Bill Text: IL SB1833 | 2015-2016 | 99th General Assembly | Enrolled

Bill Title: Amends the Personal Information Protection Act. Expands the scope of information to be protected to include medical, health insurance, biometric, consumer marketing, and geolocation information. Requires notice of breaches of security to be provided to the Attorney General. Requires privacy policies to be posted.

Spectrum: Partisan Bill (Democrat 55-0)

Status: (Vetoed) 2015-09-24 - Bill Dead - Amendatory Veto [SB1833 Detail]




SB1833 Enrolled LRB099 09064 JLS 31312 b

AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 5. The Personal Information Protection Act is amended by changing Sections 5, 10, and 12 and adding Sections 45, 50, and 55 as follows:

(815 ILCS 530/5)

Sec. 5. Definitions. In this Act:

"Data Collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

"Breach of the security of the system data" or "breach" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. "Breach of the security of the system data" does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.

"Consumer marketing information" means information related to a consumer's online browsing history, online search history, or purchasing history, including, but not limited to, consumer profiles that are based upon the information. "Consumer marketing information" does not include information related to a consumer's online browsing history, online search history, or purchasing history held by a data collector that has a direct relationship with the consumer.

"Geolocation information" means information generated or derived from the operation or use of an electronic communications device that is stored and sufficient to identify the street name and name of the city or town in which an individual is located and the information is likely to enable someone to determine an individual's regular pattern of behavior. "Geolocation information" does not include the contents of an electronic communication.

"Health insurance information" means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's health insurance application and claims history, including any appeals records.

"Medical information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including health information provided to a website or mobile application.

"Personal information" means either of the following:

    (1) an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security:

        (A) (1) Social Security number.
        (B) (2) Driver's license number or State identification card number.
        (C) (3) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
        (D) Medical information.
        (E) Health insurance information.
        (F) Unique biometric data generated from measurements or technical analysis of human body characteristics that could be used to identify an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
        (G) Geolocation information.
        (H) Consumer marketing information.
        (I) Home address, telephone number, and email address in combination with either:
            (i) mother's maiden name when not part of an individual's surname; or
            (ii) month, day, and year of birth.

    (2) user name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

(Source: P.A. 97-483, eff. 1-1-12.)
(815 ILCS 530/10)

Sec. 10. Notice of Breach.

(a) Any data collector that owns or licenses personal information, excluding geolocation information and consumer marketing information, concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. The disclosure notification to an Illinois resident shall include, but need not be limited to, information as follows:

    (1) With respect to personal information as defined in Section 5 in paragraph (1) of the definition of "personal information", excluding geolocation information and consumer marketing information:
        (A) (i) the toll-free numbers and addresses for consumer reporting agencies; ,
        (B) (ii) the toll-free number, address, and website address for the Federal Trade Commission; , and
        (C) (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.

    The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.

    (2) With respect to personal information defined in Section 5 in paragraph (2) of the definition of "personal information", notice may be provided in electronic or other form directing the Illinois resident whose personal information has been breached to promptly change his or her username or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.

(b) Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition to providing such notification to the owner or licensee, the data collector shall cooperate with the owner or licensee in matters relating to the breach. That cooperation shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach. The data collector's cooperation shall not, however, be deemed to require either the disclosure of confidential business information or trade secrets or the notification of an Illinois resident who may have been affected by the breach.

(b-5) The notification to an Illinois resident required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the data collector with a written request for the delay. However, the data collector must notify the Illinois resident as soon as notification will no longer interfere with the investigation.

(c) For purposes of this Section, notice to consumers may be provided by one of the following methods:

    (1) written notice;
    (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
    (3) substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the data collector has an email address for the subject persons; (ii) conspicuous posting of the notice on the data collector's web site page if the data collector maintains one; and (iii) notification to major statewide media or, if the breach impacts residents in one geographic area, to prominent local media in areas where affected individuals are likely to reside if such notice is reasonably calculated to give actual notice to persons whom notice is required.

(d) Notwithstanding any other subsection in this Section, a data collector that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act, shall be deemed in compliance with the notification requirements of this Section if the data collector notifies subject persons in accordance with its policies in the event of a breach of the security of the system data.

(e) Notice to Attorney General.

    (1) Any data collector that owns or licenses personal information and suffers a single breach of the security of the data concerning the personal information of more than 250 Illinois residents shall provide notice to the Attorney General of the breach, including:
        (A) The types of personal information compromised in the breach.
        (B) The number of Illinois residents affected by such incident at the time of notification.
        (C) Any steps the data collector has taken or plans to take relating to notification of the breach to consumers.
        (D) The date and timeframe of the breach, if known at the time notification is provided.

    Such notification must be made within 30 business days of the data collector's discovery of the security breach or when the data collector provides any notice to consumers required by this Section, whichever is sooner, unless the data collector has good cause for reasonable delay to determine the scope of the breach and restore the integrity, security, and confidentiality of the data system, or when law enforcement requests in writing to withhold disclosure of some or all of the information required in the notification under this Section. If the date or timeframe of the breach is unknown at the time the notice is sent to the Attorney General, the data collector shall send the Attorney General the date or timeframe of the breach as soon as possible.

    (2) Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that suffers a single breach of the security of the data concerning the personal information of more than 250 Illinois residents shall notify the Attorney General of the following:
        (A) The types of personal information compromised in the breach.
        (B) The number of Illinois residents affected by such incident at the time of notification.
        (C) Any steps the data collector has taken or plans to take relating to notification of the owner or licensee of the breach and what measures, if any, the data collector has taken to notify Illinois residents.
        (D) The date and timeframe of the breach, if known at the time notification is provided.

    Such notification must be made within 30 business days of the data collector's discovery of the security breach or when the data collector provides notice to the owner or licensee of the information pursuant to this Section, whichever is sooner, unless the data collector has good cause for reasonable delay to determine the scope of the breach and restore the integrity, security, and confidentiality of the data system, or when law enforcement requests in writing to withhold disclosure of some or all of the information required in the notification under this Section. If the date or timeframe of the breach is unknown at the time the notice is sent to the Attorney General, the data collector shall send the Attorney General the date or timeframe of the breach as soon as possible.

(f) Upon receiving notification from a data collector of a breach of personal information, the Attorney General may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.

(Source: P.A. 97-483, eff. 1-1-12.)

(815 ILCS 530/12)

Sec. 12. Notice of breach; State agency.

(a) Any State agency that collects personal information, excluding geolocation and consumer marketing information, concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data or written material following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. The disclosure notification to an Illinois resident shall include, but need not be limited to information as follows:

    (1) With respect to personal information defined in Section 5 in paragraph (1) of the definition of "personal information": ,
        (i) the toll-free numbers and addresses for consumer reporting agencies; ,
        (ii) the toll-free number, address, and website address for the Federal Trade Commission; , and
        (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.

    (2) With respect to personal information as defined in Section 5 in paragraph (2) of the definition of "personal information", notice may be provided in electronic or other form directing the Illinois resident whose personal information has been breached to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.

The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.

(a-5) The notification to an Illinois resident required by subsection (a) of this Section may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the State agency with a written request for the delay. However, the State agency must notify the Illinois resident as soon as notification will no longer interfere with the investigation.

(b) For purposes of this Section, notice to residents may be provided by one of the following methods:

    (1) written notice;
    (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in Section 7001 of Title 15 of the United States Code; or
    (3) substitute notice, if the State agency demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds 500,000, or the State agency does not have sufficient contact information. Substitute notice shall consist of all of the following: (i) email notice if the State agency has an email address for the subject persons; (ii) conspicuous posting of the notice on the State agency's web site page if the State agency maintains one; and (iii) notification to major statewide media.

(c) Notwithstanding subsection (b), a State agency that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements of this Act shall be deemed in compliance with the notification requirements of this Section if the State agency notifies subject persons in accordance with its policies in the event of a breach of the security of the system data or written material.

(d) If a State agency is required to notify more than 1,000 persons of a breach of security pursuant to this Section, the State agency shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notices. Nothing in this subsection (d) shall be construed to require the State agency to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients.

(e) Notice to Attorney General.

    (1) Any State agency that suffers a single breach of the security of the data concerning the personal information of more than 250 Illinois residents shall provide notice to the Attorney General of the breach, including:
        (A) The types of personal information compromised in the breach.
        (B) The number of Illinois residents affected by such incident at the time of notification.
        (C) Any steps the State agency has taken or plans to take relating to notification of the breach to consumers.
        (D) The date and timeframe of the breach, if known at the time notification is provided.

    Such notification must be made within 30 business days of the State agency's discovery of the security breach or when the State agency provides any notice to consumers required by this Section, whichever is sooner, unless the State agency has good cause for reasonable delay to determine the scope of the breach and restore the integrity, security, and confidentiality of the data system, or when law enforcement requests in writing to withhold disclosure of some or all of the information required in the notification under this Section. If the date or timeframe of the breach is unknown at the time the notice is sent to the Attorney General, the State agency shall send the Attorney General the date or timeframe of the breach as soon as possible.

(Source: P.A. 97-483, eff. 1-1-12.)
(815 ILCS 530/45 new)

Sec. 45. Data security.

(a) A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.

(b) A contract for the disclosure of personal information concerning an Illinois resident that is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.

(c) If a state or federal law requires a data collector to provide greater protection to records that contain personal information concerning an Illinois resident that are maintained by the data collector and the data collector is in compliance with the provisions of that state or federal law, the data collector shall be deemed to be in compliance with the provisions of this Section.

(d) A data collector that is subject to and in compliance with the standards established pursuant to Section 501(b) of the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. Section 6801, shall be deemed to be in compliance with the provisions of this Section.
(815 ILCS 530/50 new)

Sec. 50. Posting of privacy policy.

(a) As used in this Section:

"Conspicuously post" means posting the privacy policy through any of the following:

    (1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site.
    (2) An icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word "privacy". The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable.
    (3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following:
        (A) Includes the word "privacy".
        (B) Is written in capital letters equal to or greater in size than the surrounding text.
        (C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
    (4) Any other functional hyperlink that is displayed in a noticeable manner.
    (5) In the case of an online service, any other reasonably accessible means of making the privacy policy available for a consumer of the online service.

"Operator" means any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personal information from a consumer residing in Illinois who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner's behalf or by processing information on behalf of the owner.

(b) An operator of a commercial Web site or online service that collects personal information through the Internet about individual consumers residing in Illinois who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site or, in the case of an operator of an online service, make the policy available in accordance with paragraph (5) of subsection (a) of this Section. An operator shall be in violation of this subdivision only if the operator fails to post its policy within 30 days after being notified of noncompliance.

(c) The privacy policy required by subsection (b) shall, at a minimum, do the following:

    (1) Identify the categories of personal information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personal information.
    (2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personal information that is collected through the Web site or online service, provide a description of that process.
    (3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator's privacy policy for that Web site or online service.
    (4) Identify its effective date.
    (5) Disclose how the operator responds to Web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personal information about an individual consumer's online activities over time and across third-party Web sites or online services, if the operator engages in that collection.
    (6) Disclose whether other parties may collect personal information about an individual consumer's online activities over time and across different Web sites or online services when a consumer uses the operator's Web site or online service.

An operator may satisfy the requirement of paragraph (5) by providing a clear and conspicuous hyperlink in the operator's privacy policy to an online location containing a description, including the effects, of any program or protocol the operator follows that offers the consumer that choice.
(815 ILCS 530/55 new)

Sec. 55. Entities subject to the federal Health Insurance Portability and Accountability Act of 1996. Any covered entity or business associate that is subject to and in compliance with the privacy and security standards for the protection of electronic health information established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act shall be deemed to be in compliance with the provisions of this Act, provided that any covered entity or business associate required to provide notification of a breach to the Secretary of Health and Human Services pursuant to the Health Information Technology for Economic and Clinical Health Act also provides such notification to the Attorney General within 5 business days of notifying the Secretary.