On August 22, Illinois Governor Pat Quinn (D) signed H.B. 3025 into law as Public Act 97-0483, amending Illinois’ data security law to specify the types of data that must be provided to those receiving notices of breaches and the requirements of service providers that maintain or store, but don’t own or license, personal data about Illinois residents. It also requires appropriate methods of data disposal. This new law takes effect January 1, 2012.
Disclosure notifications now must "include, but need not be limited to, (i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The notification shall not, however, include information concerning the number of Illinois residents affected by the breach."
Illinois law now also encompasses not only data collectors that maintain covered computerized data but also those that store but do not own or license it. In addition to notifying the data owner or licensee of a breach, "the data collector shall cooperate with the owner or licensee in matters relating to the breach. That cooperation shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach. The data collector's cooperation shall not, however, be deemed to require either the disclosure of confidential business information or trade secrets or the notification of an Illinois resident who may have been affected by the breach."
The new Act also adds a data disposal standard, requiring that, "A person must dispose of the materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable. Proper disposal methods include, but are not limited to, the following: (1) Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed. (2) Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed."
Third parties may be contracted to take care of the data disposal, but such entities "must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information."
Violations of the data disposal provisions are subject to civil penalties "of not more than $100 for each individual with respect to whom personal information is disposed of in violation of this Section. A civil penalty may not, however, exceed $50,000 for each instance of improper disposal of materials containing personal information. The Attorney General may impose a civil penalty after notice to the person accused of violating this Section and an opportunity for that person to be heard in the matter. The Attorney General may file a civil action in the circuit court to recover any penalty imposed under this Section." The Attorney General may also "bring an action in the circuit court to remedy a violation of this Section, seeking any appropriate relief."
Financial institutions subject to the Gramm-Leach-Bliley Act (GLB) or the Fair Credit Reporting Act (FCRA) are exempt from these data disposal provisions.
This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.