Bill Text: IL HB3188 | 2015-2016 | 99th General Assembly | Introduced

Bill Title: Amends the Personal Information Protection Act. Expands the scope of information to be protected to include medical, health insurance, biometric, consumer marketing, and geolocation information. Requires notice of breaches of security to be provided to the Attorney General. Requires privacy policies to be posted.

Spectrum: Partisan Bill (Democrat 29-0)

Status: (Introduced - Dead) 2016-06-01 - Added Co-Sponsor Rep. Camille Y. Lilly [HB3188 Detail]

Download: Illinois-2015-HB3188-Introduced.html



 


99TH GENERAL ASSEMBLY
State of Illinois
2015 and 2016
HB3188
 
Introduced , by Rep. Ann Williams
 
SYNOPSIS AS INTRODUCED:



815 ILCS 530/5
815 ILCS 530/10
815 ILCS 530/45 new
815 ILCS 530/50 new

 Amends the Personal Information Protection Act. Expands the scope of information to be protected to include medical, health insurance, biometric, consumer marketing, and geolocation information. Requires notice of breaches of security to be provided to the Attorney General. Requires privacy policies to be posted.



LRB099 10963 JLS 31316 b


FISCAL NOTE ACT MAY APPLY
 
 
A BILL FOR
 


HB3188LRB099 10963 JLS 31316 b



1 AN ACT concerning business.


2 Be it enacted by the People of the State of Illinois,

3represented in the General Assembly:



4 Section 5. The Personal Information Protection Act is 
5amended by changing Sections 5 and 10 and by adding Sections 
645, and 50 as follows:

7 (815 ILCS 530/5)

8 Sec. 5. Definitions. In this Act: 
9 "Data Collector" may include, but is not limited to,

10government agencies, public and private universities,

11privately and publicly held corporations, financial

12institutions, retail operators, and any other entity that, for 
13any purpose, handles, collects, disseminates, or otherwise

14deals with nonpublic personal information.

15 "Breach of the security of the system data" or "breach" 
16means
unauthorized acquisition of computerized data that 
17compromises the security, confidentiality, or integrity of 
18personal information maintained by the data collector. "Breach 
19of the security of the system data" does not include good faith

20acquisition of personal information by an employee or agent of

21the data collector for a legitimate purpose of the data

22collector, provided that the personal information is not used

23for a purpose unrelated to the data collector's business or

 
 
HB3188- 2 -LRB099 10963 JLS 31316 b


1subject to further unauthorized disclosure.

2 "Consumer marketing information" means information related 
3to a consumer's online browsing history, online search history, 
4or purchasing history.
5 "Geolocation information" means information generated or 
6derived from the operation or use of an electronic 
7communications device that is sufficient to identify the street 
8name and name of the city or town in which the device is 
9located. "Geolocation information" does not include the 
10contents of an electronic communication.
11 "Health insurance information" means an individual's 
12health insurance policy number or subscriber identification 
13number, any unique identifier used by a health insurer to 
14identify the individual, or any information in an individual's 
15health insurance application and claims history, including any 
16appeals records.
17 "Medical information" means any information regarding an 
18individual's medical history, mental or physical condition, or 
19medical treatment or diagnosis by a healthcare professional, 
20including health information provided to a website or mobile 
21application. 
22 "Personal information" means either of the following:
23  (1) an individual's first name or first initial and 
24 last name in combination with any one or more
of the 
25 following data elements, when either the name or the data 
26 elements are not encrypted or redacted or are encrypted or 
 
 
HB3188- 3 -LRB099 10963 JLS 31316 b


1 redacted but the keys to unencrypt or unredact or otherwise 
2 read the name or data elements have been obtained through 
3 the breach of security:

4   (A) (1) Social Security number. 
5   (B) (2) Driver's license number or State 
6 identification
card number.

7   (C) (3) Account number or credit or debit card 
8 number, or an
account number or credit card number in 
9 combination with
any required security code, access 
10 code, or password that
would permit access to an 
11 individual's financial account.

12   (D) Medical information.
13   (E) Health insurance information.
14   (F) Unique biometric data, such as a fingerprint, 
15 retina or iris image, or other unique physical 
16 representation or digital representation of biometric 
17 data.
18   (G) Geolocation information.
19   (H) Consumer marketing information.
20   (I) Any 2 of the following data elements:
21    (i) home address, telephone number, or email 
22 address;
23    (ii) mother's maiden name; 
24    (iii) month, day, and year of birth.
25  (2) user name or email address, in combination with a 
26 password or security question and answer that would permit 
 
 
HB3188- 4 -LRB099 10963 JLS 31316 b


1 access to an online account, when either the user name or 
2 email address or password or security question and answer 
3 are not encrypted or redacted or are encrypted or redacted 
4 but the keys to unencrypt or unredact or otherwise read the 
5 data elements have been obtained through the breach of 
6 security. 
7 "Personal information" does not include publicly available

8information that is lawfully made available to the general

9public from federal, State, or local government records.


10(Source: P.A. 97-483, eff. 1-1-12.)

11 (815 ILCS 530/10)

12 Sec. 10. Notice of Breach. 
13 (a) Any data collector that owns or licenses personal 
14information concerning an Illinois resident shall notify the

15resident at no charge that there has been a breach of the 
16security of the
system data following discovery or notification 
17of the breach.
The disclosure notification shall be made in the 
18most
expedient time possible and without unreasonable delay,

19consistent with any measures necessary to determine the
scope 
20of the breach and restore the reasonable integrity,
security, 
21and confidentiality of the data system. The disclosure 
22notification to an Illinois resident shall include, but need 
23not be limited to, (i) the toll-free numbers and addresses for 
24consumer reporting agencies, (ii) the toll-free number, 
25address, and website address for the Federal Trade Commission, 
 
 
HB3188- 5 -LRB099 10963 JLS 31316 b


1and (iii) a statement that the individual can obtain 
2information from these sources about fraud alerts and security 
3freezes. The notification shall not, however, include 
4information concerning the number of Illinois residents 
5affected by the breach.
6 (b) Any data collector that maintains or stores, but does 
7not own or license, computerized data that
includes personal 
8information that the data collector does not own or license 
9shall notify the owner or licensee of the information of any 
10breach of the security of the data immediately following 
11discovery, if the personal information was, or is reasonably 
12believed to have been, acquired by
an unauthorized person. In 
13addition to providing such notification to the owner or 
14licensee, the data collector shall cooperate with the owner or 
15licensee in matters relating to the breach. That cooperation 
16shall include, but need not be limited to, (i) informing the 
17owner or licensee of the breach, including giving notice of the 
18date or approximate date of the breach and the nature of the 
19breach, and (ii) informing the owner or licensee of any steps 
20the data collector has taken or plans to take relating to the 
21breach. The data collector's cooperation shall not, however, be 
22deemed to require either the disclosure of confidential 
23business information or trade secrets or the notification of an 
24Illinois resident who may have been affected by the breach.

25 (b-5) The notification to an Illinois resident required by 
26subsection (a) of this Section may be delayed if an appropriate 
 
 
HB3188- 6 -LRB099 10963 JLS 31316 b


1law enforcement agency determines that notification will 
2interfere with a criminal investigation and provides the data 
3collector with a written request for the delay. However, the 
4data collector must notify the Illinois resident as soon as 
5notification will no longer interfere with the investigation.

6 (c) For purposes of this Section, notice to consumers may 
7be provided by one of the following methods:

8  (1) written notice; 
9  (2) electronic notice, if the notice provided is

10 consistent with the provisions regarding electronic

11 records and signatures for notices legally required to be

12 in writing as set forth in Section 7001 of Title 15 of the 
13 United States Code;
or 
14  (3) substitute notice, if the data collector

15 demonstrates that the cost of providing notice would exceed

16 $250,000 or that the affected class of subject persons to 
17 be notified exceeds 500,000, or the data collector does not

18 have sufficient contact information. Substitute notice 
19 shall consist of all of the following: (i) email notice if 
20 the data collector has an email address for the subject 
21 persons; (ii) conspicuous posting of the notice on the data

22 collector's web site page if the data collector maintains

23 one; and (iii) notification to major statewide media or, if 
24 the breach impacts residents in one geographic area, to 
25 prominent local media in areas where affected individuals 
26 are likely to reside if such notice is reasonably 
 
 
HB3188- 7 -LRB099 10963 JLS 31316 b


1 calculated to give actual notice to persons whom notice is 
2 required. 
3 (d) Notwithstanding any other subsection in this Section, a 
4data collector
that maintains its own notification procedures 
5as part of an
information security policy for the treatment of 
6personal
information and is otherwise consistent with the 
7timing requirements of this Act, shall be deemed in compliance

8with the notification requirements of this Section if the
data 
9collector notifies subject persons in accordance with its 
10policies in the event of a breach of the security of the system 
11data.


12 (e) Notice to Attorney General.
13  (1) Any data collector required to issue notice 
14 pursuant to this Section to more than 100 Illinois 
15 residents as a result of a single breach of the security 
16 system shall provide notice to the Attorney General of the 
17 breach, including:
18   (A) a description of the nature of the breach of 
19 security or unauthorized acquisition
or use.
20   (B) the number of Illinois residents affected by 
21 such incident at the time of notification.
22   (C) any steps the data collector has taken or plans 
23 to take relating to the incident.
24  Such notification must be made within 14 business days 
25 of the data collector's discovery of the security breach, 
26 or when the data collector provides notice to consumers 
 
 
HB3188- 8 -LRB099 10963 JLS 31316 b


1 pursuant to this Section, whichever is sooner. If the date 
2 of the breach is unknown at the time the notice is sent to 
3 the Attorney General, the data collector shall send the 
4 Attorney General the date of the breach as soon as 
5 possible.
6  (2) Any data collector that maintains or stores, but 
7 does not own or license, computerized data that includes 
8 personal information that is required to notify the owner 
9 or licensee of the information that there has been a breach 
10 of the security of the data, shall notify the Attorney 
11 General of the following:
12   (A) a description of the nature of the breach of 
13 security or unauthorized acquisition or use.
14   (B) the number of Illinois residents affected by 
15 such incident at the time of notification.
16   (C) any steps the data collector has taken or plans 
17 to take relating to the incident, including the steps 
18 the data collector has taken to inform the owner or 
19 licensee of the breach and what measures, if any, the 
20 data collector has taken to notify Illinois residents.
21  Such notification must be made within 14 business days 
22 of the data collector's discovery of the security breach, 
23 or when the data collector provides notice to the owner or 
24 licensee of the information pursuant to this section, 
25 whichever is sooner. If the date of the breach is unknown 
26 at the time the notice is sent to the Attorney General, the 
 
 
HB3188- 9 -LRB099 10963 JLS 31316 b


1 data collector shall send the Attorney General the date of 
2 the breach as soon as possible. 
3(Source: P.A. 97-483, eff. 1-1-12.)

4 (815 ILCS 530/45 new)
5 Sec. 45. Data security.
6 (a) A data collector that owns or licenses, or maintains or 
7stores but does not own or license, records that contain 
8personal information concerning an Illinois resident shall 
9implement and maintain reasonable security measures to protect 
10those records from unauthorized access, acquisition, 
11destruction, use, modification, or disclosure.
12 (b) A contract for the disclosure of personal information 
13concerning an Illinois resident that is maintained by a data 
14collector must include a provision requiring the person to whom 
15the information is disclosed to implement and maintain 
16reasonable security measures to protect those records from 
17unauthorized access, acquisition, destruction, use, 
18modification, or disclosure.
19 (c) If a State or federal law requires a data collector to 
20provide greater protection to records that contain personal 
21information concerning an Illinois resident that are 
22maintained by the data collector and the data collector is in 
23compliance with the provisions of that State or federal law, 
24the data collector shall be deemed to be in compliance with the 
25provisions of this Section.

 
 
HB3188- 10 -LRB099 10963 JLS 31316 b


1 (815 ILCS 530/50 new)
2 Sec. 50. Posting of privacy policy.
3 (a) As used in this Section:
4 "Conspicuously post" means posting the privacy policy 
5through any of the following:
6  (1) A Web page on which the actual privacy policy is 
7 posted if the Web page is the homepage or first significant 
8 page after entering the Web site.
9  (2) An icon that hyperlinks to a Web page on which the 
10 actual privacy policy is posted, if the icon is located on 
11 the homepage or the first significant page after entering 
12 the Web site, and if the icon contains the word "privacy." 
13 The icon shall also use a color that contrasts with the 
14 background color of the Web page or is otherwise 
15 distinguishable.
16  (3) A text link that hyperlinks to a Web page on which 
17 the actual privacy policy is posted, if the text link is 
18 located on the homepage or first significant page after 
19 entering the Web site, and if the text link does one of the 
20 following:
21   (A) Includes the word "privacy".
22   (B) Is written in capital letters equal to or 
23 greater in size than the surrounding text.
24   (C) Is written in larger type than the surrounding 
25 text, or in contrasting type, font, or color to the 
 
 
HB3188- 11 -LRB099 10963 JLS 31316 b


1 surrounding text of the same size, or set off from the 
2 surrounding text of the same size by symbols or other 
3 marks that call attention to the language.
4  (4) Any other functional hyperlink that is displayed in 
5 a noticeable manner.
6  (5) In the case of an online service, any other 
7 reasonably accessible means of making the privacy policy 
8 available for a consumer of the online service.
9 "Operator" means any person or entity that owns a Web site 
10located on the Internet or an online service that collects and 
11maintains personal information from a consumer residing in 
12Illinois who uses or visits the Web site or online service if 
13the Web site or online service is operated for commercial 
14purposes. It does not include any third party that operates, 
15hosts, or manages, but does not own, a Web site or online 
16service on the owner's behalf or by processing information on 
17behalf of the owner.
18 (b) An operator of a commercial Web site or online service 
19that collects personal information through the Internet about 
20individual consumers residing in Illinois who use or visit its 
21commercial Web site or online service shall conspicuously post 
22its privacy policy on its Web site or online service. An 
23operator shall be in violation of this subdivision only if the 
24operator fails to post its policy within 30 days after being 
25notified of noncompliance.
26 (c) The privacy policy required by subsection (b) shall, at 
 
 
HB3188- 12 -LRB099 10963 JLS 31316 b


1a minimum, do the following:
2  (1) Identify the categories of personal information 
3 that the operator collects through the Web site or online 
4 service about individual consumers who use or visit its 
5 commercial Web site or online service and the categories of 
6 third-party persons or entities with whom the operator may 
7 share that personal information.
8  (2) If the operator maintains a process for an 
9 individual consumer who uses or visits its commercial Web 
10 site or online service to review and request changes to any 
11 of his or her personal information that is collected 
12 through the Web site or online service, provide a 
13 description of that process.
14  (3) Describe the process by which the operator notifies 
15 consumers who use or visit its commercial Web site or 
16 online service of material changes to the operator's 
17 privacy policy for that Web site or online service.
18  (4) Identify its effective date.
19  (5) Disclose how the operator responds to Web browser 
20 "do not track" signals or other mechanisms that provide 
21 consumers the ability to exercise choice regarding the 
22 collection of personal information about an individual 
23 consumer's online activities over time and across 
24 third-party Web sites or online services, if the operator 
25 engages in that collection.
26  (6) Disclose whether other parties may collect 
 
 
HB3188- 13 -LRB099 10963 JLS 31316 b


1 personal information about an individual consumer's online 
2 activities over time and across different Web sites or 
3 online services when a consumer uses the operator's Web 
4 site or online service.
5 An operator may satisfy the requirement of paragraph (5) by 
6providing a clear and conspicuous hyperlink in the operator's 
7privacy policy to an online location containing a description, 
8including the effects, of any program or protocol the operator 
9follows that offers the consumer that choice.


 
         


        
        
      


      

  

      
LegiScan Search

  
  

    
View Top 50 Searches



 
 
 
Select area of search.






 
 
 
Find an exact bill number.





 
 
 
Search bill text and data. [help]








 Reset








  


  




      
LegiScan Trends

  
  

    
View Top 50 National
TX SB901 Relating to the declaration of a candidate's ineligibility on the basis...
NM SB200 State Holiday To Vote
PA HB158 Providing for sport activities in public institutions of higher education...
OR HB2388 Relating to easements; declaring an emergency.
OR HB3095 Relating to rebuttable presumptions regarding parenting; prescribing an...
NJ S4008 Imposes locational restriction on construction of a new crematory.
TX SB869 Relating to the deadline for the Texas Ethics Commission to resolve certain...
TN HB0552 AN ACT to amend Tennessee Code Annotated, Title 37; Title 49; Title 50...
RI H5116 Directs the state board of pharmacy to annually identify up to fifteen...
TX SB883 Relating to patient access to prescription drugs for off-label use for...
  


  




      
    


          
    
  


  
  
  
  


  
  

   
      feedback