Illinois Personal Information Protection Act (Data breach)
815 ILCS § 530/1 - § 530/50
SUMMARY:
EFFECTIVE. June 27, 2006
WHO DOES THIS LAW APPLY TO. (1) Any person, business or government agency that owns or licenses Personal Information concerning an Illinois resident; and (2) any person, business or government agency that maintains or stores Personal Information on State residents.
WHAT IS A BREACH. Unauthorized acquisition of computerized data that compromises the security, integrity or confidentiality of Personal Information maintained by a person, business, or government agency. A good faith acquisition of Personal Information by an employee or agent of the person, business or government agency for internal purposes only is not a breach, if it is not used outside the business or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or data element is not encrypted or redacted:
- Social Security Number.
- Driver’s license number or State identification card number.
- Account number, credit card number, OR an account number or credit card number in combination with any required security code, access code, or password that would permit access to a resident’s financial account.
- Medical information, unique biometric data used to authenticate an individual (i.e., fingerprint, retina, or iris image, other unique physical or digital representation).
- Health insurance information.
- An individual’s unencrypted or unredacted username or email address, in combination with a password or security question and answer that permits access to an online account.
Personal Information does not include publicly available information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the Illinois residents affected. Such notices shall not include the number of residents affected by the breach. If notice must be issued to more than 500 Illinois residents as a result of a single breach, notice must also be provided to the Illinois Attorney General. This notice must include a description of the breach, the number of affected Illinois residents, and any steps that have been taken or are planned relating to the incident. If a State agency is required to notify more than 1,000 individuals of a security breach, it shall also notify all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)) of the timing, distribution, and content of the notices.
EXCEPTION. This Section does not apply to the following:
- Personal information that is encrypted or redacted, unless the keys to unencrypt or unredact it, or the means of otherwise reading the name or data elements, have been acquired without authorization.
- A person, business or government agency that maintains its own notice procedures as part of a Personal Information security policy that is otherwise consistent with the timing requirements of this Section is considered in compliance with this Section if the affected individuals are notified in accordance with those policies.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person, business or government agency discovers or is notified of a security breach. The disclosure shall be made in the most expedient manner possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and to restore the reasonable integrity, security, and confidentiality of the data system. Notification may be delayed if law enforcement determines that it would impede a criminal investigation and requests the delay in writing. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if notice is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
The notice shall include, but is not limited to:
- The toll-free numbers and addresses for consumer reporting agencies.
- The toll-free number, address, and website for the Federal Trade Commission.
- A statement that information may be obtained from the above sources regarding fraud alerts and security freezes.
- If the breach involves usernames or email addresses, notice should direct the individual to promptly change his or her username or password and security question or answer, or to take other steps appropriate to protect online accounts using the same login information.
SUBSTITUTE NOTICE AVAILABLE. If the person, business, or government agency can demonstrate that the cost of providing notice will exceed $250,000, that the affected class of persons to be notified exceeds 500,000, or that it has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person, business, or government agency has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person, business, or government agency, if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD PARTIES. If a person, business, or government agency maintains or stores computerized data that includes Personal Information that it does not own, then the person, business or government agency shall notify the owner or licensee of the breach immediately upon discovery. In addition, the person, business, or government agency shall cooperate with the owner or licensee concerning the breach, including providing the date and nature of the breach and the steps taken or planned relating to the breach. Such cooperation does not include disclosing confidential or trade secret information, or notifying the affected residents. The person, business or government agency that owns or licenses the computerized data shall provide notice to the affected individual(s).
CONSEQUENCES FOR FAILING TO NOTIFY. Any violation of this Section constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. 815 ILCS 530/40. Disposal of materials containing personal information; Attorney General.
(a) In this Section, "person" means: a natural person; a corporation, partnership, association, or other legal entity; a unit of local government or any agency, department, division, bureau, board, commission, or committee thereof; or the State of Illinois or any constitutional officer, agency, department, division, bureau, board, commission, or committee thereof.
(b) A person must dispose of the materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable. Proper disposal methods include, but are not limited to, the following: (1) Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed; (2) Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.
(c) Any person disposing of materials containing personal information may contract with a third party to dispose of such materials in accordance with this Section.
LEGISLATIVE UPDATES.
H.B. 1633 – Signed into law on 6/16/2005, Effective 6/27/2006.
H.B. 3025 – Signed into law on 8/22/2011, Effective 1/1/2012.
H.B. 1260 – Signed into law 5/6/2016, Effective 1/1/2017.
S.B. 1624 – Signed into law 8/9/2019, Effective 1/1/2020.
For more information, see here: https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67
AND
https://witnessslips.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.