[ Back ] [ Bottom ]
92_HB0522ham001
LRB9204515LDcsam01
1 AMENDMENT TO HOUSE BILL 522
2 AMENDMENT NO. . Amend House Bill 522 by replacing
3 everything after the enacting clause with the following:
4 "Section 1. Short title. This Act may be cited as the
5 Disclosure of Personal Information Act.
6 Section 5. Definitions. For the purpose of this Act:
7 "Insurance company" means an insurance or surety company
8 and includes a corporation, company, partnership,
9 association, society, order, individual, or aggregation of
10 individuals engaging in or proposing or attempting to engage
11 in any kind of insurance or surety business, including the
12 exchanging of reciprocal or inter-insurance contracts between
13 individuals, partnerships, and corporations.
14 "Financial institution" means any bank subject to the
15 Illinois Banking Act, including a branch of an out-of-state
16 bank as defined in Section 2 of the Illinois Banking Act, any
17 savings bank subject to the Savings Bank Act, any savings and
18 loan association subject to the Illinois Savings and Loan Act
19 of 1985, any credit union subject to the Illinois Credit
20 Union Act, and any federal chartered commercial bank, savings
21 bank, or savings and loan association organized and operated
22 in this State under the laws of the United States.
-2- LRB9204515LDcsam01
1 "OBRE" means the Office of Banks and Real Estate.
2 "Personal information" means personally identifiable
3 information provided by a consumer (i) to a financial
4 institution in connection with any transaction with a
5 consumer involving any financial product or any financial
6 service or otherwise obtained by the financial institution or
7 (ii) to an insurance company in connection with any
8 transaction with a consumer involving any insurance product
9 or insurance service otherwise obtained by the insurance
10 company.
11 "Unrelated use", when used with respect to information
12 collected by a financial institution or insurance company in
13 connection with any transaction with a consumer in any
14 financial product or any financial service or insurance
15 product or insurance service, means any use other than a use
16 that is necessary to effect, administer, or enforce such
17 transaction.
18 "Affiliate" means any company that controls, is
19 controlled by, or is under common control with another
20 company.
21 "Nonaffiliated third party" means any entity that is not
22 an affiliate of, related by common ownership to, or
23 affiliated by corporate control with a financial institution
24 or insurance company, but does not include a joint employee
25 of such institution or company.
26 "Consumer" means an individual who obtains (i) from a
27 financial institution any financial products or services or
28 (ii) from an insurance company any insurance products or
29 services that are to be used primarily for personal, family,
30 or household purposes and also includes the legal
31 representative of such an individual.
32 Section 10. Obligations with respect to personal
33 information.
-3- LRB9204515LDcsam01
1 (a) Except as otherwise provided in this Act, a
2 financial institution or insurance company may not, directly
3 or through any affiliate, disclose or make an unrelated use
4 of any personal information collected by the financial
5 institution or insurance company in connection with any
6 transaction with a consumer in any financial product or any
7 financial service or insurance product or insurance service.
8 (b) (1) A financial institution or insurance company
9 may not make available any personal information to any
10 affiliate or other person that is not an employee or agent of
11 the institution or company, unless the consumer to whom the
12 information pertains:
13 (A) has affirmatively consented to the
14 transfer of such information; and
15 (B) has not withdrawn the consent.
16 (2) A financial institution shall not deny any
17 consumer a financial product or a financial service for
18 the refusal by the consumer to grant the consent required
19 by paragraph (1) of this subsection (b). An insurance
20 company shall not deny any consumer an insurance product
21 or an insurance service for the refusal by the consumer
22 to grant the consent required under paragraph (1) of this
23 subsection (b).
24 (c) Each financial institution or insurance company that
25 maintains a system of records for personal information shall:
26 (1) upon request by any individual to gain access
27 to his or her record or to any information pertaining to
28 him or her that is contained in the system, permit him or
29 her and, upon his or her request, a person of his or her
30 own choosing to accompany him or her, to review the
31 record and have a copy made of all or any portion thereof
32 in a form comprehensible to him or her, except that the
33 financial institution or insurance company may require
34 the individual to furnish a written statement authorizing
-4- LRB9204515LDcsam01
1 discussion of that individual's record in the
2 accompanying person's presence;
3 (2) permit the individual to request amendment of a
4 record pertaining to him or her and:
5 (A) not later than 10 days (excluding
6 Saturdays, Sundays, and legal public holidays) after
7 the date of receipt of such request, acknowledge in
8 writing receipt of the request; and
9 (B) promptly, either (i) make any correction
10 of any portion thereof that the individual believes
11 is not accurate, relevant, timely, or complete; or
12 (ii) inform the individual of its refusal to amend
13 the record in accordance with his or her request,
14 the reason for the refusal, the procedures
15 established by the financial institution for the
16 individual to request a review of that refusal by
17 the head of the financial institution or an officer
18 designated by the head of the financial institution,
19 and the name and business address of that officer;
20 (3) permit an individual who disagrees with the
21 refusal of the financial institution or insurance company
22 to amend his or her record to request a review of such
23 refusal and, not later than 30 days (excluding Saturdays,
24 Sundays, and legal public holidays) from the date on
25 which the individual requests such review, complete such
26 review and make a final determination unless, for good
27 cause shown, the head of the financial institution or
28 insurance company extends such 30-day period; and if,
29 after his or her review, the reviewing officer also
30 refuses to amend the record in accordance with the
31 request, permit the individual to file with the financial
32 institution or insurance company a concise statement
33 setting forth the reasons for his or her disagreement
34 with the refusal of the financial institution or
-5- LRB9204515LDcsam01
1 insurance company and notify the individual of the
2 provisions for judicial review of the reviewing officer's
3 determination under subsection (d) of Section 20; and
4 (4) in any disclosure containing information about
5 which the individual has filed a statement of
6 disagreement occurring after the filing of the statement
7 under paragraph (3) of this subsection, clearly note any
8 portion of the record that is disputed and provide copies
9 of the statement and, if the financial institution or
10 insurance company deems it appropriate, copies of a
11 concise statement of the reasons of the financial
12 institution or insurance company for not making the
13 amendments requested, to persons or other agencies to
14 whom the disputed record has been disclosed. Nothing in
15 this subsection (c) shall allow an individual access to
16 any information compiled in reasonable anticipation of a
17 civil action or proceeding.
18 (d) A financial institution or insurance company shall
19 not disclose any personal information to any affiliate or any
20 nonaffiliated third party for use in telemarketing, direct
21 mail marketing, or other marketing through electronic mail or
22 other electronic means to the consumer.
23 (e) Except as otherwise provided in this Act, an
24 affiliate or a nonaffiliated third party that receives from a
25 financial institution or insurance company personal
26 information under this Section 10 shall not, directly or
27 through an affiliate of such receiving third party, disclose
28 such information to any other person that is an affiliate or
29 a nonaffiliated third party of both the financial institution
30 or insurance company and such receiving third party, unless
31 such disclosure would be lawful if made directly to such
32 other person by the financial institution or insurance
33 company.
34 (f) Subsections (a) and (b) of this Section 10 shall not
-6- LRB9204515LDcsam01
1 prohibit the disclosure of personal information:
2 (1) as necessary to effect, administer, or enforce
3 a transaction requested or authorized by the consumer, or
4 in connection with;
5 (A) servicing or processing a financial or
6 insurance product or service requested or authorized
7 by a consumer;
8 (B) maintaining or servicing a consumer's
9 account with the financial institution or insurance
10 company; or
11 (C) a proposed or actual securitization,
12 secondary market sale (including sales of servicing
13 rights), or similar transaction related to a
14 transaction of a consumer;
15 (2) with the consent or at the direction of the
16 consumer;
17 (3) to protect the confidentiality or security of
18 the financial institution's or insurance company's
19 records pertaining to the consumer, the service or
20 product, or the transaction therein;
21 (4) to protect against or prevent actual or
22 potential fraud, unauthorized transactions, claims, or
23 other liability;
24 (5) for required institutional risk control or for
25 resolving consumer disputes or inquiries;
26 (6) to persons holding a legal or beneficial
27 interest relating to the consumer;
28 (7) to persons acting in a fiduciary or
29 representative capacity on behalf of the consumer;
30 (8) to provide information to insurance rate
31 advisory organizations, guaranty funds or agencies,
32 applicable rating agencies of the financial institution,
33 and the institution's attorneys, accountants, and
34 auditors;
-7- LRB9204515LDcsam01
1 (9) to the extent specifically permitted or
2 required under other provisions of law and in accordance
3 with the Right to Financial Privacy Act of 1978, to law
4 enforcement agencies (including a federal functional
5 regulator, the Secretary of the Treasury with respect to
6 subchapter II of chapter 53 of title 31, United States
7 Code, and chapter 2 of title I of Public Law 91-508 (12
8 U.S.C. 1951-1959), a State insurance authority, or the
9 Federal Trade Commission), self-regulatory organizations,
10 or for an investigation on a matter related to public
11 safety;
12 (10) to a consumer reporting agency in accordance
13 with the Fair Credit Reporting Act,
14 (11) from a consumer report reported by a consumer
15 reporting agency in accordance with the Fair Credit
16 Reporting Act;
17 (12) in connection with a proposed or actual sale,
18 merger, transfer, or exchange of all or a portion of a
19 business or operating unit if the disclosure of personal
20 information concerns solely consumers of such business or
21 unit; or
22 (13) to comply with federal, State, or local laws,
23 rules, and other applicable legal requirements; to comply
24 with a properly authorized civil, criminal, or regulatory
25 investigation or subpoena or summons by federal, State,
26 or local authorities; or to respond to judicial process
27 or government regulatory authorities having jurisdiction
28 over the financial institution or insurance company for
29 examination, compliance, or other purposes as authorized
30 by law.
31 Section 15. Notice concerning disclosing information.
32 (a) All financial institutions and insurance companies,
33 through the use of a form that complies with subsection (b)
-8- LRB9204515LDcsam01
1 of this Section 15, must clearly and conspicuously disclose
2 to the consumer at the time of establishing a customer
3 relationship with a consumer and not less than annually
4 during the continuation of such relationship:
5 (1) the categories of personal information that are
6 collected by the financial institution or insurance company;
7 (2) the practices and policies of the financial
8 institution or insurance company with respect to disclosing
9 personal information or making unrelated uses of such
10 information, including:
11 (A) the categories of persons to whom the
12 information is or may be disclosed or who may be
13 permitted to make unrelated uses of such information,
14 other than the persons to whom the information must be
15 provided to effect, administer, or enforce a transaction;
16 and
17 (B) the practices and policies of the institution
18 with respect to disclosing or making unrelated uses of
19 personal information of persons who have ceased to be
20 consumers of the financial institution or insurance
21 company;
22 (3) the policies that the financial institution or
23 insurance company maintains to protect the confidentiality
24 and security of personal information;
25 (4) the practices and policies of the institution with
26 respect to providing consumers the opportunity to examine and
27 dispute information pursuant to subsection (c) of Section 10;
28 and
29 (5) the right of the consumer under Section 10 to
30 examine, upon request, the personal information, to dispute
31 the accuracy of any of such information, and to present
32 evidence thereon.
33 (b) Financial institutions and insurance companies must
34 provide consumers with a clear and conspicuous disclosure
-9- LRB9204515LDcsam01
1 that permits them to compare differences in the measures that
2 the financial institution takes and the policies that the
3 financial institution or insurance company has established to
4 protect the consumer's privacy as compared to the measures
5 taken and the policies established by other financial
6 institutions and insurance companies. The disclosure shall
7 specifically identify the rights the financial institution or
8 insurance company affords consumers to grant or deny consent
9 to (i) the disclosing of personal information for any purpose
10 other than as required in order to effect, administer, or
11 enforce the consumer's transaction, or (ii) the making of an
12 unrelated use of such information.
13 Section 20. Enforcement.
14 (a) This Act shall be enforced by OBRE and the Attorney
15 General with respect to banks and other persons subject to
16 their jurisdiction under applicable law and by the Department
17 of Financial Institutions and the Attorney General with
18 respect to financial institutions and other persons subject
19 to their jurisdiction under applicable law. This Act shall
20 be enforced by the Department of Insurance and the Attorney
21 General with respect to insurance companies and other persons
22 subject to their jurisdiction under applicable law.
23 (b) In addition to such other remedies as are provided
24 under State law, if the Department of Financial Institutions,
25 OBRE, the Department of Insurance, or the Attorney General
26 has reason to believe that any person has violated or is
27 violating this Act, the State:
28 (1) may bring an action to enjoin such violation in
29 any court of competent jurisdiction; and
30 (2) may bring an action on behalf of the residents
31 of this State to enforce compliance with this Act, to
32 obtain damages, restitution, or other compensation on
33 behalf of residents of this State, or to obtain such
-10- LRB9204515LDcsam01
1 further and other relief as the court may deem
2 appropriate.
3 (c) For purposes of bringing any action under this
4 Section 20, no provision of this Section shall be construed
5 as preventing the Director of Financial Institutions, the
6 Commissioner of OBRE, the Director of Insurance, or the
7 Attorney General from exercising the powers conferred to them
8 by the laws of this State to conduct investigations or to
9 administer oaths or affirmations or to compel the attendance
10 of witnesses or the production of documentary and other
11 evidence.
12 (d) If a financial institution or insurance company
13 fails to comply with any provision of this Act in such a way
14 as to have an adverse effect on an individual, the individual
15 may bring a civil action against the financial institution or
16 insurance company in any court of competent jurisdiction. In
17 any suit brought pursuant to this subsection (d), the court
18 may order the financial institution or insurance company to
19 take such action as is necessary to remedy violations of this
20 Act, including but not limited to:
21 (1) amending the individual's record in accordance
22 with his or her request or in such other way as the court
23 may direct;
24 (2) enjoining the financial institution or
25 insurance company from withholding the complainant's
26 records and order the production to the complainant of
27 any financial institution or insurance company records
28 improperly withheld from him or her, in which case the
29 court may examine the contents of any financial
30 institution or insurance company records in camera to
31 determine whether the records or any portion thereof may
32 be withheld; and
33 (3) enjoining the financial institution or
34 insurance company from transferring to any affiliate or
-11- LRB9204515LDcsam01
1 nonaffiliated third party financial or insurance
2 information.
3 (e) In any suit brought pursuant to subsection (d) of
4 this Section in which the court determines that the financial
5 institution or insurance company violated this Act, the
6 financial institution or insurance company shall be liable to
7 the individual in an amount equal to the sum of:
8 (1) actual damages sustained by the individual as a
9 result of the refusal or failure, but in no case shall a
10 person entitled to recovery receive less than the sum of
11 $1,000; and
12 (2) reasonable attorney fees and other litigation
13 costs reasonably incurred in any case brought under this
14 Section 20 related to those claims on which the
15 complainant has substantially prevailed.
16 (f) An action to enforce any liability created under
17 this Section may be brought in any court of competent
18 jurisdiction, without regard to the amount in controversy,
19 within 2 years from the date on which the cause of action
20 arises, except that where a financial institution or
21 insurance company has materially and willfully misrepresented
22 any information required to be disclosed to an individual
23 under this Section and the information so misrepresented is
24 material to establishment of the liability of the financial
25 institution or the insurance company to the individual under
26 this Section, the action may be brought at any time within 2
27 years after discovery by the individual of the
28 misrepresentation.
29 (g) For the purposes of this Section, the parent of any
30 minor or the legal guardian of any individual who has been
31 declared to be incompetent due to physical or mental
32 incapacity or age by a court of competent jurisdiction may
33 act on behalf of the individual.
34 (h) The terms used in subsection (a) that are not
-12- LRB9204515LDcsam01
1 defined in this Act or otherwise defined in section 3(s) of
2 the Federal Deposit Insurance Act shall have the meaning
3 given to them in section 1(b) of the International Banking
4 Act of 1978.
5 Section 25. Effect on Fair Credit Reporting Act. Nothing
6 in this Act shall be construed to modify, limit, or supersede
7 the operation of the Fair Credit Reporting Act and no
8 inference shall be drawn on the basis of the provisions of
9 this Act regarding whether information is transaction or
10 experience information under section 603 of the Fair Credit
11 Reporting Act.
12 Section 30. Relation to other State laws. This Act shall
13 not be construed as superseding, altering, or affecting any
14 statutes, rules, orders, or interpretations in effect in this
15 State, except to the extent that such statutes, rules,
16 orders, or interpretations are inconsistent with the
17 provisions of this Act and then only to the extent of the
18 inconsistency.
19 Section 35. Personal information that is necessary to
20 effect or administer a transaction. The disclosing or use of
21 personal information shall be treated as necessary to effect
22 or administer a transaction with a consumer if the disclosing
23 or use:
24 (1) is required or is a usual, appropriate, or
25 acceptable method to carry out the transaction or the product
26 or service business of which the transaction is a part and
27 record, service or maintain the consumer's account in the
28 ordinary course of providing a financial or insurance service
29 or a financial or insurance product or to administer or
30 service benefits or claims relating to the transaction or the
31 product or service business of which it is a part, and
-13- LRB9204515LDcsam01
1 includes:
2 (A) providing the consumer or the consumer's agent
3 or broker with a confirmation, statement, or other record
4 of the transaction or information on the status or value
5 of the financial or insurance service or financial or
6 insurance product; and
7 (B) the accrual or recognition of incentives or
8 bonuses associated with the transaction that are provided
9 by the financial institution, insurance company, or any
10 other party;
11 (2) is required or is one of the lawful or appropriate
12 methods to enforce the rights of the financial institution,
13 insurance company, or of other persons engaged in carrying
14 out the financial or insurance transaction or providing the
15 product or service;
16 (3) is required or is a usual, appropriate, or
17 acceptable method for insurance underwriting at the
18 consumer's request or for reinsurance purposes, or for any of
19 the following purposes as they relate to a consumer's
20 insurance: account administration, reporting, investigating,
21 or preventing fraud or material misrepresentation, processing
22 premium payments, processing insurance claims, administering
23 insurance benefits (including utilization review activities),
24 participating in research projects, or as otherwise required
25 or specifically permitted by federal or State law; or
26 (4) the disclosure is required or is a usual,
27 appropriate, or acceptable method in connection with:
28 (A) the authorization, settlement, billing,
29 processing, clearing, transferring, reconciling, or
30 collection of amounts charged, debited, or otherwise paid
31 using a debit, credit, or other payment card, check, or
32 account number, or by other payment means;
33 (B) the transfer of receivables, accounts, or
34 interests therein; or
-14- LRB9204515LDcsam01
1 (C) the audit of debit, credit, or other payment
2 information.".
[ Top ]