Bill Amendment: IL SB0707 | 2017-2018 | 100th General Assembly
NOTE: For additional amendments please see the Bill Drafting List
Bill Title: PERSONAL INFO PRTCT AGENCY RPT
Status: 2017-08-25 - Public Act . . . . . . . . . 100-0412 [SB0707 Detail]
Download: Illinois-2017-SB0707-Senate_Amendment_002.html
AMENDMENT TO SENATE BILL 707

AMENDMENT NO. ______. Amend Senate Bill 707, AS AMENDED, by replacing everything after the enacting clause with the following:

"Section 5. The Personal Information Protection Act is amended by changing Section 12 as follows:

(815 ILCS 530/12)
Sec. 12. Notice of breach; State agency.
(a) Any State agency that collects personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data or written material following discovery or notification of the breach.
The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
The disclosure notification to an Illinois resident shall include, but need not be limited to information as follows:
    (1) With respect to personal information defined in Section 5 in paragraph (1) of the definition of "personal information":
        (i) the toll-free numbers and addresses for consumer reporting agencies;
        (ii) the toll-free number, address, and website address for the Federal Trade Commission; and
        (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.
    (2) With respect to personal information as defined in Section 5 in paragraph (2) of the definition of "personal information", notice may be provided in electronic or other form directing the Illinois resident whose personal information has been breached to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.
The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.
(a-5) The notification to an Illinois resident required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the State agency with a written request for the delay. However, the State agency must notify the Illinois resident as soon as notification will no longer interfere with the investigation.
(b) For purposes of this Section, notice to residents may be provided by one of the following methods:
    (1) written notice;
    (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
    (3) substitute notice, if the State agency demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the State agency does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the State agency has an email address for the subject persons; (ii) conspicuous posting of the notice on the State agency's web site page if the State agency maintains one; and (iii) notification to major statewide media.
(c) Notwithstanding subsection (b), a State agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act shall be deemed in compliance with the notification requirements of this Section if the State agency notifies subject persons in accordance with its policies in the event of a breach of the security of the system data or written material.
(d) If a State agency is required to notify more than 1,000 persons of a breach of security pursuant to this Section, the State agency shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notices. Nothing in this subsection (d) shall be construed to require the State agency to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients.
(e) Notice to Attorney General. Any State agency that suffers a single breach of the security of the data concerning the personal information of more than 250 Illinois residents shall provide notice to the Attorney General of the breach, including:
    (A) The types of personal information compromised in the breach.
    (B) The number of Illinois residents affected by such incident at the time of notification.
    (C) Any steps the State agency has taken or plans to take relating to notification of the breach to consumers.
    (D) The date and timeframe of the breach, if known at the time notification is provided.
Such notification must be made within 45 days of the State agency's discovery of the security breach or when the State agency provides any notice to consumers required by this Section, whichever is sooner, unless the State agency has good cause for reasonable delay to determine the scope of the breach and restore the integrity, security, and confidentiality of the data system, or when law enforcement requests in writing to withhold disclosure of some or all of the information required in the notification under this Section. If the date or timeframe of the breach is unknown at the time the notice is sent to the Attorney General, the State agency shall send the Attorney General the date or timeframe of the breach as soon as possible.
(f) In addition to the report required by Section 25 of this Act, if the State agency that suffers a breach determines the identity of the actor who perpetrated the breach, then the State agency shall report this information, within 5 days after the determination, to the Subcommittee on Cybersecurity of the Senate Telecommunications and Information Technology Committee and to the House Cybersecurity, Data Analytics, & IT (Information Technology) Committee, provided that such report would not jeopardize the security of Illinois residents or compromise a security investigation.
(g) A State agency directly responsible to the Governor that has been subject to or has reason to believe it has been subject to a single breach of the security of the data concerning the personal information of more than 250 Illinois residents or an instance of aggravated computer tampering, as defined in Section 17-53 of the Criminal Code of 2012, shall notify the Office of the Chief Information Security Officer of the Illinois Department of Innovation and Technology and the Attorney General regarding the breach or instance of aggravated computer tampering. The notification shall be made without delay, but no later than 72 hours following the discovery of the incident.
Upon receiving notification of such incident, the Chief Information Security Officer shall without delay take necessary and reasonable actions to:
    (i) assess the incident to determine the potential impact on the overall confidentiality, security, and availability of State of Illinois data and information systems;
    (ii) ensure the security incident is contained to minimize additional impact and risk to the State;
    (iii) identify the root cause of the incident;
    (iv) provide recommendations to the impacted State agency to assist with eradicating the threat and removing and mitigating any vulnerabilities to reduce the risk of further compromise; and
    (v) assist the impacted State agency in any necessary recovery efforts to ensure effective return to a state of normal operations.
The Department of Innovation and Technology may agree to submit the reports required in subsections (e) and (f) of this Section and in Section 25 in lieu of the impacted agency.
(h) Upon receiving notification from a State agency of a breach of personal information or from the Department of Innovation and Technology in lieu of the impacted agency, the Attorney General may publish the name of the State agency that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.
(Source: P.A. 99-503, eff. 1-1-17.)

Section 99. Effective date. This Act takes effect upon becoming law.".