Data Security Breaches: What You Need to Know about the Recent Amendment to the Illinois Personal Information Protection Act

Jul 1, 2016


The Illinois Personal Information Protection Act, which obligates “data collectors” (defined to include any public or private entity, including school districts, colleges, townships, park districts, and other local governmental entities that handle, collect, disseminate or otherwise deal with nonpublic personal information) to notify Illinois residents when their “personal information” has been breached, will be significantly expanded effective January 1, 2017, to cover breaches of health insurance information, medical information, unique biometric data, and online account information. 

The definition of “personal information” has been expanded to include:

1. An individual’s first name or first initial and last name in combination with any of the following when such information is not encrypted or when the keys to unencrypt such information have also been breached:

a. The individual’s social security number, driver’s license number, state identification card number, account number, or credit or debit card number (or account numbers and security codes that would allow access to an individual’s financial account);

b. Medical information, which means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis, including such information provided to a website or mobile application;

c. Health insurance information, which means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual’s health insurance application and claims history; or

d. Unique biometric data, such as fingerprints, retina or iris images.

A breach of this type of personal information requires that “data collectors” issue notices to affected Illinois residents that provide a) the toll-free numbers and addresses for consumer reporting agencies; b) the toll-free number, address, and website for the Federal Trade Commission; and c) a statement that the affected individual can obtain information from these sources about fraud alerts and security freezes. 

2. User name or email address in combination with a password or security question and answer that would permit access to an online account, when such information is not encrypted or the keys to unencrypt such information have also been breached.

A breach of this type of personal information requires that “data collectors” issue notices via electronic or other form directing the affected individual to promptly change his or her user name or password and security question and answer or to take other steps as appropriate to protect all online accounts that utilize the same log-in information.

Publicly available information that is “lawfully made available to the general public from federal, State, or local government records” will still be excluded from the definition of “personal information.”

Additionally, pursuant to the amendment, “data collectors” will be required to implement and maintain reasonable security measures to protect “personal information” from unauthorized access. The amendment also requires that any contract for the disclosure of “personal information” must include a provision requiring the person or entity to whom the information is disclosed to implement and maintain reasonable security measures to protect that information from a breach.

If you have any questions or require assistance with determining compliance with the amendment to the Personal Information Protection Act, please feel free to contact any of the firm’s Labor and Employment or Local Government attorneys.