Full Text of HB3412 102nd General Assembly
HB3412 102ND GENERAL ASSEMBLY |
| | 102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022 HB3412 Introduced 2/22/2021, by Rep. Janet Yang Rohr SYNOPSIS AS INTRODUCED: |
| |
Amends the Personal Information Protection Act. Provides that if there is a breach of the security of system data, a data collector must notify the Attorney General in addition to the Illinois resident to whom the breach relates. Requires the notice to be provided no later than 5 days after the breach.
|
| |
| | A BILL FOR |
|
| | | HB3412 | | LRB102 12757 JLS 18096 b |
|
| 1 | | AN ACT concerning business.
| 2 | | Be it enacted by the People of the State of Illinois,
| 3 | | represented in the General Assembly:
| 4 | | Section 5. The Personal Information Protection Act is | 5 | | amended by changing Section 10 as follows: | 6 | | (815 ILCS 530/10) | 7 | | Sec. 10. Notice of breach; notice to Attorney General. | 8 | | (a) Any data collector that owns or licenses personal | 9 | | information concerning an Illinois resident shall notify the | 10 | | Attorney General and the
resident at no charge that there has | 11 | | been a breach of the security of the
system data following | 12 | | discovery or notification of the breach.
The disclosure | 13 | | notification shall be made in the most
expedient time | 14 | | possible , but no later than 5 days after the breach and without | 15 | | unreasonable delay,
consistent with any measures necessary to | 16 | | determine the
scope of the breach and restore the reasonable | 17 | | integrity,
security, and confidentiality of the data system . | 18 | | The disclosure notification to an Illinois resident shall | 19 | | include, but need not be limited to, information as follows: | 20 | | (1) With respect to personal information as defined in | 21 | | Section 5 in paragraph (1) of the definition of "personal | 22 | | information": | 23 | | (A) the toll-free numbers and addresses for |
| | | HB3412 | - 2 - | LRB102 12757 JLS 18096 b |
|
| 1 | | consumer reporting agencies; | 2 | | (B) the toll-free number, address, and website | 3 | | address for the Federal Trade Commission; and | 4 | | (C) a statement that the individual can obtain | 5 | | information from these sources about fraud alerts and | 6 | | security freezes. | 7 | | (2) With respect to personal information defined in | 8 | | Section 5 in paragraph (2) of the definition of "personal | 9 | | information", notice may be provided in electronic or | 10 | | other form directing the Illinois resident whose personal | 11 | | information has been breached to promptly change his or | 12 | | her user name or password and security question or answer, | 13 | | as applicable, or to take other steps appropriate to | 14 | | protect all online accounts for which the resident uses | 15 | | the same user name or email address and password or | 16 | | security question and answer. | 17 | | The notification shall not, however, include information | 18 | | concerning the number of Illinois residents affected by the | 19 | | breach. | 20 | | (b) Any data collector that maintains or stores, but does | 21 | | not own or license, computerized data that
includes personal | 22 | | information that the data collector does not own or license | 23 | | shall notify the Attorney General and the owner or licensee of | 24 | | the information of any breach of the security of the data | 25 | | immediately following discovery, if the personal information | 26 | | was, or is reasonably believed to have been, acquired by
an |
| | | HB3412 | - 3 - | LRB102 12757 JLS 18096 b |
|
| 1 | | unauthorized person. In addition to providing such | 2 | | notification to the owner or licensee, the data collector | 3 | | shall cooperate with the owner or licensee in matters relating | 4 | | to the breach. That cooperation shall include, but need not be | 5 | | limited to, (i) informing the owner or licensee of the breach, | 6 | | including giving notice of the date or approximate date of the | 7 | | breach and the nature of the breach, and (ii) informing the | 8 | | owner or licensee of any steps the data collector has taken or | 9 | | plans to take relating to the breach. The data collector's | 10 | | cooperation shall not, however, be deemed to require either | 11 | | the disclosure of confidential business information or trade | 12 | | secrets or the notification of an Illinois resident who may | 13 | | have been affected by the breach.
| 14 | | (b-5) The notification to an Illinois resident required by | 15 | | subsection (a) of this Section may be delayed if an | 16 | | appropriate law enforcement agency determines that | 17 | | notification will interfere with a criminal investigation and | 18 | | provides the data collector with a written request for the | 19 | | delay. However, the data collector must notify the Illinois | 20 | | resident as soon as notification will no longer interfere with | 21 | | the investigation.
| 22 | | (c) For purposes of this Section, notice to consumers may | 23 | | be provided by one of the following methods:
| 24 | | (1) written notice; | 25 | | (2) electronic notice, if the notice provided is
| 26 | | consistent with the provisions regarding electronic
|
| | | HB3412 | - 4 - | LRB102 12757 JLS 18096 b |
|
| 1 | | records and signatures for notices legally required to be
| 2 | | in writing as set forth in Section 7001 of Title 15 of the | 3 | | United States Code;
or | 4 | | (3) substitute notice, if the data collector
| 5 | | demonstrates that the cost of providing notice would | 6 | | exceed
$250,000 or that the affected class of subject | 7 | | persons to be notified exceeds 500,000, or the data | 8 | | collector does not
have sufficient contact information. | 9 | | Substitute notice shall consist of all of the following: | 10 | | (i) email notice if the data collector has an email | 11 | | address for the subject persons; (ii) conspicuous posting | 12 | | of the notice on the data
collector's web site page if the | 13 | | data collector maintains
one; and (iii) notification to | 14 | | major statewide media or, if the breach impacts residents | 15 | | in one geographic area, to prominent local media in areas | 16 | | where affected individuals are likely to reside if such | 17 | | notice is reasonably calculated to give actual notice to | 18 | | persons whom notice is required. | 19 | | (d) Notwithstanding any other subsection in this Section, | 20 | | a data collector
that maintains its own notification | 21 | | procedures as part of an
information security policy for the | 22 | | treatment of personal
information and is otherwise consistent | 23 | | with the timing requirements of this Act, shall be deemed in | 24 | | compliance
with the notification requirements of this Section | 25 | | if the
data collector notifies subject persons in accordance | 26 | | with its policies in the event of a breach of the security of |
| | | HB3412 | - 5 - | LRB102 12757 JLS 18096 b |
|
| 1 | | the system data.
| 2 | | (e)(1) This subsection does not apply to data collectors | 3 | | that are covered entities or business associates and are in | 4 | | compliance with Section 50. | 5 | | (2) Any data collector required to issue notice pursuant | 6 | | to this Section to more than 500 Illinois residents as a result | 7 | | of a single breach of the security system shall provide notice | 8 | | to the Attorney General of the breach, including: | 9 | | (A) A description of the nature of the breach of | 10 | | security or unauthorized acquisition
or use. | 11 | | (B) The number of Illinois residents affected by such | 12 | | incident at the time of notification. | 13 | | (C) Any steps the data collector has taken or plans to | 14 | | take relating to the incident. | 15 | | Such notification must be made in the most expedient time | 16 | | possible and without unreasonable delay but in no event later | 17 | | than when the data collector provides notice to consumers | 18 | | pursuant to this Section. If the date of the breach is unknown | 19 | | at the time the notice is sent to the Attorney General, the | 20 | | data collector shall send the Attorney General the date of the | 21 | | breach as soon as possible. | 22 | | Upon receiving notification from a data collector of a | 23 | | breach of personal information, the Attorney General may | 24 | | publish the name of the data collector that suffered the | 25 | | breach, the types of personal information compromised in the | 26 | | breach, and the date range of the breach. |
| | | HB3412 | - 6 - | LRB102 12757 JLS 18096 b |
|
| 1 | | (Source: P.A. 100-201, eff. 8-18-17; 101-343, eff. 1-1-20.)
|
|