Bill Text: IL SB3007 | 2017-2018 | 100th General Assembly | Introduced
Bill Title: Amends the Personal Information Protection Act. Provides that a data collector required to report breaches to more than 100 Illinois residents as a result of a single breach must also report to the Attorney General. Provides that the Attorney General shall report annually to the General Assembly specified information concerning breaches of data security by February 1 of each year.
Spectrum: Partisan Bill (Democrat 2-0)
Status: (Failed) 2019-01-09 - Session Sine Die [SB3007 Detail]
Download: Illinois-2017-SB3007-Introduced.html
| ||||||||||||||||||||||
| ||||||||||||||||||||||
| ||||||||||||||||||||||
| ||||||||||||||||||||||
| ||||||||||||||||||||||
1 | AN ACT concerning business.
| |||||||||||||||||||||
2 | Be it enacted by the People of the State of Illinois,
| |||||||||||||||||||||
3 | represented in the General Assembly:
| |||||||||||||||||||||
4 | Section 5. The Personal Information Protection Act is | |||||||||||||||||||||
5 | amended by changing Section 10 and by adding Section 55 as | |||||||||||||||||||||
6 | follows:
| |||||||||||||||||||||
7 | (815 ILCS 530/10) | |||||||||||||||||||||
8 | Sec. 10. Notice of breach. | |||||||||||||||||||||
9 | (a) Any data collector that owns or licenses personal | |||||||||||||||||||||
10 | information concerning an Illinois resident shall notify the
| |||||||||||||||||||||
11 | resident at no charge that there has been a breach of the | |||||||||||||||||||||
12 | security of the
system data following discovery or notification | |||||||||||||||||||||
13 | of the breach.
The disclosure notification shall be made in the | |||||||||||||||||||||
14 | most
expedient time possible and without unreasonable delay,
| |||||||||||||||||||||
15 | consistent with any measures necessary to determine the
scope | |||||||||||||||||||||
16 | of the breach and restore the reasonable integrity,
security, | |||||||||||||||||||||
17 | and confidentiality of the data system. The disclosure | |||||||||||||||||||||
18 | notification to an Illinois resident shall include, but need | |||||||||||||||||||||
19 | not be limited to, information as follows: | |||||||||||||||||||||
20 | (1) With respect to personal information as defined in | |||||||||||||||||||||
21 | Section 5 in paragraph (1) of the definition of "personal | |||||||||||||||||||||
22 | information": | |||||||||||||||||||||
23 | (A) the toll-free numbers and addresses for |
| |||||||
| |||||||
1 | consumer reporting agencies; | ||||||
2 | (B) the toll-free number, address, and website | ||||||
3 | address for the Federal Trade Commission; and | ||||||
4 | (C) a statement that the individual can obtain | ||||||
5 | information from these sources about fraud alerts and | ||||||
6 | security freezes. | ||||||
7 | (2) With respect to personal information defined in | ||||||
8 | Section 5 in paragraph (2) of the definition of "personal | ||||||
9 | information", notice may be provided in electronic or other | ||||||
10 | form directing the Illinois resident whose personal | ||||||
11 | information has been breached to promptly change his or her | ||||||
12 | user name or password and security question or answer, as | ||||||
13 | applicable, or to take other steps appropriate to protect | ||||||
14 | all online accounts for which the resident uses the same | ||||||
15 | user name or email address and password or security | ||||||
16 | question and answer. | ||||||
17 | The notification shall not, however, include information | ||||||
18 | concerning the number of Illinois residents affected by the | ||||||
19 | breach. | ||||||
20 | (b) Any data collector that maintains or stores, but does | ||||||
21 | not own or license, computerized data that
includes personal | ||||||
22 | information that the data collector does not own or license | ||||||
23 | shall notify the owner or licensee of the information of any | ||||||
24 | breach of the security of the data immediately following | ||||||
25 | discovery, if the personal information was, or is reasonably | ||||||
26 | believed to have been, acquired by
an unauthorized person. In |
| |||||||
| |||||||
1 | addition to providing such notification to the owner or | ||||||
2 | licensee, the data collector shall cooperate with the owner or | ||||||
3 | licensee in matters relating to the breach. That cooperation | ||||||
4 | shall include, but need not be limited to, (i) informing the | ||||||
5 | owner or licensee of the breach, including giving notice of the | ||||||
6 | date or approximate date of the breach and the nature of the | ||||||
7 | breach, and (ii) informing the owner or licensee of any steps | ||||||
8 | the data collector has taken or plans to take relating to the | ||||||
9 | breach. The data collector's cooperation shall not, however, be | ||||||
10 | deemed to require either the disclosure of confidential | ||||||
11 | business information or trade secrets or the notification of an | ||||||
12 | Illinois resident who may have been affected by the breach.
| ||||||
13 | (b-5) The notification to an Illinois resident required by | ||||||
14 | subsection (a) of this Section may be delayed if an appropriate | ||||||
15 | law enforcement agency determines that notification will | ||||||
16 | interfere with a criminal investigation and provides the data | ||||||
17 | collector with a written request for the delay. However, the | ||||||
18 | data collector must notify the Illinois resident as soon as | ||||||
19 | notification will no longer interfere with the investigation.
| ||||||
20 | (c) For purposes of this Section, notice to consumers may | ||||||
21 | be provided by one of the following methods:
| ||||||
22 | (1) written notice; | ||||||
23 | (2) electronic notice, if the notice provided is
| ||||||
24 | consistent with the provisions regarding electronic
| ||||||
25 | records and signatures for notices legally required to be
| ||||||
26 | in writing as set forth in Section 7001 of Title 15 of the |
| |||||||
| |||||||
1 | United States Code;
or | ||||||
2 | (3) substitute notice, if the data collector
| ||||||
3 | demonstrates that the cost of providing notice would exceed
| ||||||
4 | $250,000 or that the affected class of subject persons to | ||||||
5 | be notified exceeds 500,000, or the data collector does not
| ||||||
6 | have sufficient contact information. Substitute notice | ||||||
7 | shall consist of all of the following: (i) email notice if | ||||||
8 | the data collector has an email address for the subject | ||||||
9 | persons; (ii) conspicuous posting of the notice on the data
| ||||||
10 | collector's web site page if the data collector maintains
| ||||||
11 | one; and (iii) notification to major statewide media or, if | ||||||
12 | the breach impacts residents in one geographic area, to | ||||||
13 | prominent local media in areas where affected individuals | ||||||
14 | are likely to reside if such notice is reasonably | ||||||
15 | calculated to give actual notice to persons whom notice is | ||||||
16 | required. | ||||||
17 | (d) Notwithstanding any other subsection in this Section, a | ||||||
18 | data collector
that maintains its own notification procedures | ||||||
19 | as part of an
information security policy for the treatment of | ||||||
20 | personal
information and is otherwise consistent with the | ||||||
21 | timing requirements of this Act, shall be deemed in compliance
| ||||||
22 | with the notification requirements of this Section if the
data | ||||||
23 | collector notifies subject persons in accordance with its | ||||||
24 | policies in the event of a breach of the security of the system | ||||||
25 | data.
| ||||||
26 | (e) Notice to Attorney General. |
| |||||||
| |||||||
1 | (1) Any data collector required to issue notice | ||||||
2 | pursuant to this Section to more than 100 Illinois | ||||||
3 | residents as a result of a single breach of the security | ||||||
4 | system shall provide notice to the Attorney General of the | ||||||
5 | breach, including: | ||||||
6 | (A) a description of the nature of the breach of | ||||||
7 | security or unauthorized acquisition
or use. | ||||||
8 | (B) the number of Illinois residents affected by | ||||||
9 | such incident at the time of notification. | ||||||
10 | (C) any steps the data collector has taken or plans | ||||||
11 | to take relating to the incident. | ||||||
12 | Such notification must be made within 14 business days | ||||||
13 | of the data collector's discovery of the security breach, | ||||||
14 | or when the data collector provides notice to consumers | ||||||
15 | pursuant to this Section, whichever is sooner. If the date | ||||||
16 | of the breach is unknown at the time the notice is sent to | ||||||
17 | the Attorney General, the data collector shall send the | ||||||
18 | Attorney General the date of the breach as soon as | ||||||
19 | possible. | ||||||
20 | (2) Any data collector that maintains or stores, but | ||||||
21 | does not own or license, computerized data that includes | ||||||
22 | personal information that is required to notify the owner | ||||||
23 | or licensee of the information that there has been a breach | ||||||
24 | of the security of the data, shall notify the Attorney | ||||||
25 | General of the following: | ||||||
26 | (A) a description of the nature of the breach of |
| |||||||
| |||||||
1 | security or unauthorized acquisition or use. | ||||||
2 | (B) the number of Illinois residents affected by | ||||||
3 | such incident at the time of notification. | ||||||
4 | (C) any steps the data collector has taken or plans | ||||||
5 | to take relating to the incident, including the steps | ||||||
6 | the data collector has taken to inform the owner or | ||||||
7 | licensee of the breach and what measures, if any, the | ||||||
8 | data collector has taken to notify Illinois residents. | ||||||
9 | Such notification must be made within 14 business days | ||||||
10 | of the data collector's discovery of the security breach, | ||||||
11 | or when the data collector provides notice to the owner or | ||||||
12 | licensee of the information pursuant to this section, | ||||||
13 | whichever is sooner. If the date of the breach is unknown | ||||||
14 | at the time the notice is sent to the Attorney General, the | ||||||
15 | data collector shall send the Attorney General the date of | ||||||
16 | the breach as soon as possible. | ||||||
17 | (Source: P.A. 99-503, eff. 1-1-17; 100-201, eff. 8-18-17.)
| ||||||
18 | (815 ILCS 530/55 new) | ||||||
19 | Sec. 55. Report to General Assembly. The Attorney General | ||||||
20 | shall report to the General Assembly by February 1 of each year | ||||||
21 | the following: | ||||||
22 | (1) the total number of Illinois residents affected by | ||||||
23 | a breach of security in the preceding calendar year; | ||||||
24 | (2) the total number of breaches of security affecting | ||||||
25 | more than 100 Illinois residents as a result of a single |
| |||||||
| |||||||
1 | breach in the preceding calendar year; | ||||||
2 | (3) the total number of records breached; | ||||||
3 | (4) the mean and median breach size; | ||||||
4 | (5) the types of data most commonly breached including, | ||||||
5 | but not limited to, social security numbers, drivers' | ||||||
6 | license numbers, financial account numbers, medical or | ||||||
7 | health insurance information, and credentials for online | ||||||
8 | accounts; | ||||||
9 | (6) the most common types of breach including, but not | ||||||
10 | limited to, malware, hacking, physical breaches, and | ||||||
11 | breaches caused by error or misuse; | ||||||
12 | (7) the industry sectors most affected by security | ||||||
13 | breaches; | ||||||
14 | (8) the number of breaches for which there was no | ||||||
15 | compliance with the notice requirements of this Act; and | ||||||
16 | (9) any other information the Attorney General deems | ||||||
17 | relevant.
|