On January 1, 2017, Illinois ushered in a broader and stronger personal information and data breach regime. The Illinois Personal Information Protection Act (PIPA), 815 ILCS § 530, applies to any entity that “handles, collects, disseminates, or otherwise deals with nonpublic personal information” and imposes certain obligations on those entities in the event of a breach of Illinois residents’ “personal information.” The changes run throughout the law, with key revisions or additions including:
- Definition of “personal information”: the definition grew in two ways. First, the definition tied to a person’s name plus some other identifying element was expanded to mean a person’s first name or first initial and last name in combination with certain data elements such as a Social Security number, when either the name or the data element is not encrypted or redacted, or when the keys needed to decrypt, unredact or otherwise read the data elements were obtained through the breach. In addition, the list of data elements has grown to include medical information, health insurance information and “unique biometric data” such as a fingerprint. Second, a new definition of “personal information” was added covering a person’s “user name or email address, in combination with a password or security question and answer that would permit access to an online account,” subject to the same encryption and redaction language as the first definition. 815 ILCS § 530/5.
- Notice of breach: the notice obligation was amended to address the new online account definition of “personal information.” When the breach concerns this type of personal information, “notice may be provided in electronic or other form” and is to direct the Illinois resident “to promptly change” the information that has been breached for not only the resident’s account identified by the entity providing notice but also all other accounts for which the resident uses the same user name, password or security question and answer. 815 ILCS § 530/10.
- Data security requirements: a new section extends to any entity covered by the Act that “owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident.” Under the amended Act, such an entity “shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” 815 ILCS § 530/45(a). In addition, if an entity contracts to disclose such information to a third party, the contract must require the recipient to maintain the same kind of reasonable security measures. 815 ILCS § 530/45(b). The Act confirms that an entity’s compliance with an applicable state or federal law (including the Gramm-Leach-Bliley Act of 1999) that calls for “greater protection” constitutes compliance with the Act. 815 ILCS § 530/45(c) and (d). As to entities subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Act says that compliance with those federal laws is sufficient so long as any breach notification made to the Secretary of Health and Human Services is also given to the Illinois Attorney General within five business days thereafter. 815 ILCS § 530/50.