Illinois Governor Vetoes Expansion of Breach Notice Requirements

A recent attempt by the Illinois legislature to significantly expand the scope of the Illinois data breach notification legislation was vetoed by Governor Rauner. As passed by the General Assembly, Illinois Senate Bill 1833 would have extended the type of information covered by the state’s breach notification law to include medical, health insurance, biometric, consumer marketing, and geolocation information.

In vetoing the legislation, the governor argued that the bill “goes too far” and adds burdensome requirements that other states do not have. He particularly focused on the bill’s inclusion of geolocation information and customer marketing data, arguing that including those types of data in information covered by the statute was unnecessary. The governor stated that “an authorized release of consumer marketing and geolocation information does not pose the same risk of identity theft that justifies the extraordinary and costly security notice requirements imposed by the Personal Information Protection Act.”

Other provisions vetoed included reducing the data breach notification timeline to 30 days and requiring the operator of a website to post a privacy policy.