On May 6, 2016, Illinois joined a growing number of states that have strengthened their data breach notification requirements and expanded the definition of protected personal information. Effective January 1, 2017, HB1260 amends the Illinois Personal Information Protection Act (PIPA) to broaden the definition of protected personal information, which will now include an individual’s first name or first initial and last name in combination with medical information, health insurance information, or unique biometric data (such as “a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data”). Additionally, Illinois will join several other states in defining personal information to include a user name or email address (with a password or a security question and answer that would permit access to an online account). Under the current law, personal information is limited to an individual’s first name or first initial and last name in combination with any one or more of the following data elements: (1) Social Security number; (2) driver’s license number or state identification card number; or (3) account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. 815 ILCS § 530/5.
HB1260 also clarifies the existing encryption safe harbor. Under the new law, if personal information is encrypted or redacted but the keys to decrypt or otherwise read the data elements have been acquired, notification may be required.
Additionally, the amendment requires certain notices of a breach of security to include specific content. Under the new law, if notice is required and the breach of security involved an individual’s user name or email address, the notice should direct the individual “to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.”
For those companies that have not already done so, the new law will require companies that deal with records that contain personal information of Illinois residents to “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” And, similarly, any contract for the disclosure of personal information concerning an Illinois resident must include a provision requiring the person receiving the information to “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”
Finally, the new law deems entities to be in compliance with PIPA if those entities are “subject to and in compliance with” the Gramm-Leach-Bliley Act Safeguards Rule. Additionally, entities subject to and in compliance with the Privacy and Security Rules for the protection of electronic personal health information under the federal Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act (HITECH) are deemed to be in compliance with PIPA. But if an entity is required by HITECH to notify the U.S. Department of Health and Human Services (HHS) of a breach, the entity must also provide notification to the Illinois Attorney General within five business days of notifying HHS.
For assistance with tracking the continuing developments in state breach notification laws, please refer to BakerHostetler’s regularly updated state-by-state survey.