" does not include publicly available
15information that is lawfully made available to the general
16public from federal, State, or local government records.
17(Source: P.A. 97-483, eff. 1-1-12.)
 
18    (815 ILCS 530/10)
19    Sec. 10. Notice of Breach.
20    (a) Any data collector that owns or licenses personal
21information, excluding geolocation information and consumer
22marketing information, concerning an Illinois resident shall
23notify the resident at no charge that there has been a breach
24of the security of the system data following discovery or
25notification of the breach. The disclosure notification shall

 

 

09900SB1833sam002- 5 -LRB099 09064 JLS 34170 a

1be made in the most expedient time possible and without
2unreasonable delay, consistent with any measures necessary to
3determine the scope of the breach and restore the reasonable
4integrity, security, and confidentiality of the data system.
5The disclosure notification to an Illinois resident shall
6include, but need not be limited to, information as follows:
7        (1) With respect to personal information as defined in
8    Section 5 in paragraph (1) of the definition of "personal
9    information":
10            (A) (i) the toll-free numbers and addresses for
11        consumer reporting agencies; ,
12            (B) (ii) the toll-free number, address, and
13        website address for the Federal Trade Commission; , and
14            (C) (iii) a statement that the individual can
15        obtain information from these sources about fraud
16        alerts and security freezes.
17    The notification shall not, however, include information
18concerning the number of Illinois residents affected by the
19breach.
20        (2) With respect to personal information defined in
21    Section 5 in paragraph (2) of the definition of "personal
22    information", notice may be provided in electronic or other
23    form directing the Illinois resident whose personal
24    information has been breached to promptly change his or her
25    username or password and security question or answer, as
26    applicable, or to take other steps appropriate to protect

 

 

09900SB1833sam002- 6 -LRB099 09064 JLS 34170 a

1    all online accounts for which the resident uses the same
2    user name or email address and password or security
3    question and answer.
4    (b) Any data collector that maintains or stores, but does
5not own or license, computerized data that includes personal
6information that the data collector does not own or license
7shall notify the owner or licensee of the information of any
8breach of the security of the data immediately following
9discovery, if the personal information was, or is reasonably
10believed to have been, acquired by an unauthorized person. In
11addition to providing such notification to the owner or
12licensee, the data collector shall cooperate with the owner or
13licensee in matters relating to the breach. That cooperation
14shall include, but need not be limited to, (i) informing the
15owner or licensee of the breach, including giving notice of the
16date or approximate date of the breach and the nature of the
17breach, and (ii) informing the owner or licensee of any steps
18the data collector has taken or plans to take relating to the
19breach. The data collector's cooperation shall not, however, be
20deemed to require either the disclosure of confidential
21business information or trade secrets or the notification of an
22Illinois resident who may have been affected by the breach.
23    (b-5) The notification to an Illinois resident required by
24subsection (a) of this Section may be delayed if an appropriate
25law enforcement agency determines that notification will
26interfere with a criminal investigation and provides the data

 

 

09900SB1833sam002- 7 -LRB099 09064 JLS 34170 a

1collector with a written request for the delay. However, the
2data collector must notify the Illinois resident as soon as
3notification will no longer interfere with the investigation.
4    (c) For purposes of this Section, notice to consumers may
5be provided by one of the following methods:
6        (1) written notice;
7        (2) electronic notice, if the notice provided is
8    consistent with the provisions regarding electronic
9    records and signatures for notices legally required to be
10    in writing as set forth in Section 7001 of Title 15 of the
11    United States Code; or
12        (3) substitute notice, if the data collector
13    demonstrates that the cost of providing notice would exceed
14    $250,000 or that the affected class of subject persons to
15    be notified exceeds 500,000, or the data collector does not
16    have sufficient contact information. Substitute notice
17    shall consist of all of the following: (i) email notice if
18    the data collector has an email address for the subject
19    persons; (ii) conspicuous posting of the notice on the data
20    collector's web site page if the data collector maintains
21    one; and (iii) notification to major statewide media or, if
22    the breach impacts residents in one geographic area, to
23    prominent local media in areas where affected individuals
24    are likely to reside if such notice is reasonably
25    calculated to give actual notice to persons whom notice is
26    required.

 

 

09900SB1833sam002- 8 -LRB099 09064 JLS 34170 a

1    (d) Notwithstanding any other subsection in this Section, a
2data collector that maintains its own notification procedures
3as part of an information security policy for the treatment of
4personal information and is otherwise consistent with the
5timing requirements of this Act, shall be deemed in compliance
6with the notification requirements of this Section if the data
7collector notifies subject persons in accordance with its
8policies in the event of a breach of the security of the system
9data.
10    (e) Notice to Attorney General.
11        (1) Any data collector that suffers a single breach of
12    the security of the data concerning the personal
13    information of more than 250 Illinois residents shall
14    provide notice to the Attorney General of the breach,
15    including:
16            (A) A description of the personal information
17        compromised in the breach.
18            (B) The number of Illinois residents affected by
19        such incident at the time of notification.
20            (C) Any steps the data collector has taken or plans
21        to take relating to notification of the breach to
22        consumers.
23            (D) The date and timeframe of the breach, if known
24        at the time notification is provided.
25        Such notification must be made within 30 business days
26    of the data collector's discovery of the security breach or

 

 

09900SB1833sam002- 9 -LRB099 09064 JLS 34170 a

1    2 days before the data collector provides any notice to
2    consumers required by this Section, whichever is sooner,
3    unless the data collector has good cause for reasonable
4    delay to determine the scope of the breach and restore the
5    integrity, security, and confidentiality of the data
6    system, or when law enforcement requests in writing to
7    withhold disclosure of some or all of the information
8    required in the notification under this Section. If the
9    date or timeframe of the breach is unknown at the time the
10    notice is sent to the Attorney General, the data collector
11    shall send the Attorney General the date or timeframe of
12    the breach as soon as possible.
13        (2) Any data collector that maintains or stores, but
14    does not own or license, computerized data that includes
15    personal information that suffers a single breach of the
16    security of the data concerning the personal information of
17    more than 250 Illinois residents shall notify the Attorney
18    General of the following:
19            (A) A description of the personal information
20        compromised in the breach.
21            (B) The number of Illinois residents affected by
22        such incident at the time of notification.
23            (C) Any steps the data collector has taken or plans
24        to take relating to notification of the owner or
25        licensee of the breach and what measures, if any, the
26        data collector has taken to notify Illinois residents.

 

 

09900SB1833sam002- 10 -LRB099 09064 JLS 34170 a

1            (D) The date and timeframe of the breach, if known
2        at the time notification is provided.
3        Such notification must be made within 30 business days
4    of the data collector's discovery of the security breach or
5    when the data collector provides notice to the owner or
6    licensee of the information pursuant to this Section,
7    whichever is sooner, unless the data collector has good
8    cause for reasonable delay to determine the scope of the
9    breach and restore the integrity, security, and
10    confidentiality of the data system, or when law enforcement
11    requests in writing to withhold disclosure of some or all
12    of the information required in the notification under this
13    Section. If the date or timeframe of the breach is unknown
14    at the time the notice is sent to the Attorney General, the
15    data collector shall send the Attorney General the date or
16    timeframe of the breach as soon as possible.
17    (f) A data collector that suffers a breach subject to the
18breach notification standards established pursuant to the
19federal Health Information Technology Act, 42 U.S.C. Section
2017932, shall be deemed to be in compliance with the provisions
21of this Section if that data collector does the following: (1)
22provides notification to individuals in compliance with the
23federal Health Information Technology Act and implementing
24regulations and (2) provides notification to the Attorney
25General pursuant to subsection (e).
26(Source: P.A. 97-483, eff. 1-1-12.)
 

 

 

09900SB1833sam002- 11 -LRB099 09064 JLS 34170 a

1    (815 ILCS 530/45 new)
2    Sec. 45. Data security.
3    (a) A data collector that owns or licenses, or maintains or
4stores but does not own or license, records that contain
5personal information concerning an Illinois resident shall
6implement and maintain reasonable security measures to protect
7those records from unauthorized access, acquisition,
8destruction, use, modification, or disclosure.
9    (b) A contract for the disclosure of personal information
10concerning an Illinois resident that is maintained by a data
11collector must include a provision requiring the person to whom
12the information is disclosed to implement and maintain
13reasonable security measures to protect those records from
14unauthorized access, acquisition, destruction, use,
15modification, or disclosure.
16    (c) If a state or federal law requires a data collector to
17provide greater protection to records that contain personal
18information concerning an Illinois resident that are
19maintained by the data collector and the data collector is in
20compliance with the provisions of that state or federal law,
21the data collector shall be deemed to be in compliance with the
22provisions of this Section.
23    (d) A data collector that is subject to and in compliance
24with the security standards for the protection of electronic
25health information, 45 C.F.R. Parts 160 and 164, established

 

 

09900SB1833sam002- 12 -LRB099 09064 JLS 34170 a

1pursuant to the federal Health Insurance Portability and
2Accountability Act of 1996 shall be deemed to be in compliance
3with the provisions of this Section.
4    (e) A data collector that is subject to and in compliance
5with the standards established pursuant to Section 501(b) of
6the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801,
7shall be deemed to be in compliance with the provisions of this
8Section.
 
9    (815 ILCS 530/50 new)
10    Sec. 50. Posting of privacy policy.
11    (a) As used in this Section:
12    "Conspicuously post" means posting the privacy policy
13through any of the following:
14        (1) A Web page on which the actual privacy policy is
15    posted if the Web page is the homepage or first significant
16    page after entering the Web site.
17        (2) An icon that hyperlinks to a Web page on which the
18    actual privacy policy is posted, if the icon is located on
19    the homepage or the first significant page after entering
20    the Web site, and if the icon contains the word "privacy".
21    The icon shall also use a color that contrasts with the
22    background color of the Web page or is otherwise
23    distinguishable.
24        (3) A text link that hyperlinks to a Web page on which
25    the actual privacy policy is posted, if the text link is

 

 

09900SB1833sam002- 13 -LRB099 09064 JLS 34170 a

1    located on the homepage or first significant page after
2    entering the Web site, and if the text link does one of the
3    following:
4            (A) Includes the word "privacy".
5            (B) Is written in capital letters equal to or
6        greater in size than the surrounding text.
7            (C) Is written in larger type than the surrounding
8        text, or in contrasting type, font, or color to the
9        surrounding text of the same size, or set off from the
10        surrounding text of the same size by symbols or other
11        marks that call attention to the language.
12        (4) Any other functional hyperlink that is displayed in
13    a noticeable manner.
14        (5) In the case of an online service, any other
15    reasonably accessible means of making the privacy policy
16    available for a consumer of the online service.
17    "Operator" means any person or entity that owns a Web site
18located on the Internet or an online service that collects and
19maintains personal information from a consumer residing in
20Illinois who uses or visits the Web site or online service if
21the Web site or online service is operated for commercial
22purposes. It does not include any third party that operates,
23hosts, or manages, but does not own, a Web site or online
24service on the owner's behalf or by processing information on
25behalf of the owner.
26    (b) An operator of a commercial Web site or online service

 

 

09900SB1833sam002- 14 -LRB099 09064 JLS 34170 a

1that collects personal information through the Internet about
2individual consumers residing in Illinois who use or visit its
3commercial Web site or online service shall conspicuously post
4its privacy policy on its Web site or online service. An
5operator shall be in violation of this subdivision only if the
6operator fails to post its policy within 30 days after being
7notified of noncompliance.
8    (c) The privacy policy required by subsection (b) shall, at
9a minimum, do the following:
10        (1) Identify the categories of personal information
11    that the operator collects through the Web site or online
12    service about individual consumers who use or visit its
13    commercial Web site or online service and the categories of
14    third-party persons or entities with whom the operator may
15    share that personal information.
16        (2) If the operator maintains a process for an
17    individual consumer who uses or visits its commercial Web
18    site or online service to review and request changes to any
19    of his or her personal information that is collected
20    through the Web site or online service, provide a
21    description of that process.
22        (3) Describe the process by which the operator notifies
23    consumers who use or visit its commercial Web site or
24    online service of material changes to the operator's
25    privacy policy for that Web site or online service.
26        (4) Identify its effective date.

 

 

09900SB1833sam002- 15 -LRB099 09064 JLS 34170 a

1        (5) Disclose how the operator responds to Web browser
2    "do not track" signals or other mechanisms that provide
3    consumers the ability to exercise choice regarding the
4    collection of personal information about an individual
5    consumer's online activities over time and across
6    third-party Web sites or online services, if the operator
7    engages in that collection.
8        (6) Disclose whether other parties may collect
9    personal information about an individual consumer's online
10    activities over time and across different Web sites or
11    online services when a consumer uses the operator's Web
12    site or online service.
13    An operator may satisfy the requirement of paragraph (5) by
14providing a clear and conspicuous hyperlink in the operator's
15privacy policy to an online location containing a description,
16including the effects, of any program or protocol the operator
17follows that offers the consumer that choice.".