Bill Text: IL HB2871 | 2019-2020 | 101st General Assembly | Introduced
Bill Title: Creates the Data Broker Registration Act. Requires a data broker to annually register with the Secretary of State. Defines "data broker" as a business or unit of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. Provides registration requirements, the duties a data broker has to protect personally identifiable information, and the requirements for an information security program. Effective January 1, 2020.
Spectrum: Partisan Bill (Democrat 2-0)
Status: (Introduced - Dead) 2019-03-29 - Rule 19(a) / Re-referred to Rules Committee [HB2871 Detail]
Download: Illinois-2019-HB2871-Introduced.html
| |||||||||||||||||||||||||
| |||||||||||||||||||||||||
| |||||||||||||||||||||||||
| |||||||||||||||||||||||||
| |||||||||||||||||||||||||
1 | AN ACT concerning regulation.
| ||||||||||||||||||||||||
2 | Be it enacted by the People of the State of Illinois,
| ||||||||||||||||||||||||
3 | represented in the General Assembly:
| ||||||||||||||||||||||||
4 | Section 1. Short title. This Act may be cited as the Data | ||||||||||||||||||||||||
5 | Broker Registration Act.
| ||||||||||||||||||||||||
6 | Section 5. Definitions. | ||||||||||||||||||||||||
7 | "Brokered personal information" means one or more of the | ||||||||||||||||||||||||
8 | following computerized data elements about a consumer, if | ||||||||||||||||||||||||
9 | categorized or organized for dissemination to third parties: | ||||||||||||||||||||||||
10 | (1) name; | ||||||||||||||||||||||||
11 | (2) address; | ||||||||||||||||||||||||
12 | (3) date of birth; | ||||||||||||||||||||||||
13 | (4) place of birth; | ||||||||||||||||||||||||
14 | (5) mother's maiden name; | ||||||||||||||||||||||||
15 | (6) unique biometric data generated from measurements | ||||||||||||||||||||||||
16 | or technical analysis of human body characteristics used by | ||||||||||||||||||||||||
17 | the owner or licensee of the data to identify or | ||||||||||||||||||||||||
18 | authenticate the consumer, such as a fingerprint, retina or | ||||||||||||||||||||||||
19 | iris image, or other unique physical representation or | ||||||||||||||||||||||||
20 | digital representation of biometric data; | ||||||||||||||||||||||||
21 | (7) name or address of a member of the consumer's | ||||||||||||||||||||||||
22 | immediate family or household; | ||||||||||||||||||||||||
23 | (8) social security number or other government-issued |
| |||||||
| |||||||
1 | identification number; or | ||||||
2 | (9) other information that, alone or in combination | ||||||
3 | with the other information sold or licensed, would allow a | ||||||
4 | reasonable person to identify the consumer with reasonable | ||||||
5 | certainty. | ||||||
6 | "Brokered personal information" does not include publicly | ||||||
7 | available information to the extent that it is related to a | ||||||
8 | consumer's business or profession. | ||||||
9 | "Data broker" means a business or unit of a business, | ||||||
10 | separately or together, that knowingly collects and sells or | ||||||
11 | licenses to third parties the brokered personal information of | ||||||
12 | a consumer with whom the business does not have a direct | ||||||
13 | relationship. | ||||||
14 | "Data broker security breach" means an unauthorized | ||||||
15 | acquisition or a reasonable belief of an unauthorized | ||||||
16 | acquisition of more than one element of brokered personal | ||||||
17 | information maintained by a data broker when the brokered | ||||||
18 | personal information is not encrypted, redacted, or protected | ||||||
19 | by another method that renders the information unreadable or | ||||||
20 | unusable by an unauthorized person. "Data broker security | ||||||
21 | breach" does not include good faith but unauthorized | ||||||
22 | acquisition of brokered personal information by an employee or | ||||||
23 | agent of the data broker for a legitimate purpose of the data | ||||||
24 | broker if the brokered personal information is not used for a | ||||||
25 | purpose unrelated to the data broker's business or subject to | ||||||
26 | further unauthorized disclosure.
|
| |||||||
| |||||||
1 | Section 10. Annual registration. | ||||||
2 | (a) Annually, on or before January 31 following a year in | ||||||
3 | which a person meets the definition of "data broker", a data | ||||||
4 | broker shall: | ||||||
5 | (1) register with the Secretary of State; | ||||||
6 | (2) pay a registration fee of $100; and | ||||||
7 | (3) provide the following information: | ||||||
8 | (A) the name and primary physical, email, and | ||||||
9 | Internet addresses of the data broker; | ||||||
10 | (B) if the data broker permits a consumer to opt | ||||||
11 | out of the data broker's collection of brokered | ||||||
12 | personal information, opt out of its databases, or opt | ||||||
13 | out of certain sales of data: | ||||||
14 | (i) the method for requesting an opt-out; | ||||||
15 | (ii) if the opt-out applies to only certain | ||||||
16 | activities or sales, which ones; and | ||||||
17 | (iii) whether the data broker permits a | ||||||
18 | consumer to authorize a third party to perform the | ||||||
19 | opt-out on the consumer's behalf; | ||||||
20 | (C) a statement specifying the data collection, | ||||||
21 | databases, or sales activities from which a consumer | ||||||
22 | may not opt out; | ||||||
23 | (D) a statement whether the data broker implements | ||||||
24 | a purchaser credentialing process; | ||||||
25 | (E) the number of data broker security breaches |
| |||||||
| |||||||
1 | that the data broker has experienced during the prior | ||||||
2 | year, and if known, the total number of consumers | ||||||
3 | affected by the breaches; | ||||||
4 | (F) where the data broker has actual knowledge that | ||||||
5 | it possesses the brokered personal information of | ||||||
6 | minors, a separate statement detailing the data | ||||||
7 | collection practices, databases, sales activities, and | ||||||
8 | opt-out policies that are applicable to the brokered | ||||||
9 | personal information of minors; and | ||||||
10 | (G) any additional information or explanation the | ||||||
11 | data broker chooses to provide concerning its data | ||||||
12 | collection practices. | ||||||
13 | (b) A data broker that fails to register under subsection | ||||||
14 | (a) is liable to the State for: | ||||||
15 | (1) a civil penalty of $50 for each day, not to exceed | ||||||
16 | a total of $10,000 for each year, it fails to register | ||||||
17 | under this Section; | ||||||
18 | (2) an amount equal to the fees due under this Section | ||||||
19 | during the period it failed to register under this Section; | ||||||
20 | and | ||||||
21 | (3) other penalties imposed by law. | ||||||
22 | (c) The Attorney General may maintain an action in circuit | ||||||
23 | court to collect the penalties imposed in this Section and to | ||||||
24 | seek appropriate injunctive relief.
| ||||||
25 | Section 15. Duty to protect personally identifiable |
| |||||||
| |||||||
1 | information. | ||||||
2 | (a) A data broker shall develop, implement, and maintain a | ||||||
3 | comprehensive information security program that is written in | ||||||
4 | one or more readily accessible parts and contains | ||||||
5 | administrative, technical, and physical safeguards that are | ||||||
6 | appropriate to: | ||||||
7 | (1) the size, scope, and type of business of the data | ||||||
8 | broker obligated to safeguard the personally identifiable | ||||||
9 | information under such comprehensive information security | ||||||
10 | program; | ||||||
11 | (2) the amount of resources available to the data | ||||||
12 | broker; | ||||||
13 | (3) the amount of stored data; and | ||||||
14 | (4) the need for security and confidentiality of | ||||||
15 | personally identifiable information. | ||||||
16 | (b) A data broker subject to this Section shall adopt | ||||||
17 | safeguards in the comprehensive security program that are | ||||||
18 | consistent with the safeguards for protection of personally | ||||||
19 | identifiable information and information of a similar | ||||||
20 | character set forth in other State rules or federal regulations | ||||||
21 | applicable to the data broker.
| ||||||
22 | Section 20. Information security program; minimum | ||||||
23 | features. A comprehensive information security program shall, | ||||||
24 | at minimum, have the following features: | ||||||
25 | (1) designation of one or more employees to maintain |
| |||||||
| |||||||
1 | the program; | ||||||
2 | (2) identification and assessment of reasonably | ||||||
3 | foreseeable internal and external risks to the security, | ||||||
4 | confidentiality, and integrity of any electronic, paper, | ||||||
5 | or other records containing personally identifiable | ||||||
6 | information and a process for evaluating and improving, | ||||||
7 | where necessary, the effectiveness of the current | ||||||
8 | safeguards for limiting such risks, including: | ||||||
9 | (A) ongoing employee training, including training | ||||||
10 | for temporary and contract employees; | ||||||
11 | (B) employee compliance with policies and | ||||||
12 | procedures; and | ||||||
13 | (C) means for detecting and preventing security | ||||||
14 | system failures; | ||||||
15 | (3) security policies for employees relating to the | ||||||
16 | storage, access, and transportation of records containing | ||||||
17 | personally identifiable information outside business | ||||||
18 | premises; | ||||||
19 | (4) disciplinary measures for violations of the | ||||||
20 | comprehensive information security program rules; | ||||||
21 | (5) measures that prevent terminated employees from | ||||||
22 | accessing records containing personally identifiable | ||||||
23 | information; | ||||||
24 | (6) supervision of service providers by: | ||||||
25 | (A) taking reasonable steps to select and retain | ||||||
26 | third-party service providers that are capable of |
| |||||||
| |||||||
1 | maintaining appropriate security measures to protect | ||||||
2 | personally identifiable information consistent with | ||||||
3 | applicable law; and | ||||||
4 | (B) requiring third-party service providers by | ||||||
5 | contract to implement and maintain appropriate | ||||||
6 | security measures for personally identifiable | ||||||
7 | information; | ||||||
8 | (7) reasonable restrictions upon physical access to | ||||||
9 | records containing personally identifiable information and | ||||||
10 | storage of the records and data in locked facilities, | ||||||
11 | storage areas, or containers; | ||||||
12 | (8) regular monitoring to ensure that the | ||||||
13 | comprehensive information security program is operating in | ||||||
14 | a manner reasonably calculated to prevent unauthorized | ||||||
15 | access to or unauthorized use of personally identifiable | ||||||
16 | information; and upgrading information safeguards as | ||||||
17 | necessary to limit risks; | ||||||
18 | (9) regular review of the scope of the security | ||||||
19 | measures: | ||||||
20 | (A) at least annually; or | ||||||
21 | (B) whenever there is a material change in business | ||||||
22 | practices that may reasonably implicate the security | ||||||
23 | or integrity of records containing personally | ||||||
24 | identifiable information; and | ||||||
25 | (10) documentation of responsive actions taken in | ||||||
26 | connection with any incident involving a breach of |
| |||||||
| |||||||
1 | security; and mandatory post-incident review of events and | ||||||
2 | actions taken, if any, to make changes in business | ||||||
3 | practices relating to protection of personally | ||||||
4 | identifiable information.
| ||||||
5 | Section 25. Information security program; computer system | ||||||
6 | security requirements. A comprehensive information security | ||||||
7 | program required by this Act shall, at minimum, and to the | ||||||
8 | extent technically feasible, have the following elements: | ||||||
9 | (1) secure user authentication protocols, as follows: | ||||||
10 | (A) an authentication protocol that has the | ||||||
11 | following features: | ||||||
12 | (i) control of user IDs and other identifiers; | ||||||
13 | (ii) a reasonably secure method of assigning | ||||||
14 | and selecting passwords or use of unique | ||||||
15 | identifier technologies, such as biometrics or | ||||||
16 | token devices; | ||||||
17 | (iii) control of data security passwords to | ||||||
18 | ensure that such passwords are kept in a location | ||||||
19 | and format that do not compromise the security of | ||||||
20 | the data they protect; | ||||||
21 | (iv) restricting access to only active users | ||||||
22 | and active user accounts; and | ||||||
23 | (v) blocking access to user identification | ||||||
24 | after multiple unsuccessful attempts to gain | ||||||
25 | access; or |
| |||||||
| |||||||
1 | (B) an authentication protocol that provides a | ||||||
2 | higher level of security than the features specified in | ||||||
3 | subparagraph (A). | ||||||
4 | (2) secure access control measures that: | ||||||
5 | (A) restrict access to records and files | ||||||
6 | containing personally identifiable information to | ||||||
7 | those who need such information to perform their job | ||||||
8 | duties; and | ||||||
9 | (B) assign to each person with computer access | ||||||
10 | unique identifications plus passwords, which are not | ||||||
11 | vendor-supplied default passwords, that are reasonably | ||||||
12 | designed to maintain the integrity of the security of | ||||||
13 | the access controls or a protocol that provides a | ||||||
14 | higher degree of security; | ||||||
15 | (3) encryption of all transmitted records and files | ||||||
16 | containing personally identifiable information that will | ||||||
17 | travel across public networks and encryption of all data | ||||||
18 | containing personally identifiable information to be | ||||||
19 | transmitted wirelessly or a protocol that provides a higher | ||||||
20 | degree of security; | ||||||
21 | (4) reasonable monitoring of systems for unauthorized | ||||||
22 | use of or access to personally identifiable information; | ||||||
23 | (5) encryption of all personally identifiable | ||||||
24 | information stored on laptops or other portable devices or | ||||||
25 | a protocol that provides a higher degree of security; | ||||||
26 | (6) for files containing personally identifiable |
| |||||||
| |||||||
1 | information on a system that is connected to the Internet, | ||||||
2 | reasonably up-to-date firewall protection and operating | ||||||
3 | system security patches that are reasonably designed to | ||||||
4 | maintain the integrity of the personally identifiable | ||||||
5 | information or a protocol that provides a higher degree of | ||||||
6 | security; | ||||||
7 | (7) reasonably up-to-date versions of system security | ||||||
8 | agent software that must include malware protection and | ||||||
9 | reasonably up-to-date patches and virus definitions, or a | ||||||
10 | version of such software that can still be supported with | ||||||
11 | up-to-date patches and virus definitions and is set to | ||||||
12 | receive the most current security updates on a regular | ||||||
13 | basis or a protocol that provides a higher degree of | ||||||
14 | security; and | ||||||
15 | (8) education and training of employees on the proper | ||||||
16 | use of the computer security system and the importance of | ||||||
17 | personally identifiable information security.
| ||||||
18 | Section 99. Effective date. This Act takes effect January | ||||||
19 | 1, 2020.
|