Public Act 099-0503
 
HB1260 Enrolled LRB099 05116 JLS 25145 b

    AN ACT concerning business.
 
    Be it enacted by the People of the State of Illinois,
represented in the General Assembly:
 
    Section 5. The Personal Information Protection Act is
amended by changing Sections 5, 10, and 12 and adding Sections
45 and 50 as follows:
 
    (815 ILCS 530/5)
    Sec. 5. Definitions. In this Act:
    "Data Collector" may include, but is not limited to,
government agencies, public and private universities,
privately and publicly held corporations, financial
institutions, retail operators, and any other entity that, for
any purpose, handles, collects, disseminates, or otherwise
deals with nonpublic personal information.
    "Breach of the security of the system data" or "breach"
means unauthorized acquisition of computerized data that
compromises the security, confidentiality, or integrity of
personal information maintained by the data collector. "Breach
of the security of the system data" does not include good faith
acquisition of personal information by an employee or agent of
the data collector for a legitimate purpose of the data
collector, provided that the personal information is not used
for a purpose unrelated to the data collector's business or
subject to further unauthorized disclosure.
    "Health insurance information" means an individual's
health insurance policy number or subscriber identification
number, any unique identifier used by a health insurer to
identify the individual, or any medical information in an
individual's health insurance application and claims history,
including any appeals records.
    "Medical information" means any information regarding an
individual's medical history, mental or physical condition, or
medical treatment or diagnosis by a healthcare professional,
including such information provided to a website or mobile
application.
    "Personal information" means either of the following:
        (1) an individual's first name or first initial and
    last name in combination with any one or more of the
    following data elements, when either the name or the data
    elements are not encrypted or redacted or are encrypted or
    redacted but the keys to unencrypt or unredact or otherwise
    read the name or data elements have been acquired without
    authorization through the breach of security:
            (A) Social Security number.
            (B) Driver's license number or State
        identification card number.
            (C) Account number or credit or debit card
        number, or an account number or credit card number in
        combination with any required security code, access
        code, or password that would permit access to an
        individual's financial account.
            (D) Medical information.
            (E) Health insurance information.
            (F) Unique biometric data generated from
        measurements or technical analysis of human body
        characteristics used by the owner or licensee to
        authenticate an individual, such as a fingerprint,
        retina or iris image, or other unique physical
        representation or digital representation of biometric
        data.
        (2) user name or email address, in combination with a
    password or security question and answer that would permit
    access to an online account, when either the user name or
    email address or password or security question and answer
    are not encrypted or redacted or are encrypted or redacted
    but the keys to unencrypt or unredact or otherwise read the
    data elements have been obtained through the breach of
    security.
    "Personal information" does not include publicly available
information that is lawfully made available to the general
public from federal, State, or local government records.
(Source: P.A. 97-483, eff. 1-1-12.)
 
    (815 ILCS 530/10)
    Sec. 10. Notice of Breach.
    (a) Any data collector that owns or licenses personal
information concerning an Illinois resident shall notify the
resident at no charge that there has been a breach of the
security of the system data following discovery or notification
of the breach. The disclosure notification shall be made in the
most expedient time possible and without unreasonable delay,
consistent with any measures necessary to determine the scope
of the breach and restore the reasonable integrity, security,
and confidentiality of the data system. The disclosure
notification to an Illinois resident shall include, but need
not be limited to, information as follows:
        (1) With respect to personal information as defined in
    Section 5 in paragraph (1) of the definition of "personal
    information":
            (A) the toll-free numbers and addresses for
        consumer reporting agencies;
            (B) the toll-free number, address, and
        website address for the Federal Trade Commission; and
            (C) a statement that the individual can
        obtain information from these sources about fraud
        alerts and security freezes.
    The notification shall not, however, include information
concerning the number of Illinois residents affected by the
breach.
        (2) With respect to personal information defined in
    Section 5 in paragraph (2) of the definition of "personal
    information", notice may be provided in electronic or other
    form directing the Illinois resident whose personal
    information has been breached to promptly change his or her
    user name or password and security question or answer, as
    applicable, or to take other steps appropriate to protect
    all online accounts for which the resident uses the same
    user name or email address and password or security
    question and answer.
    (b) Any data collector that maintains or stores, but does
not own or license, computerized data that includes personal
information that the data collector does not own or license
shall notify the owner or licensee of the information of any
breach of the security of the data immediately following
discovery, if the personal information was, or is reasonably
believed to have been, acquired by an unauthorized person. In
addition to providing such notification to the owner or
licensee, the data collector shall cooperate with the owner or
licensee in matters relating to the breach. That cooperation
shall include, but need not be limited to, (i) informing the
owner or licensee of the breach, including giving notice of the
date or approximate date of the breach and the nature of the
breach, and (ii) informing the owner or licensee of any steps
the data collector has taken or plans to take relating to the
breach. The data collector's cooperation shall not, however, be
deemed to require either the disclosure of confidential
business information or trade secrets or the notification of an
Illinois resident who may have been affected by the breach.
    (b-5) The notification to an Illinois resident required by
subsection (a) of this Section may be delayed if an appropriate
law enforcement agency determines that notification will
interfere with a criminal investigation and provides the data
collector with a written request for the delay. However, the
data collector must notify the Illinois resident as soon as
notification will no longer interfere with the investigation.
    (c) For purposes of this Section, notice to consumers may
be provided by one of the following methods:
        (1) written notice;
        (2) electronic notice, if the notice provided is
    consistent with the provisions regarding electronic
    records and signatures for notices legally required to be
    in writing as set forth in Section 7001 of Title 15 of the
    United States Code; or
        (3) substitute notice, if the data collector
    demonstrates that the cost of providing notice would exceed
    $250,000 or that the affected class of subject persons to
    be notified exceeds 500,000, or the data collector does not
    have sufficient contact information. Substitute notice
    shall consist of all of the following: (i) email notice if
    the data collector has an email address for the subject
    persons; (ii) conspicuous posting of the notice on the data
    collector's web site page if the data collector maintains
    one; and (iii) notification to major statewide media or, if
    the breach impacts residents in one geographic area, to
    prominent local media in areas where affected individuals
    are likely to reside if such notice is reasonably
    calculated to give actual notice to persons whom notice is
    required.
    (d) Notwithstanding any other subsection in this Section, a
data collector that maintains its own notification procedures
as part of an information security policy for the treatment of
personal information and is otherwise consistent with the
timing requirements of this Act, shall be deemed in compliance
with the notification requirements of this Section if the data
collector notifies subject persons in accordance with its
policies in the event of a breach of the security of the system
data.
(Source: P.A. 97-483, eff. 1-1-12.)
 
    (815 ILCS 530/12)
    Sec. 12. Notice of breach; State agency.
    (a) Any State agency that collects personal information
concerning an Illinois resident shall notify the resident at no
charge that there has been a breach of the security of the
system data or written material following discovery or
notification of the breach. The disclosure notification shall
be made in the most expedient time possible and without
unreasonable delay, consistent with any measures necessary to
determine the scope of the breach and restore the reasonable
integrity, security, and confidentiality of the data system.
The disclosure notification to an Illinois resident shall
include, but need not be limited to information as follows:
        (1) With respect to personal information defined in
    Section 5 in paragraph (1) of the definition of "personal
    information":
            (i) the toll-free numbers and addresses for
        consumer reporting agencies;
            (ii) the toll-free number, address, and website
        address for the Federal Trade Commission; and
            (iii) a statement that the individual can obtain
        information from these sources about fraud alerts and
        security freezes.
        (2) With respect to personal information as defined in
    Section 5 in paragraph (2) of the definition of "personal
    information", notice may be provided in electronic or other
    form directing the Illinois resident whose personal
    information has been breached to promptly change his or her
    user name or password and security question or answer, as
    applicable, or to take other steps appropriate to protect
    all online accounts for which the resident uses the same
    user name or email address and password or security
    question and answer.
    The notification shall not, however, include information
concerning the number of Illinois residents affected by the
breach.
    (a-5) The notification to an Illinois resident required by
subsection (a) of this Section may be delayed if an appropriate
law enforcement agency determines that notification will
interfere with a criminal investigation and provides the State
agency with a written request for the delay. However, the State
agency must notify the Illinois resident as soon as
notification will no longer interfere with the investigation.
    (b) For purposes of this Section, notice to residents may
be provided by one of the following methods:
        (1) written notice;
        (2) electronic notice, if the notice provided is
    consistent with the provisions regarding electronic
    records and signatures for notices legally required to be
    in writing as set forth in Section 7001 of Title 15 of the
    United States Code; or
        (3) substitute notice, if the State agency
    demonstrates that the cost of providing notice would exceed
    $250,000 or that the affected class of subject persons to
    be notified exceeds 500,000, or the State agency does not
    have sufficient contact information. Substitute notice
    shall consist of all of the following: (i) email notice if
    the State agency has an email address for the subject
    persons; (ii) conspicuous posting of the notice on the
    State agency's web site page if the State agency maintains
    one; and (iii) notification to major statewide media.
    (c) Notwithstanding subsection (b), a State agency that
maintains its own notification procedures as part of an
information security policy for the treatment of personal
information and is otherwise consistent with the timing
requirements of this Act shall be deemed in compliance with the
notification requirements of this Section if the State agency
notifies subject persons in accordance with its policies in the
event of a breach of the security of the system data or written
material.
    (d) If a State agency is required to notify more than 1,000
persons of a breach of security pursuant to this Section, the
State agency shall also notify, without unreasonable delay, all
consumer reporting agencies that compile and maintain files on
consumers on a nationwide basis, as defined by 15 U.S.C.
Section 1681a(p), of the timing, distribution, and content of
the notices. Nothing in this subsection (d) shall be construed
to require the State agency to provide to the consumer
reporting agency the names or other personal identifying
information of breach notice recipients.
    (e) Notice to Attorney General. Any State agency that
suffers a single breach of the security of the data concerning
the personal information of more than 250 Illinois residents
shall provide notice to the Attorney General of the breach,
including:
        (A) The types of personal information compromised in
    the breach.
        (B) The number of Illinois residents affected by such
    incident at the time of notification.
        (C) Any steps the State agency has taken or plans to
    take relating to notification of the breach to consumers.
        (D) The date and timeframe of the breach, if known at
    the time notification is provided.
    Such notification must be made within 45 days of the State
agency's discovery of the security breach or when the State
agency provides any notice to consumers required by this
Section, whichever is sooner, unless the State agency has good
cause for reasonable delay to determine the scope of the breach
and restore the integrity, security, and confidentiality of the
data system, or when law enforcement requests in writing to
withhold disclosure of some or all of the information required
in the notification under this Section. If the date or
timeframe of the breach is unknown at the time the notice is
sent to the Attorney General, the State agency shall send the
Attorney General the date or timeframe of the breach as soon as
possible.
(Source: P.A. 97-483, eff. 1-1-12.)
 
    (815 ILCS 530/45 new)
    Sec. 45. Data security.
    (a) A data collector that owns or licenses, or maintains or
stores but does not own or license, records that contain
personal information concerning an Illinois resident shall
implement and maintain reasonable security measures to protect
those records from unauthorized access, acquisition,
destruction, use, modification, or disclosure.
    (b) A contract for the disclosure of personal information
concerning an Illinois resident that is maintained by a data
collector must include a provision requiring the person to whom
the information is disclosed to implement and maintain
reasonable security measures to protect those records from
unauthorized access, acquisition, destruction, use,
modification, or disclosure.
    (c) If a state or federal law requires a data collector to
provide greater protection to records that contain personal
information concerning an Illinois resident that are
maintained by the data collector and the data collector is in
compliance with the provisions of that state or federal law,
the data collector shall be deemed to be in compliance with the
provisions of this Section.
    (d) A data collector that is subject to and in compliance
with the standards established pursuant to Section 501(b) of
the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801,
shall be deemed to be in compliance with the provisions of this
Section.
 
    (815 ILCS 530/50 new)
    Sec. 50. Entities subject to the federal Health Insurance
Portability and Accountability Act of 1996. Any covered entity
or business associate that is subject to and in compliance with
the privacy and security standards for the protection of
electronic health information established pursuant to the
federal Health Insurance Portability and Accountability Act of
1996 and the Health Information Technology for Economic and
Clinical Health Act shall be deemed to be in compliance with
the provisions of this Act, provided that any covered entity or
business associate required to provide notification of a breach
to the Secretary of Health and Human Services pursuant to the
Health Information Technology for Economic and Clinical Health
Act also provides such notification to the Attorney General
within 5 business days of notifying the Secretary.