Definition of Breach
Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.
Definition of Personally Identifiable Information
An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted, or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired through a breach of security: (1) SSN; (2) driver’s license number or state ID card number; (3) Account number or credit or debit card number, or an account number or credit card number in combination with any required code or password that would permit access to an individual’s financial account; (4) Medical information; (5) Health insurance information; or (6) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
Personal information may also include a user name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
Form of Data
Paper Records Covered
Encrypted Data Covered When the Encryption Key Has Been Accessed or Acquired
Yes, if breach involves encrypted or redacted data along with the keys needed to unencrypt, unredact, or otherwise read the name or data elements, notification is required.
Any government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.
Notification Obligation Triggers After Discovery or After Reasonable Investigation
For any data collector that owns or licenses personal information: “following discovery or notification of the breach”.
For any data collector that maintains or stores, but does not own or license, computerized data: “following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Time for Notification Once an Obligation is Triggered
If owns or licenses personal information, “without unreasonable delay, in the most expedient time possible.”
If data collector maintains personal information, “immediately” following discovery.
Risk of Harm Trigger for Notification Exists
(1) Written notice; (2) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; or (3) Substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250K, or that the affected class of subject persons to be notified exceeds 500,000, or that the data collector does not have sufficient contact information. Substitute notice shall consist of (A) E-mail notice if the data collector has the email addresses to the affected persons; (B) Conspicuous posting of the notice on the data collector’s website if one is maintained; and (C) Notification to major statewide media. If breach impacts residents in one geographic area, notification to media may be made to prominent local media in areas where affected individuals are likely to reside if such notice is reasonably calculated to give actual notice to persons whom notice is required.
Mandatory Notification Items
Disclosure to an IL resident shall include, but need not be limited to, (i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address and website address for the FTC, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes. Notification shall not include information concerning the number of IL residents affected by the breach.
If compromised data is a user name or email address, in combination with password or security question and answer that would permit access to an online account, notice may be provided in electronic or other form directing the IL resident to change his/her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.
When informing data owner, entity must “cooperate with the owner or licensee,” which shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approx. date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach.
Any affected resident, data owner or licensee if notifier is not owner or licensee. If State agency required to notify more than 1,000 persons, it must also notify, without unreasonable delay, all national consumer reporting agencies.
If State agency required to notify more than 250 IL residents, must notify AG within 45 days of discovery of breach or when the State agency notifies individuals affected by breach, whichever is sooner. Further instructions for notifying AG can be found here. Notice to AG must include (A) types of personal information compromised in breach; (B) number of IL residents affected by the breach at the time of notification; (C) any steps the State agency has taken or plans to take relating to notification of the breach to consumers; and (D) date and timeframe of the breach, if known at the time of notification (if not known at the time of notification, must send to AG as soon as possible).
If the State agency that suffers breach determines the identity of the actor who perpetrated the breach, the State agency must notify the General Assembly within 5 days after the determination, provided that the disclosure would not jeopardize the security of IL residents or compromise a security investigation.
If a State agency directly responsible to the Governor has been or has reason to believe it has been subject to a data breach of more than 250 IL residents, must notify Office of the Chief Information Security Officer of the Illinois Department of Innovation and Technology and AG no later than 72 hours following discovery of the breach.
Attorney General Publishes Breach Data
Private Right of Action Included
Exception to Notification Obligation Exists if the Entity is Complying with Other Laws (HIPAA, GLB, etc.)
Yes if: (1) the entity complies with state or federal laws that provide greater protection to personal information than this section; (2) the entity is subject to and in compliance with standards established by §501(b) of GLB Act; or (3) the entity is subject to and in compliance with the privacy and security standards for the protection of electronic health information set by HIPAA.
Allows Flexibility in Notification Requirements to Entities that Maintain Their Own Notification Procedures Consistent with the Statute
Penalties for Violations
Violation of the Consumer Fraud and Deceptive Business Practices Act. Any person who improperly disposes of materials containing personal information is subject to a civil penalty of not more than $100 for each individual with respect to whom personal information is disposed of, NTE $50,000 for each instance of improper disposal of materials containing personal information. As amended, Attorney General may file a civil action to recover any penalty imposed for improper disposal or to seek any appropriate relief.
A person (including a natural person, a corporation, partnership, association or other legal entity, unit of local government or any agency, department, division, bureau, board, commission or committee thereof; or the State of IL or any constitutional officer, agency, department, division, bureau, board, commission or committee thereof) must dispose of the materials containing personal information in a manner that renders the personal information unreadable, unusable and undecipherable.