The State of Illinois has enacted the “Personal Information Protection Act,” 815 ILCS §§ 530/1 – 530/25. The Act includes important provisions about how to respond to a data breach. The law also details who is subject to Illinois’ law and the proper method of notification.
Am I Subject to the Illinois Data Breach Law?
- Are you a data collector?
- Do you own or license personal information of an Illinois resident?
- Was there an unauthorized acquisition of personal information of an Illinois resident?
What is Personal Information?
Illinois data breach law defines “personal information” as: the “first name or first initial and last name” in combination with at least one of the unencrypted or redacted “data elements.”
Data elements include:
- a social security number;
- driver’s license or state identification number;
- credit or debit card number along with the password or access code;
- medical information;
- health insurance information;
- unique biometric information from a fingerprint, retina or iris scan; or
- an email address or user name with an accompanying password.
Who is a Data Collector?
Under Illinois law, possible “data collector[s]” include:
- government agencies,
- public and private universities,
- financial institutions,
- retail operators, and
- any other entity that handles, collects, disseminates, or otherwise deals with nonpublic personal information.
When Do I Need to Notify Illinois Residents of my Data Breach?
Illinois law requires notification, at no charge to the resident, once the data collector discovers or is notified of a breach. The notification must be made “without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.”
Notification may be delayed if a law enforcement agency determines that the notification will interfere with a criminal investigation. Law enforcement must provide a written request for the delay to the data collector.
How Do I Notify Illinois Residents of a Data Breach?
Illinois data breach law allows written notice, electronic notice, or substitute notice. Substitute notice is permitted if:
- the data collector shows that the cost of notice is more than $250,000,
- the affected group of people is more than 500,000, or
- the data collector does not have enough contact information.
In those situations, substitute notice consists of email, posting on the data collector’s web site, or notification to major statewide or local media. Illinois also allows notice based on the data collector’s own procedures as part of its information security policy, as long as the timing of the notice is consistent with the requirements of the Act.
What Does the Notice Need to Include?
The Illinois data breach law requires all notices to include:
- The toll-free numbers and addresses for consumer reporting agencies;
- The toll-free number, address, and website address for the Federal Trade Commission; and
- A statement that the individual can get information from these sources about fraud alerts and security freezes.
However, the notice must not include information relating to the number of Illinois residents who were affected by the breach.
Do I Need to Notify Anyone Else of the Data Breach?
State agencies that collect data must report a breach to the General Assembly within 5 business days of discovery. The report must list the breaches and the measures taken to prevent future breaches, and the agency must also submit an annual report.
What Are the Penalties For Failing to Provide Notice?
If notification isn’t made, it is a violation of the Consumer Fraud and Deceptive Business Practices Act. A violation is subject to civil liability from the Attorney General.
Talk to a Data Breach Lawyer
If a data breach occurred involving the personal information of Illinois residents, you likely must follow Illinois’ data breach notification law. If you have concerns about your exposure or have received notice that a breach has occurred affecting your website, contact the experienced data breach attorneys at Revision Legal. Civil fines are available in some states for a failure to notify those affected by breaches. If a breach has occurred, you need the legal team from Revision Legal in your corner today. Contact us using the form on this page or call us at 855-473-8474.