Bill Text: IL HB5397 | 2019-2020 | 101st General Assembly | Introduced


Bill Title: Creates the Insurance Data Security Act. Requires any person licensed, authorized to operate, or registered as an insurer in accordance with the insurance laws of this State to conduct a risk assessment of cybersecurity threats, implement appropriate security measures, and no less than annually assess the effectiveness of the safeguards' key controls, systems, and procedures. Requires a licensee to develop, implement, and maintain a written information security program based on the licensee's risk assessment. Requires each licensee to establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations. Requires licensees domiciled in this State to annually submit a written certification of compliance to the Director of Insurance. Provides that a licensee shall notify the Director as promptly as possible, but not later than 72 hours from a determination that a cybersecurity event has occurred in specified circumstances. Provides standards and procedures for risk management, data security, and notification and investigation of cybersecurity events resulting in unauthorized access to, disruption of, or misuse of nonpublic data. Provides that the Director has the power to examine and investigate to determine whether a licensee has been or is engaged in any conduct in violation of the Act. Grants the Department of Insurance rulemaking authority to implement the Act. Provides that any documents, materials, or other information obtained pursuant to the Act is confidential by law and privileged, is not subject to the Freedom of Information Act, is not subject to subpoena, and is not subject to discovery or admissible in evidence in any private civil action. Makes a conforming change in the Freedom of Information Act. Defines terms. Effective January 1, 2021.

Spectrum: Partisan Bill (Republican 3-0)

Status: (Introduced - Dead) 2020-02-18 - Referred to Rules Committee [HB5397 Detail]

Download: Illinois-2019-HB5397-Introduced.html


101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
HB5397

Introduced , by Rep. Keith R. Wheeler - Grant Wehrli - Amy Grant

SYNOPSIS AS INTRODUCED:
New Act
5 ILCS 140/7.5

Creates the Insurance Data Security Act. Requires any person licensed, authorized to operate, or registered as an insurer in accordance with the insurance laws of this State to conduct a risk assessment of cybersecurity threats, implement appropriate security measures, and no less than annually assess the effectiveness of the safeguards' key controls, systems, and procedures. Requires a licensee to develop, implement, and maintain a written information security program based on the licensee's risk assessment. Requires each licensee to establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations. Requires licensees domiciled in this State to annually submit a written certification of compliance to the Director of Insurance. Provides that a licensee shall notify the Director as promptly as possible, but not later than 72 hours from a determination that a cybersecurity event has occurred in specified circumstances. Provides standards and procedures for risk management, data security, and notification and investigation of cybersecurity events resulting in unauthorized access to, disruption of, or misuse of nonpublic data. Provides that the Director has the power to examine and investigate to determine whether a licensee has been or is engaged in any conduct in violation of the Act. Grants the Department of Insurance rulemaking authority to implement the Act. Provides that any documents, materials, or other information obtained pursuant to the Act is confidential by law and privileged, is not subject to the Freedom of Information Act, is not subject to subpoena, and is not subject to discovery or admissible in evidence in any private civil action. Makes a conforming change in the Freedom of Information Act. Defines terms. Effective January 1, 2021.
LRB101 16602 BMS 65986 b

A BILL FOR

HB5397LRB101 16602 BMS 65986 b
1 AN ACT concerning regulation.
2 Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
4 Section 1. Short title. This Act may be cited as the
5Insurance Data Security Act.
6 Section 5. Purpose.
7 (a) The purpose of this Act is to establish standards for
8data security and standards for the investigation of and
9notification to the Director of a cybersecurity event
10applicable to licensees, as defined in Section 10.
11 (b) This Act may not be construed to create or imply a
12private cause of action for violation of its provisions nor may
13it be construed to curtail a private cause of action that would
14otherwise exist in the absence of this Act.
15 Section 10. Definitions. As used in this Act:
16 "Authorized individual" means an individual known to and
17screened by the licensee and determined to be necessary and
18appropriate to have access to the nonpublic information held by
19the licensee and its information systems.
20 "Consumer" means an individual, including, but not limited
21to, an applicant, a policyholder, an insured, a beneficiary, a
22claimant, and a certificate holder, who is a resident of this

HB5397- 2 -LRB101 16602 BMS 65986 b
1State and whose nonpublic information is in a licensee's
2possession, custody, or control.
3 "Cybersecurity event" means an event resulting in
4unauthorized access to, disruption of, or misuse of an
5information system or information stored on such information
6system. "Cybersecurity event" does not include the
7unauthorized acquisition of encrypted nonpublic information if
8the encryption, process, or key is not also acquired, released,
9or used without authorization. "Cybersecurity event" does not
10include an event with regard to which the licensee has
11determined that the nonpublic information accessed by an
12unauthorized person has not been used or released and has been
13returned or destroyed.
14 "Department" means the Department of Insurance.
15 "Director" means the Director of Insurance.
16 "Encrypted" means the transformation of data into a form
17that results in a low probability of assigning meaning without
18the use of a protective process or key.
19 "Information security program" means the administrative,
20technical, and physical safeguards that a licensee uses to
21access, collect, distribute, process, protect, store, use,
22transmit, dispose of, or otherwise handle nonpublic
23information.
24 "Information system" means a discrete set of electronic
25information resources organized for the collection,
26processing, maintenance, use, sharing, dissemination, or

HB5397- 3 -LRB101 16602 BMS 65986 b
1disposition of electronic information, as well as any
2specialized system, such as an industrial or process control
3system, a telephone switching and private branch exchange
4system, or an environmental control system.
5 "Licensee" means any person licensed, authorized to
6operate, or registered as an insurer, or required to be
7licensed, authorized, or registered in accordance with the
8insurance laws of this State, but does not include a purchasing
9group or risk retention group chartered and licensed in a state
10other than this State or a licensee that is acting as an
11assuming insurer that is domiciled in another state or
12jurisdiction.
13 "Multi-factor authentication" means authentication through
14verification of at least 2 of the following types of
15authentication factors:
16 (1) knowledge factors, such as a password;
17 (2) possession factors, such as a token or text message
18 on a mobile phone; or
19 (3) inherence factors, such as a biometric
20 characteristic.
21 "Nonpublic information" means information that is not
22publicly available information and is:
23 (1) business-related information of a licensee the
24 tampering with which, or unauthorized disclosure, access,
25 or use of which, would cause a material adverse impact to
26 the business, operations, or security of the licensee;

HB5397- 4 -LRB101 16602 BMS 65986 b
1 (2) any information concerning a consumer that,
2 because of name, number, personal mark, or other
3 identifier, can be used to identify such consumer in
4 combination with any one or more of the following data
5 elements:
6 (a) Social Security number;
7 (b) driver's license number or non-driver
8 identification card number;
9 (c) account number and credit or debit card number;
10 (d) any security code, access code, or password
11 that would permit access to a consumer's financial
12 account; or
13 (e) biometric records; or
14 (3) any information or data, except age or gender, in
15 any form or medium created by or derived from a health care
16 provider or a consumer and that relates to:
17 (a) the past, present, or future physical, mental,
18 or behavioral health or condition of any consumer or a
19 member of the consumer's family;
20 (b) the provision of health care to any consumer;
21 or
22 (c) payment for the provision of health care to any
23 consumer.
24 "Person" means any individual or any non-governmental
25entity, including, but not limited to, any non-governmental
26partnership, corporation, branch, agency, or association.

HB5397- 5 -LRB101 16602 BMS 65986 b
1 "Publicly available information" means any information
2that a licensee has a reasonable basis to believe is lawfully
3made available to the general public from: federal, state, or
4local government records; widely distributed media; or
5disclosures to the general public that are required to be made
6by federal, state, or local law. For the purposes of this
7definition, a licensee has a reasonable basis to believe that
8information is lawfully made available to the general public if
9the licensee has taken steps to determine:
10 (1) that the information is of the type that is
11 available to the general public; and
12 (2) whether a consumer can direct that the information
13 not be made available to the general public and, if so,
14 that such consumer has not done so.
15 "Risk assessment" means the risk assessment that each
16licensee is required to conduct under subsection (c) of Section
1715 of this Act.
18 "State" means the State of Illinois.
19 "Third-party service provider" means a person, not
20otherwise defined as a licensee, that contracts with a licensee
21to maintain, process, store, or is otherwise permitted access
22to nonpublic information through its provision of services to
23the licensee.
24 Section 15. Information security program.
25 (a) No later than one year after the effective date of this

HB5397- 6 -LRB101 16602 BMS 65986 b
1Act, each licensee shall develop, implement, and maintain a
2comprehensive written information security program based on
3the licensee's risk assessment. The information security
4program shall contain administrative, technical, and physical
5safeguards for the protection of nonpublic information and the
6licensee's information system. The information security
7program shall be commensurate with the size and complexity of
8the licensee, the nature and scope of the licensee's
9activities, including its use of third-party service
10providers, and the sensitivity of the nonpublic information
11used by the licensee or in the licensee's possession, custody,
12or control.
13 (b) A licensee's information security program shall be
14designed to:
15 (1) protect the security and confidentiality of
16 nonpublic information and the security of the information
17 system;
18 (2) protect against any threats or hazards to the
19 security or integrity of nonpublic information and the
20 information system;
21 (3) protect against unauthorized access to or use of
22 nonpublic information and minimize the likelihood of harm
23 to any consumer; and
24 (4) define and periodically reevaluate a schedule for
25 retention of nonpublic information and a mechanism for its
26 destruction when no longer needed.

HB5397- 7 -LRB101 16602 BMS 65986 b
1 (c) The licensee shall:
2 (1) designate one or more employees, an affiliate, or
3 an outside vendor designated to act on behalf of the
4 licensee who is responsible for the information security
5 program;
6 (2) identify reasonably foreseeable internal or
7 external threats that could result in unauthorized access,
8 transmission, disclosure, misuse, alteration, or
9 destruction of nonpublic information, including the
10 security of information systems and nonpublic information
11 that is accessible to, or held by, third-party service
12 providers;
13 (3) assess the likelihood and potential damage of these
14 threats, taking into consideration the sensitivity of the
15 nonpublic information;
16 (4) assess the sufficiency of policies, procedures,
17 information systems, and other safeguards in place to
18 manage these threats, including consideration of threats
19 in each relevant area of the licensee's operations,
20 including:
21 (A) employee training and management;
22 (B) information systems, including network and
23 software design, as well as information
24 classification, governance, processing, storage,
25 transmission, and disposal; and
26 (C) detecting, preventing, and responding to

HB5397- 8 -LRB101 16602 BMS 65986 b
1 attacks, intrusions, or other system failures; and
2 (5) implement information safeguards to manage the
3 threats identified in its ongoing assessment, and assess
4 the effectiveness of the safeguards' key controls,
5 systems, and procedures no less than annually.
6 (d) Based on its risk assessment, the licensee shall:
7 (1) design its information security program to
8 mitigate the identified risks, commensurate with the size
9 and complexity of the licensee's activities, including its
10 use of third-party service providers, and the sensitivity
11 of the nonpublic information used by the licensee or in the
12 licensee's possession, custody, or control;
13 (2) determine which security measures listed below are
14 appropriate and implement such security measures:
15 (A) place access controls on information systems,
16 including controls to authenticate and permit access
17 only to authorized individuals to protect against the
18 unauthorized acquisition of nonpublic information;
19 (B) identify and manage the data, personnel,
20 devices, systems, and facilities that enable the
21 organization to achieve business purposes in
22 accordance with their relative importance to business
23 objectives and the organization's risk strategy;
24 (C) restrict access at physical locations
25 containing nonpublic information only to authorized
26 individuals;

HB5397- 9 -LRB101 16602 BMS 65986 b
1 (D) protect by encryption or other appropriate
2 means all nonpublic information while it is
3 transmitted over an external network and all nonpublic
4 information stored on a laptop computer or other
5 portable computing or storage device or media;
6 (E) adopt secure development practices for
7 in-house developed applications utilized by the
8 licensee and procedures for evaluating, assessing, or
9 testing the security of externally developed
10 applications utilized by the licensee;
11 (F) modify the information system in accordance
12 with the licensee's information security program;
13 (G) utilize effective controls, which may include
14 multi-factor authentication procedures for any
15 individual accessing nonpublic information;
16 (H) regularly test and monitor systems and
17 procedures to detect actual and attempted attacks on,
18 or intrusions into, information systems;
19 (I) include audit trails within the information
20 security program designed to detect and respond to
21 cybersecurity events and designed to reconstruct
22 material financial transactions sufficient to support
23 normal operations and obligations of the licensee;
24 (J) implement measures to protect against
25 destruction, loss, or damage of nonpublic information
26 due to environmental hazards, such as fire and water

HB5397- 10 -LRB101 16602 BMS 65986 b
1 damage or other catastrophes or technological
2 failures; and
3 (K) develop, implement, and maintain procedures
4 for the secure disposal of nonpublic information in any
5 format.
6 (3) include cybersecurity risks in the licensee's
7 enterprise risk management process;
8 (4) stay informed regarding emerging threats or
9 vulnerabilities and utilize reasonable security measures
10 when sharing information relative to the character of the
11 sharing and the type of information shared; and
12 (5) provide its personnel with cybersecurity awareness
13 training that is updated as necessary to reflect risks
14 identified by the licensee in the risk assessment.
15 (e) If the licensee has a board of directors, the board or
16an appropriate committee of the board shall, at a minimum:
17 (1) require the licensee's executive management or its
18 delegates to develop, implement, and maintain the
19 licensee's information security program; and
20 (2) require the licensee's executive management or its
21 delegates to report in writing, at least annually, the
22 following information:
23 (A) the overall status of the information security
24 program and the licensee's compliance with this Act;
25 and
26 (B) material matters related to the information

HB5397- 11 -LRB101 16602 BMS 65986 b
1 security program, addressing issues such as risk
2 assessment, risk management and control decisions,
3 third-party service provider arrangements, results of
4 testing, cybersecurity events or violations and
5 management's responses thereto, and recommendations
6 for changes in the information security program.
7 If executive management delegates any of its
8responsibilities under this Section, it shall oversee the
9development, implementation, and maintenance of the licensee's
10information security program prepared by the delegates and
11shall receive a report from the delegates complying with the
12requirements of the report to the board of directors as
13provided in paragraph (2) of this subsection (e).
14 (f) A licensee shall exercise due diligence in selecting
15its third-party service provider and, no later than 2 years
16after the effective date of this Act, shall require a
17third-party service provider to implement appropriate
18administrative, technical, and physical measures to protect
19and secure the information systems and nonpublic information
20that are accessible to, or held by, the third-party service
21provider.
22 (g) The licensee shall monitor, evaluate, and adjust, as
23appropriate, the information security program consistent with
24any relevant changes in technology, the sensitivity of its
25nonpublic information, internal or external threats to
26information, and the licensee's own changing business

HB5397- 12 -LRB101 16602 BMS 65986 b
1arrangements, such as mergers and acquisitions, alliances and
2joint ventures, outsourcing arrangements, and changes to
3information systems.
4 (h) As part of its information security program, each
5licensee shall establish a written incident response plan
6designed to promptly respond to and recover from any
7cybersecurity event that compromises the confidentiality,
8integrity, or availability of nonpublic information in its
9possession, the licensee's information systems, or the
10continuing functionality of any aspect of the licensee's
11business or operations.
12 Such incident response plan shall address the following
13areas:
14 (1) the internal process for responding to a
15 cybersecurity event;
16 (2) the goals of the incident response plan;
17 (3) the definition of clear roles, responsibilities,
18 and levels of decision-making authority;
19 (4) external and internal communications and
20 information sharing;
21 (5) identification of requirements for the remediation
22 of any identified weaknesses in information systems and
23 associated controls;
24 (6) documentation and reporting regarding
25 cybersecurity events and related incident response
26 activities; and

HB5397- 13 -LRB101 16602 BMS 65986 b
1 (7) the evaluation and revision as necessary of the
2 incident response plan following a cybersecurity event.
3 (i) Annually by February 15, each insurer domiciled in this
4State shall submit to the Director a written statement
5certifying that the insurer is in compliance with the
6requirements set forth in this Section. Each insurer shall
7maintain for examination by the Department all records,
8schedules, and data supporting this certificate for a period of
95 years. To the extent an insurer has identified areas,
10systems, or processes that require material improvement,
11updating, or redesign, the insurer shall document the
12identification and the remedial efforts planned and underway to
13address such areas, systems, or processes. Such documentation
14must be available for inspection by the Director.
15 Section 20. Investigation of a cybersecurity event.
16 (a) If the licensee learns that a cybersecurity event has
17or may have occurred, the licensee, or an outside vendor or
18service provider designated to act on behalf of the licensee,
19shall conduct a prompt investigation.
20 (b) During the investigation, the licensee, or an outside
21vendor or service provider designated to act on behalf of the
22licensee, shall perform or oversee reasonable measures to
23restore the security of the information systems compromised in
24the cybersecurity event in order to prevent further
25unauthorized acquisition, release, or use of nonpublic

HB5397- 14 -LRB101 16602 BMS 65986 b
1information in the licensee's possession, custody, or control,
2and shall, at a minimum, determine as much of the following
3information as possible:
4 (1) whether a cybersecurity event has occurred;
5 (2) the nature and scope of the cybersecurity event;
6 and
7 (3) any nonpublic information that may have been
8 involved in the cybersecurity event.
9 (c) If the licensee learns that a cybersecurity event has
10or may have occurred in a system maintained by a third-party
11service provider, the licensee shall complete the steps listed
12in subsection (b) or confirm and document that the third-party
13service provider has completed those steps.
14 (d) The licensee shall maintain records concerning all
15cybersecurity events for a period of at least 5 years after the
16date of the cybersecurity event and shall produce those records
17upon demand of the Director.
18 Section 25. Notification of a cybersecurity event.
19 (a) Each licensee shall notify the Director as promptly as
20possible, but in no event later than 72 hours from a
21determination that a cybersecurity event has occurred, when
22either of the following criteria has been met:
23 (1) this State is the licensee's state of domicile or
24 home state; or
25 (2) the licensee reasonably believes that the

HB5397- 15 -LRB101 16602 BMS 65986 b
1 nonpublic information involved is of 250 or more consumers
2 residing in this State and that the cybersecurity event is
3 either of the following:
4 (A) a cybersecurity event impacting the licensee
5 of which notice is required to be provided to any
6 government body, self-regulatory agency, or any other
7 supervisory body pursuant to any state or federal law;
8 or
9 (B) a cybersecurity event that has a reasonable
10 likelihood of materially harming: (i) any consumer
11 residing in this State; or (ii) any material part of
12 the normal operations of the licensee.
13 (b) The licensee shall provide as much of the following
14information as possible in electronic form as directed by the
15Director:
16 (1) the date of the cybersecurity event;
17 (2) a description of how the information was exposed,
18 lost, stolen, or breached, including the specific roles and
19 responsibilities of third-party service providers, if any;
20 (3) how the cybersecurity event was discovered;
21 (4) whether any lost, stolen, or breached information
22 has been recovered and, if so, how it was recovered;
23 (5) the identity of the source of the cybersecurity
24 event;
25 (6) whether the licensee has filed a police report or
26 has notified any regulatory, government, or law

HB5397- 16 -LRB101 16602 BMS 65986 b
1 enforcement agencies and, if so, when such notification was
2 provided;
3 (7) a description of the specific types of information
4 acquired without authorization; in this paragraph,
5 "specific types of information" means particular data
6 elements, including types of medical information, types of
7 financial information, or types of information allowing
8 identification of the consumer;
9 (8) the period during which the information system was
10 compromised by the cybersecurity event;
11 (9) the number of total consumers in this State
12 affected by the cybersecurity event; the licensee shall
13 provide the best estimate in the initial report to the
14 Director and shall update this estimate with each
15 subsequent report to the Director;
16 (10) the results of any internal review identifying a
17 lapse in either automated controls or internal procedures
18 or confirming that all automated controls or internal
19 procedures were followed;
20 (11) a description of events being undertaken to
21 remediate the situation that permitted the cybersecurity
22 event to occur;
23 (12) a copy of the licensee's privacy policy and a
24 statement outlining the steps the licensee will take to
25 investigate and notify consumers affected by the
26 cybersecurity event; and

HB5397- 17 -LRB101 16602 BMS 65986 b
1 (13) the name of a contact person who is both familiar
2 with the cybersecurity event and authorized to act for the
3 licensee.
4 The licensee has a continuing obligation to update and
5supplement initial and subsequent notifications to the
6Director concerning the cybersecurity event.
7 (c) The licensee shall comply with the Personal Information
8Protection Act, as applicable, and provide a copy of the notice
9sent to consumers under that statute to the Director when a
10licensee is required to notify the Director under subsection
11(a).
12 (d) If the licensee has become aware of a cybersecurity
13event in a system maintained by a third-party service provider,
14the licensee shall treat the event as it would under subsection
15(a).
16 The computation of licensee's deadlines shall begin on the
17day after the third-party service provider notifies the
18licensee of the cybersecurity event or the licensee otherwise
19has actual knowledge of the cybersecurity event, whichever is
20sooner.
21 Nothing in this Act shall prevent or abrogate an agreement
22between a licensee and another licensee, a third-party service
23provider, or any other party to fulfill any of the
24investigation requirements imposed under Section 20 or notice
25requirements imposed under this Section.
26 (e)(1) In the case of a cybersecurity event involving

HB5397- 18 -LRB101 16602 BMS 65986 b
1nonpublic information that is used by the licensee that is
2acting as an assuming insurer or in the possession, custody, or
3control of a licensee that is acting as an assumed insurer and
4that does not have a direct contractual relationship with the
5affected consumers, the assuming insurer shall notify its
6affected ceding insurers and the Director of its state of
7domicile within 72 hours of making the determination that a
8cybersecurity event has occurred.
9 The ceding insurers that have a direct contractual
10relationship with the affected consumers shall fulfill the
11consumer notification requirements imposed under the Personal
12Information Protection Act and any other notification
13requirements relating to a cybersecurity event under this
14Section.
15 (2) In the case of a cybersecurity event involving
16nonpublic information that is in the possession, custody, or
17control of a third-party service provider of a licensee that is
18an assuming insurer, the assuming insurer shall notify its
19affected ceding insurers and the Director of its state of
20domicile within 72 hours of receiving notice from its
21third-party service provider that a cybersecurity event has
22occurred.
23 The ceding insurers that have a direct contractual
24relationship with affected consumers shall fulfill the
25consumer notification requirements imposed under the Personal
26Information Protection Act and any other notification

HB5397- 19 -LRB101 16602 BMS 65986 b
1requirements relating to a cybersecurity event imposed under
2this Section.
3 (f) In the case of a cybersecurity event involving
4nonpublic information that is in the possession, custody, or
5control of a licensee that is an insurer or its third-party
6service provider and for which a consumer accessed the
7insurer's services through an independent insurance producer,
8the insurer shall notify the producers of record of all
9affected consumers as soon as practicable as directed by the
10Director.
11 The insurer is excused from this obligation for those
12instances in which it does not have the current producer of
13record information for any individual consumer.
14 Section 30. Power of the Director.
15 (a) The Director has power to examine and investigation
16into the affairs of any licensee to determine whether the
17licensee has been or is engaged in any conduct in violation of
18this Act. This power is in addition to the powers the Director
19has under the Illinois Insurance Code. Any such investigation
20or examination shall be conducted pursuant to the requirements
21of the Illinois Insurance Code.
22 (b) Whenever the Director has reason to believe that a
23licensee has been or is engaged in conduct in this State that
24violates this Act, the Director may take action that is
25necessary or appropriate to enforce the provisions of this Act.

HB5397- 20 -LRB101 16602 BMS 65986 b
1 Section 35. Confidentiality.
2 (a) Any documents, materials, or other information in the
3control or possession of the Department that is furnished by
4the licensee or an employee or agent thereof acting on behalf
5of the licensee in accordance with subsection (i) of Section 15
6or paragraph (2), (3), (4), (5), (8), (10), or (11) of
7subsection (b) of Section 25 or that are obtained by, created
8by, or disclosed to the Director in an investigation or
9examination under Section 30 is confidential by law and
10privileged, is not subject to the Freedom of Information Act,
11is not subject to subpoena, and is not subject to discovery or
12admissible in evidence in any private civil action. However,
13the Director may use the documents, materials, or other
14information in the furtherance of any regulatory or legal
15action brought as a part of the Director's duties. The Director
16shall not otherwise make the documents, materials, or other
17information public without the prior written consent of the
18licensee.
19 (b) Neither the Director nor any person who received
20documents, materials, or other information while acting under
21the authority of the Director shall be permitted or required to
22testify in any private civil action concerning any confidential
23documents, materials, or information subject to subsection
24(a).
25 (c) In order to assist in the performance of the Director's

HB5397- 21 -LRB101 16602 BMS 65986 b
1duties under this Act, the Director:
2 (1) may share documents, materials, or other
3 information, including the confidential and privileged
4 documents, materials, or information subject to subsection
5 (a), with other state, federal, and international
6 regulatory agencies, with the National Association of
7 Insurance Commissioners, its affiliates or subsidiaries,
8 and with state, federal, and international law enforcement
9 authorities, provided that the recipient agrees in writing
10 to maintain the confidentiality and privileged status of
11 the document, material, or other information;
12 (2) may receive documents, materials, or information,
13 including otherwise confidential and privileged documents,
14 materials, or information, from the National Association
15 of Insurance Commissioners, its affiliates or
16 subsidiaries, and from regulatory and law enforcement
17 officials of other foreign or domestic jurisdictions, and
18 shall maintain as confidential and privileged any
19 document, material, or information received with notice or
20 the understanding that it is confidential or privileged
21 under the laws of the jurisdiction that is the source of
22 the document, material, or information;
23 (3) may share documents, materials, or other
24 information subject to subsection (a) with a third-party
25 consultant or vendor, if the consultant agrees in writing
26 to maintain the confidentiality and privileged status of

HB5397- 22 -LRB101 16602 BMS 65986 b
1 the document, material, or other information; and
2 (4) may enter into agreements governing sharing and use
3 of information consistent with this subsection.
4 (d) No waiver of any applicable privilege or claim of
5confidentiality in the documents, materials, or information
6shall occur as a result of disclosure to the Director under
7this Section or as a result of sharing as authorized in
8subsection (c).
9 (e) Nothing in this Act shall prohibit the Director from
10releasing final, adjudicated actions that are open to public
11inspection pursuant to the Illinois Insurance Code to a
12database or other clearinghouse service maintained by the
13National Association of Insurance Commissioners, its
14affiliates, or its subsidiaries.
15 Section 40. Exceptions.
16 (a) The following exceptions shall apply to this Act:
17 (1) A licensee with fewer than 10 employees, including
18 any independent contractors, is exempt from Section 15 of
19 this Act.
20 (2) A licensee subject to the federal Health Insurance
21 Portability and Accountability Act that has established
22 and maintains an information security program pursuant to
23 such statutes, rules, regulations, procedures, or
24 guidelines established thereunder will be considered to
25 meet the requirements of Section 15, provided that licensee

HB5397- 23 -LRB101 16602 BMS 65986 b
1 is compliant with, and submits a written statement
2 certifying its compliance with, the same.
3 (3) An employee, agent, representative, or designee of
4 a licensee, who is also a licensee, is exempt from Section
5 15 and need not develop its own information security
6 program to the extent that the employee, agent,
7 representative, or designee is covered by the information
8 security program of the other licensee.
9 (b) If a licensee ceases to qualify for an exception, such
10licensee has 180 days to comply with this Act.
11 Section 45. Penalties. In the case of a violation of this
12Act, a licensee may be penalized in accordance with the
13provisions of the Illinois Insurance Code.
14 Section 50. Rules. The Department may, in accordance with
15the Illinois Administrative Procedure Act, adopt rules to
16implement the provisions of this Act.
17 Section 55. Severability. If any provision of this Act or
18its application to any person or circumstance is for any reason
19held to be invalid, the remainder of this Act and the
20application of such provision to other persons or circumstances
21shall not be affected.
22 Section 900. The Freedom of Information Act is amended by

HB5397- 24 -LRB101 16602 BMS 65986 b
1changing Section 7.5 as follows:
2 (5 ILCS 140/7.5)
3 Sec. 7.5. Statutory exemptions. To the extent provided for
4by the statutes referenced below, the following shall be exempt
5from inspection and copying:
6 (a) All information determined to be confidential
7 under Section 4002 of the Technology Advancement and
8 Development Act.
9 (b) Library circulation and order records identifying
10 library users with specific materials under the Library
11 Records Confidentiality Act.
12 (c) Applications, related documents, and medical
13 records received by the Experimental Organ Transplantation
14 Procedures Board and any and all documents or other records
15 prepared by the Experimental Organ Transplantation
16 Procedures Board or its staff relating to applications it
17 has received.
18 (d) Information and records held by the Department of
19 Public Health and its authorized representatives relating
20 to known or suspected cases of sexually transmissible
21 disease or any information the disclosure of which is
22 restricted under the Illinois Sexually Transmissible
23 Disease Control Act.
24 (e) Information the disclosure of which is exempted
25 under Section 30 of the Radon Industry Licensing Act.

HB5397- 25 -LRB101 16602 BMS 65986 b
1 (f) Firm performance evaluations under Section 55 of
2 the Architectural, Engineering, and Land Surveying
3 Qualifications Based Selection Act.
4 (g) Information the disclosure of which is restricted
5 and exempted under Section 50 of the Illinois Prepaid
6 Tuition Act.
7 (h) Information the disclosure of which is exempted
8 under the State Officials and Employees Ethics Act, and
9 records of any lawfully created State or local inspector
10 general's office that would be exempt if created or
11 obtained by an Executive Inspector General's office under
12 that Act.
13 (i) Information contained in a local emergency energy
14 plan submitted to a municipality in accordance with a local
15 emergency energy plan ordinance that is adopted under
16 Section 11-21.5-5 of the Illinois Municipal Code.
17 (j) Information and data concerning the distribution
18 of surcharge moneys collected and remitted by carriers
19 under the Emergency Telephone System Act.
20 (k) Law enforcement officer identification information
21 or driver identification information compiled by a law
22 enforcement agency or the Department of Transportation
23 under Section 11-212 of the Illinois Vehicle Code.
24 (l) Records and information provided to a residential
25 health care facility resident sexual assault and death
26 review team or the Executive Council under the Abuse

HB5397- 26 -LRB101 16602 BMS 65986 b
1 Prevention Review Team Act.
2 (m) Information provided to the predatory lending
3 database created pursuant to Article 3 of the Residential
4 Real Property Disclosure Act, except to the extent
5 authorized under that Article.
6 (n) Defense budgets and petitions for certification of
7 compensation and expenses for court appointed trial
8 counsel as provided under Sections 10 and 15 of the Capital
9 Crimes Litigation Act. This subsection (n) shall apply
10 until the conclusion of the trial of the case, even if the
11 prosecution chooses not to pursue the death penalty prior
12 to trial or sentencing.
13 (o) Information that is prohibited from being
14 disclosed under Section 4 of the Illinois Health and
15 Hazardous Substances Registry Act.
16 (p) Security portions of system safety program plans,
17 investigation reports, surveys, schedules, lists, data, or
18 information compiled, collected, or prepared by or for the
19 Regional Transportation Authority under Section 2.11 of
20 the Regional Transportation Authority Act or the St. Clair
21 County Transit District under the Bi-State Transit Safety
22 Act.
23 (q) Information prohibited from being disclosed by the
24 Personnel Record Review Act.
25 (r) Information prohibited from being disclosed by the
26 Illinois School Student Records Act.

HB5397- 27 -LRB101 16602 BMS 65986 b
1 (s) Information the disclosure of which is restricted
2 under Section 5-108 of the Public Utilities Act.
3 (t) All identified or deidentified health information
4 in the form of health data or medical records contained in,
5 stored in, submitted to, transferred by, or released from
6 the Illinois Health Information Exchange, and identified
7 or deidentified health information in the form of health
8 data and medical records of the Illinois Health Information
9 Exchange in the possession of the Illinois Health
10 Information Exchange Authority due to its administration
11 of the Illinois Health Information Exchange. The terms
12 "identified" and "deidentified" shall be given the same
13 meaning as in the Health Insurance Portability and
14 Accountability Act of 1996, Public Law 104-191, or any
15 subsequent amendments thereto, and any regulations
16 promulgated thereunder.
17 (u) Records and information provided to an independent
18 team of experts under the Developmental Disability and
19 Mental Health Safety Act (also known as Brian's Law).
20 (v) Names and information of people who have applied
21 for or received Firearm Owner's Identification Cards under
22 the Firearm Owners Identification Card Act or applied for
23 or received a concealed carry license under the Firearm
24 Concealed Carry Act, unless otherwise authorized by the
25 Firearm Concealed Carry Act; and databases under the
26 Firearm Concealed Carry Act, records of the Concealed Carry

HB5397- 28 -LRB101 16602 BMS 65986 b
1 Licensing Review Board under the Firearm Concealed Carry
2 Act, and law enforcement agency objections under the
3 Firearm Concealed Carry Act.
4 (w) Personally identifiable information which is
5 exempted from disclosure under subsection (g) of Section
6 19.1 of the Toll Highway Act.
7 (x) Information which is exempted from disclosure
8 under Section 5-1014.3 of the Counties Code or Section
9 8-11-21 of the Illinois Municipal Code.
10 (y) Confidential information under the Adult
11 Protective Services Act and its predecessor enabling
12 statute, the Elder Abuse and Neglect Act, including
13 information about the identity and administrative finding
14 against any caregiver of a verified and substantiated
15 decision of abuse, neglect, or financial exploitation of an
16 eligible adult maintained in the Registry established
17 under Section 7.5 of the Adult Protective Services Act.
18 (z) Records and information provided to a fatality
19 review team or the Illinois Fatality Review Team Advisory
20 Council under Section 15 of the Adult Protective Services
21 Act.
22 (aa) Information which is exempted from disclosure
23 under Section 2.37 of the Wildlife Code.
24 (bb) Information which is or was prohibited from
25 disclosure by the Juvenile Court Act of 1987.
26 (cc) Recordings made under the Law Enforcement

HB5397- 29 -LRB101 16602 BMS 65986 b
1 Officer-Worn Body Camera Act, except to the extent
2 authorized under that Act.
3 (dd) Information that is prohibited from being
4 disclosed under Section 45 of the Condominium and Common
5 Interest Community Ombudsperson Act.
6 (ee) Information that is exempted from disclosure
7 under Section 30.1 of the Pharmacy Practice Act.
8 (ff) Information that is exempted from disclosure
9 under the Revised Uniform Unclaimed Property Act.
10 (gg) Information that is prohibited from being
11 disclosed under Section 7-603.5 of the Illinois Vehicle
12 Code.
13 (hh) Records that are exempt from disclosure under
14 Section 1A-16.7 of the Election Code.
15 (ii) Information which is exempted from disclosure
16 under Section 2505-800 of the Department of Revenue Law of
17 the Civil Administrative Code of Illinois.
18 (jj) Information and reports that are required to be
19 submitted to the Department of Labor by registering day and
20 temporary labor service agencies but are exempt from
21 disclosure under subsection (a-1) of Section 45 of the Day
22 and Temporary Labor Services Act.
23 (kk) Information prohibited from disclosure under the
24 Seizure and Forfeiture Reporting Act.
25 (ll) Information the disclosure of which is restricted
26 and exempted under Section 5-30.8 of the Illinois Public

HB5397- 30 -LRB101 16602 BMS 65986 b
1 Aid Code.
2 (mm) Records that are exempt from disclosure under
3 Section 4.2 of the Crime Victims Compensation Act.
4 (nn) Information that is exempt from disclosure under
5 Section 70 of the Higher Education Student Assistance Act.
6 (oo) Communications, notes, records, and reports
7 arising out of a peer support counseling session prohibited
8 from disclosure under the First Responders Suicide
9 Prevention Act.
10 (pp) Names and all identifying information relating to
11 an employee of an emergency services provider or law
12 enforcement agency under the First Responders Suicide
13 Prevention Act.
14 (qq) Information and records held by the Department of
15 Public Health and its authorized representatives collected
16 under the Reproductive Health Act.
17 (rr) Information that is exempt from disclosure under
18 the Cannabis Regulation and Tax Act.
19 (ss) Data reported by an employer to the Department of
20 Human Rights pursuant to Section 2-108 of the Illinois
21 Human Rights Act.
22 (tt) Recordings made under the Children's Advocacy
23 Center Act, except to the extent authorized under that Act.
24 (uu) Information that is exempt from disclosure under
25 Section 50 of the Sexual Assault Evidence Submission Act.
26 (vv) Information that is exempt from disclosure under

HB5397- 31 -LRB101 16602 BMS 65986 b
1 subsections (f) and (j) of Section 5-36 of the Illinois
2 Public Aid Code.
3 (ww) Information that is exempt from disclosure under
4 Section 16.8 of the State Treasurer Act.
5 (xx) Information that is exempt from disclosure or
6 information that shall not be made public under the
7 Illinois Insurance Code.
8 (yy) (oo) Information prohibited from being disclosed
9 under the Illinois Educational Labor Relations Act.
10 (zz) (pp) Information prohibited from being disclosed
11 under the Illinois Public Labor Relations Act.
12 (aaa) (qq) Information prohibited from being disclosed
13 under Section 1-167 of the Illinois Pension Code.
14 (bbb) Information that is exempt from disclosure under
15 Section 35 of the Insurance Data Security Act.
16(Source: P.A. 100-20, eff. 7-1-17; 100-22, eff. 1-1-18;
17100-201, eff. 8-18-17; 100-373, eff. 1-1-18; 100-464, eff.
188-28-17; 100-465, eff. 8-31-17; 100-512, eff. 7-1-18; 100-517,
19eff. 6-1-18; 100-646, eff. 7-27-18; 100-690, eff. 1-1-19;
20100-863, eff. 8-14-18; 100-887, eff. 8-14-18; 101-13, eff.
216-12-19; 101-27, eff. 6-25-19; 101-81, eff. 7-12-19; 101-221,
22eff. 1-1-20; 101-236, eff. 1-1-20; 101-375, eff. 8-16-19;
23101-377, eff. 8-16-19; 101-452, eff. 1-1-20; 101-466, eff.
241-1-20; 101-600, eff. 12-6-19; 101-620, eff 12-20-19; revised
251-6-20.)
26 Section 999. Effective date. This Act takes effect on

HB5397- 32 -LRB101 16602 BMS 65986 b
1January 1, 2021.
feedback