Key Point: The Illinois data breach notification statute will now require entities to notify the Illinois Attorney General if a breach affects 500 or more Illinois residents.
The Illinois General Assembly recently voted to approve an amendment to the state’s Personal Information Protection Act (“PIPA”) (815 ILCS 530/1 et seq.) with regard to companies’ and organizations’ obligations when a data breach occurs. Illinois Governor J.B. Pritzker is expected to sign the amendment into law.
PIPA requires companies and other organizations that handle, collect, disseminate, or otherwise deal with non-public personal information to implement and maintain reasonable security measures to protect data from unauthorized access, acquisition, destruction, use, modification, or disclosure. It also outlines the procedures companies and organizations must follow if a security breach occurs. Non-public personal information includes either (a) a username or e-mail address along with its accompanying password or other method to access an online account or (b) an individual’s first name or first initial and last name in combination with a social security number, driver’s license number, state identification card number, an account number, credit or debit card number, medical information, health insurance information, or unique biometric data (such as scans of hand or face geometry).
PIPA requires data collectors who deal with non-public personal information to notify affected Illinois residents at no charge if there has been a breach of the security of the system data following discovery or notification of the breach.
The recent amendment to PIPA strengthens those requirements by requiring data collectors to also notify the office of the Illinois Attorney General of any breach affecting more than 500 residents in the most expedient time possible, but in no event later than when notice is provided to the consumer. Data collectors must provide the Attorney General with a description of the breach, the number of affected residents and details of any steps taken related to the breach. Lastly, the amendment gives the Attorney General the authority to publish information regarding the breach.
The Illinois amendment follows the recent trend of state legislatures amending their data breach notification statutes to require that notice be provided to state Attorneys General. This allows state Attorneys General to better monitor and investigate data breaches.