A small, but hopeful sign in state breach legislation
A bill [link to http://www.ilga.gov/legislation/fulltext.asp?DocName=&SessionId=50&GA=94&DocTypeId=HB&DocNum=4449&GAID=8&LegID=22685&SpecSess=&Session= no longer works] sits on Illinois governor Rod Blagojevich’s desk. If he signs it, Illinois will take a step toward meaningful central reporting of breach notifications:
(815 ILCS 530/25 new) Sec. 25. Annual reporting. Any State agency that collects personal data and has had a breach of security of the system data or written material shall submit a report within 5 business days of the discovery or notification of the breach to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material. Any State agency that has submitted a report under this Section shall submit an annual report listing all breaches of security of the system data or written materials and the corrective measures that have been taken to prevent future breaches.
(emphasis added)
Unfortunately, this requirement only affects state agencies. After the VA fiasco, it would seem imprudent for the Governor not to sign this.
I am not a lawyer, but I’m optimistically thinking that such reports are not exempt from disclosure under Illinois’ Freedom of Information Act [link to http://www.illinoisattorneygeneral.gov//government/foia_illinois.html no longer works].
Cool! Does the bill also require general notice, like the others?
Yes. This bill amends the existing “Personal Information Protection Act” (http://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=094-0036)