Bill Text: IL HB3200 | 2019-2020 | 101st General Assembly | Introduced
Bill Title: Amends the Personal Information Protection Act. Provides that if there is a breach of the security of system data, a data collector must notify the Attorney General in addition to the Illinois resident to whom the breach relates. Requires the notice to be provided no later than 5 days after the breach.
Spectrum: Partisan Bill (Democrat 2-0)
Status: (Introduced - Dead) 2019-03-29 - House Committee Amendment No. 1 Rule 19(c) / Re-referred to Rules Committee [HB3200 Detail]
Download: Illinois-2019-HB3200-Introduced.html
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
1 | AN ACT concerning business.
| |||||||||||||||||||
2 | Be it enacted by the People of the State of Illinois,
| |||||||||||||||||||
3 | represented in the General Assembly:
| |||||||||||||||||||
4 | Section 5. The Personal Information Protection Act is | |||||||||||||||||||
5 | amended by changing Section 10 as follows:
| |||||||||||||||||||
6 | (815 ILCS 530/10) | |||||||||||||||||||
7 | Sec. 10. Notice of breach. | |||||||||||||||||||
8 | (a) Any data collector that owns or licenses personal | |||||||||||||||||||
9 | information concerning an Illinois resident shall notify the | |||||||||||||||||||
10 | Attorney General and the
resident at no charge that there has | |||||||||||||||||||
11 | been a breach of the security of the
system data following | |||||||||||||||||||
12 | discovery or notification of the breach.
The disclosure | |||||||||||||||||||
13 | notification shall be made in the most
expedient time possible , | |||||||||||||||||||
14 | but no later than 5 days after the breach and without | |||||||||||||||||||
15 | unreasonable delay,
consistent with any measures necessary to | |||||||||||||||||||
16 | determine the
scope of the breach and restore the reasonable | |||||||||||||||||||
17 | integrity,
security, and confidentiality of the data system . | |||||||||||||||||||
18 | The disclosure notification to an Illinois resident shall | |||||||||||||||||||
19 | include, but need not be limited to, information as follows: | |||||||||||||||||||
20 | (1) With respect to personal information as defined in | |||||||||||||||||||
21 | Section 5 in paragraph (1) of the definition of "personal | |||||||||||||||||||
22 | information": | |||||||||||||||||||
23 | (A) the toll-free numbers and addresses for |
| |||||||
| |||||||
1 | consumer reporting agencies; | ||||||
2 | (B) the toll-free number, address, and website | ||||||
3 | address for the Federal Trade Commission; and | ||||||
4 | (C) a statement that the individual can obtain | ||||||
5 | information from these sources about fraud alerts and | ||||||
6 | security freezes. | ||||||
7 | (2) With respect to personal information defined in | ||||||
8 | Section 5 in paragraph (2) of the definition of "personal | ||||||
9 | information", notice may be provided in electronic or other | ||||||
10 | form directing the Illinois resident whose personal | ||||||
11 | information has been breached to promptly change his or her | ||||||
12 | user name or password and security question or answer, as | ||||||
13 | applicable, or to take other steps appropriate to protect | ||||||
14 | all online accounts for which the resident uses the same | ||||||
15 | user name or email address and password or security | ||||||
16 | question and answer. | ||||||
17 | The notification shall not, however, include information | ||||||
18 | concerning the number of Illinois residents affected by the | ||||||
19 | breach. | ||||||
20 | (b) Any data collector that maintains or stores, but does | ||||||
21 | not own or license, computerized data that
includes personal | ||||||
22 | information that the data collector does not own or license | ||||||
23 | shall notify the Attorney General and the owner or licensee of | ||||||
24 | the information of any breach of the security of the data | ||||||
25 | immediately following discovery, if the personal information | ||||||
26 | was, or is reasonably believed to have been, acquired by
an |
| |||||||
| |||||||
1 | unauthorized person. In addition to providing such | ||||||
2 | notification to the owner or licensee, the data collector shall | ||||||
3 | cooperate with the owner or licensee in matters relating to the | ||||||
4 | breach. That cooperation shall include, but need not be limited | ||||||
5 | to, (i) informing the owner or licensee of the breach, | ||||||
6 | including giving notice of the date or approximate date of the | ||||||
7 | breach and the nature of the breach, and (ii) informing the | ||||||
8 | owner or licensee of any steps the data collector has taken or | ||||||
9 | plans to take relating to the breach. The data collector's | ||||||
10 | cooperation shall not, however, be deemed to require either the | ||||||
11 | disclosure of confidential business information or trade | ||||||
12 | secrets or the notification of an Illinois resident who may | ||||||
13 | have been affected by the breach.
| ||||||
14 | (b-5) The notification to an Illinois resident required by | ||||||
15 | subsection (a) of this Section may be delayed if an appropriate | ||||||
16 | law enforcement agency determines that notification will | ||||||
17 | interfere with a criminal investigation and provides the data | ||||||
18 | collector with a written request for the delay. However, the | ||||||
19 | data collector must notify the Illinois resident as soon as | ||||||
20 | notification will no longer interfere with the investigation.
| ||||||
21 | (c) For purposes of this Section, notice to consumers may | ||||||
22 | be provided by one of the following methods:
| ||||||
23 | (1) written notice; | ||||||
24 | (2) electronic notice, if the notice provided is
| ||||||
25 | consistent with the provisions regarding electronic
| ||||||
26 | records and signatures for notices legally required to be
|
| |||||||
| |||||||
1 | in writing as set forth in Section 7001 of Title 15 of the | ||||||
2 | United States Code;
or | ||||||
3 | (3) substitute notice, if the data collector
| ||||||
4 | demonstrates that the cost of providing notice would exceed
| ||||||
5 | $250,000 or that the affected class of subject persons to | ||||||
6 | be notified exceeds 500,000, or the data collector does not
| ||||||
7 | have sufficient contact information. Substitute notice | ||||||
8 | shall consist of all of the following: (i) email notice if | ||||||
9 | the data collector has an email address for the subject | ||||||
10 | persons; (ii) conspicuous posting of the notice on the data
| ||||||
11 | collector's web site page if the data collector maintains
| ||||||
12 | one; and (iii) notification to major statewide media or, if | ||||||
13 | the breach impacts residents in one geographic area, to | ||||||
14 | prominent local media in areas where affected individuals | ||||||
15 | are likely to reside if such notice is reasonably | ||||||
16 | calculated to give actual notice to persons whom notice is | ||||||
17 | required. | ||||||
18 | (d) Notwithstanding any other subsection in this Section, a | ||||||
19 | data collector
that maintains its own notification procedures | ||||||
20 | as part of an
information security policy for the treatment of | ||||||
21 | personal
information and is otherwise consistent with the | ||||||
22 | timing requirements of this Act, shall be deemed in compliance
| ||||||
23 | with the notification requirements of this Section if the
data | ||||||
24 | collector notifies subject persons in accordance with its | ||||||
25 | policies in the event of a breach of the security of the system | ||||||
26 | data.
|
| |||||||
| |||||||
1 | (Source: P.A. 99-503, eff. 1-1-17; 100-201, eff. 8-18-17.)
|