
Illinois Data Breach Notification Law Explained

by Eric Misterovich

Partner

Data Breach

The State of Illinois has enacted the “Personal Information Protection Act” (PIPA), 815 ILCS 530/1 et seq. The Act sets out who is subject to Illinois law, what counts as a breach of personal information, who must be notified, and how and when notice must be given.

Am I Subject to the Illinois Data Breach Law?

  1. Are you a data collector?
  2. Do you own or license personal information of an Illinois resident?
  3. Was there an unauthorized acquisition of personal information of an Illinois resident?

What is Personal Information?

Illinois data breach law defines “personal information” as an individual’s first name or first initial and last name in combination with at least one of the following data elements, when either the name or the data element is not encrypted or redacted (or the encrypted data is acquired together with the key that can decrypt it):

Data elements include:

  • a social security number;
  • driver’s license or state identification card number;
  • account number or credit or debit card number, or an account or card number together with any security code, access code, or password that would permit access to the individual’s financial account;
  • medical information;
  • health insurance information; or
  • unique biometric data used to authenticate the individual, such as a fingerprint, retina or iris image.

Separately, a user name or email address in combination with a password or security question and answer that would permit access to an online account is also “personal information,” even when no name is involved. Publicly available information lawfully made available from federal, state, or local government records is excluded.

Who is a Data Collector?

Under Illinois law, possible “data collector[s]” include:

  • government agencies,
  • public and private universities,
  • corporations,
  • financial institutions,
  • retail operators, and
  • any other entity that handles, collects, disseminates, or otherwise deals with nonpublic personal information.

When Do I Need to Notify Illinois Residents of my Data Breach?

Illinois law requires a data collector that owns or licenses personal information to notify affected Illinois residents, at no charge to them, following its discovery or notification of a breach. The notification must be made “in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.” A data collector that maintains or stores, but does not own or license, the data must instead notify the owner or licensee immediately following discovery and cooperate in the owner’s response.

Notification may be delayed if a law enforcement agency determines that the notification will interfere with a criminal investigation. Law enforcement must provide a written request for the delay to the data collector.

How Do I Notify Illinois Residents of a Data Breach?

Illinois data breach law allows written notice, electronic notice, or substitute notice. Substitute notice occurs if:

  • the data collector shows that the cost of notice is more than $250,000,
  • if the affected group of people is more than 500,000, or
  • the data collector does not have enough contact information.

In those situations, substitute notice consists of all of the following: email notice to each affected person for whom the data collector has an email address, conspicuous posting of the notice on the data collector’s web site (if it maintains one), and notification to major statewide media. Illinois also treats a data collector as compliant if it follows its own notification procedures as part of its information security policy, as long as the timing of the notice is consistent with the requirements of the Act.

What Does the Notice Need to Include?

The Illinois data breach law requires all notices to include:

  1. The toll-free numbers and addresses for consumer reporting agencies;
  2. The toll-free number, address, and website address for the Federal Trade Commission; and
  3. A statement that the individual can get information from these sources about fraud alerts and security freezes.

But, the notice must not include information relating to the number of Illinois residents that were affected by the breach.

Do I Need to Notify Anyone Else of the Data Breach?

State agencies that collect personal data and suffer a breach must, within 5 business days of discovering or being notified of the breach, submit a report to the General Assembly listing the breaches and outlining any corrective measures taken to prevent future breaches. State agencies must also submit an annual report of breaches to the General Assembly.

What Are the Penalties For Failing to Provide Notice?

A failure to provide the required notification constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act, which the Illinois Attorney General may enforce through civil penalties and other remedies.

Illinois Data Breach Law in Context: What Businesses Must Know

Illinois’ Personal Information Protection Act (PIPA) sits within a broader Illinois legal landscape that is among the most consumer-protective in the country. Understanding PIPA alongside Illinois’ Biometric Information Privacy Act (BIPA) and the state’s consumer fraud statute gives a complete picture of the legal exposure Illinois businesses face in data security matters.

Later Amendments to Illinois PIPA

Illinois has amended PIPA several times since its enactment to expand its scope. Effective January 1, 2020, data collectors that experience a breach affecting more than 500 Illinois residents must also notify the Illinois Attorney General. The notice to the AG must be provided “in the most expedient time possible and without unreasonable delay, but in no event later than when the data collector provides notice to consumers,” and must include a description of the nature of the breach, the number of Illinois residents affected at the time of notification, and any steps the data collector has taken or plans to take relating to the incident. The AG may publish the name of the data collector, the types of personal information compromised, and the date range of the breach. In practice, the AG notice must go out no later than the consumer notices, so it cannot be held back while the consumer notice is sent.

Earlier amendments, effective January 1, 2017, expanded the definition of “personal information” to add medical information, health insurance information, unique biometric data, and a user name or email address combined with a password or security question and answer. The broader definition means that a breach of what might previously have seemed like low-sensitivity data, such as a username and password for a non-financial online account, now triggers Illinois’ notification requirements on its own, without any name or financial identifier being exposed.

Illinois Biometric Information Privacy Act (BIPA)

Any Illinois business that collects biometric data — including fingerprints, facial geometry scans, iris scans, or voiceprints — must comply with the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. BIPA is the most stringent biometric privacy law in the United States and has generated an enormous volume of class action litigation.

BIPA requires covered entities to: inform the subject in writing that biometric data is being collected and the specific purpose and length of time for which the data is being stored; obtain a written release from the subject before collecting biometric data; refrain from selling, leasing, trading, or otherwise profiting from biometric data; implement a publicly available written policy establishing a retention schedule and destruction guidelines; and maintain biometric data using a reasonable standard of care within the industry.

BIPA’s most significant feature is its private right of action with liquidated damages: $1,000 per negligent violation, $5,000 per intentional or reckless violation, plus attorneys’ fees. The Illinois Supreme Court held in Rosenbach v. Six Flags (2019) that a plaintiff need not allege actual harm; a technical violation of BIPA is enough to make a person “aggrieved” and entitled to statutory damages. The practical consequence is that a company that collects biometric data from 1,000 employees without proper BIPA disclosures faces $1 million in liquidated damages at the negligent rate with no requirement to prove that anyone was actually harmed. In Cothron v. White Castle (2023) the court held that a separate claim accrues with each scan, but a 2024 amendment to BIPA now limits recovery to a single violation per person for each method of collection. Aggregated BIPA claims have produced nine-figure outcomes, including a $650 million class settlement by Facebook and a $228 million jury verdict against BNSF Railway, which was later set aside before the case settled.

Illinois Consumer Fraud and Deceptive Business Practices Act

Failure to comply with PIPA’s notification requirements is specifically incorporated into the Illinois Consumer Fraud and Deceptive Business Practices Act, 815 ILCS 505/1 et seq. The Consumer Fraud Act authorizes the Illinois Attorney General to bring enforcement actions and seek civil penalties, injunctive relief, and restitution. Individual consumers also have a private right of action under the Consumer Fraud Act for damages resulting from deceptive or unfair practices. A business that fails to notify affected individuals as required by PIPA can face both an AG enforcement action under the Consumer Fraud Act and individual consumer claims asserting that the failure to notify constituted an unfair or deceptive practice that caused harm.

Interaction Between PIPA and Federal Law

PIPA coexists with federal notification requirements that may apply simultaneously to the same breach event. If the breach involves protected health information, HIPAA requires notice to affected individuals without unreasonable delay and no later than 60 calendar days after discovery. PIPA deems a HIPAA covered entity or business associate that is subject to and in compliance with the HIPAA and HITECH breach notification rules to be in compliance with PIPA, but it adds one requirement: any such entity that must notify the Secretary of Health and Human Services of a breach must also notify the Illinois Attorney General within 5 business days of notifying the Secretary. If the breach involves customer information held by a financial institution covered by the FTC’s GLBA Safeguards Rule, that rule’s requirement to notify the FTC within 30 days of discovering a notification event affecting at least 500 consumers may also apply, on top of the PIPA notices to residents and, where the 500-resident threshold is met, to the Attorney General.

Businesses operating in multiple states must determine which state notification laws apply based on the residence of each affected individual. A business headquartered in Illinois that experiences a breach affecting customers in Illinois, California, New York, and Texas must satisfy each applicable state’s law for that state’s residents, including the shortest deadline, the broadest definition of personal information, and any regulator-notification requirement among them, not just Illinois’ requirements.

Talk to a Data Breach Lawyer

If a data breach occurred involving the personal information of Illinois residents, you likely must follow Illinois’ data breach notification law. If you have concerns about your exposure or have received notice that a breach has occurred affecting your business, contact the experienced data breach attorneys at Revision Legal. Civil penalties are available for a failure to notify those affected by a breach. If a breach has occurred, you need the legal team from Revision Legal in your corner today. Contact us using the form on this page or call us at 855-473-8474.
