Illinois’ New Data Protection Law
Chris Merritt - August 24th, 2011
News today, courtesy of Brendon Tavelli at Proskauer’s Privacy Law blog via the always excellent Office of Inadequate Security, of a new data breach notification bill just signed by Governor Pat Quinn of Illinois. Interesting to me both personally (Go Illini!!) and professionally, this bill (HB 3025) amends Illinois Public Act 097-0483 (the Personal Information Protection Act) and brings the state in line with a small but growing number of states which mandate what information must be contained in a breach notification, as well as the cooperation required between the “data collector” and anyone holding or storing the data on its behalf.
Let’s look a little more closely at the Illinois law as it will stand when the provisions of HB3025 take effect at the start of 2012.
- Personal Information is defined as: an individual’s first name or first initial and last name in combination with “data elements” such as Social Security number, driver’s license number or State identification card number, and/or account number or credit / debit card number (either with or without password or security / access code).
- Note that if the name or the data elements are encrypted or redacted, the data falls outside this definition and the law does not apply.
- Note also this does not apply to lawfully available public information.
- Covered Entities now include not only the “data collectors” that, for any purpose, handle, collect, disseminate, or otherwise deal with nonpublic personal information, but also anyone who maintains or stores, but does not own or license, personal information.
- This includes both private (e.g., companies, financial institutions, retail operators, etc.) and public (e.g., government agencies, universities, etc.) entities.
- Notification Timeline is “as quick as possible” (or, in legalese, in the most expedient time possible and without unreasonable delay).
- This matches most, but not all, State laws, which do not put a specific timeline on the notification (AFAIK, only Ohio and Wisconsin have a 45 day outer limit).
- Note there is an exception which allows notification to be delayed if a criminal investigation is ongoing.
- Notification Content must now include, at a minimum, contact information for consumer reporting agencies, contact information for the Federal Trade Commission (FTC), and a statement that the individual can obtain information from these sources about fraud alerts and security freezes.
- Note that, unlike some States, Illinois explicitly excludes the number of residents impacted by the breach from the notification.
- Notification Method is via letter, email or, under certain conditions, “substitute notification” (such as posting in newspapers), which is fairly common in the State laws I’ve studied.
- There is an interesting aside that lets a data collector that maintains its own notification procedures, as part of an information security policy for the treatment of personal information, follow those procedures as long as they meet the timing set forth in the law. As I’ve said several times before, IANAL, but this seems to be an “out” in terms of notification content and method.
- State agencies are subject to some additional requirements, such as notifying all consumer reporting agencies if more than 1,000 records are lost / stolen.
- Cooperation with the notification process by the non-owner/licensee is now mandated in matters relating to the breach. This includes, at a minimum:
- Notifying the owner/licensee of the breach, including the date (or approximate date) of the breach and the nature of the breach.
- Telling the owner/licensee of any corrective steps taken or planned.
- None of this, however, requires direct notification or the disclosure of confidential business information or trade secrets.
- Information Disposal includes both paper and electronic data, and must be in a manner that renders the personal information unreadable, unusable, and undecipherable.
- No specific methods are mentioned, but suggestions such as burning / shredding (for paper records) and erasing (for electronic records) are supplied.
- It allows for 3rd party data destruction, provided the third party implements and monitors compliance with policies and procedures that prohibit unauthorized access to, acquisition of, or use of personal information during the collection, transportation, and disposal of materials containing personal information.
- Note that financial institutions subject to 15 U.S.C. 6801 et seq. and anyone subject to 15 U.S.C. 1681w are exempt from this disposal requirement (and, if I understand these things properly, the associated penalties).
- Violations are subject to civil penalty of not more than $100 per individual impacted by the breach, not to exceed $50,000 per instance.
- Because the penalty is per individual rather than per record, if three credit cards belonging to the same person are involved in a breach, the entity losing the data pays at most $100 for that person.
- Note that the AG may seek any appropriate relief for violations of the provisions of this law.
What’s not included? Here are some things that do not seem to be required in the new Illinois law:
- Breach notification information (timing, records impacted, etc.) provided to the State AG (like MA or NY)
- An exemption for “immaterial” breaches (like CO or CT)
- A formal information security policy (like MA; for more on this, see here or here)
- PCI compliance (like NV; for more on this, see here)
- The inclusion of health information (like TX or MN; for more on the MN law, see here)
Bottom line. Well, I think Brendon put it well when he wrote:
If you operate nationwide, HB3025 won’t add much to your breach response plan, since other state breach notification laws have already included similar requirements. If not, HB3025 and the wave of recent amendments to state information security breach notice laws only further complicates an already difficult compliance landscape. So exactly when, you ask, will we get some federal relief from the burden of tracking and complying with almost fifty different breach notification laws? Good question.
###
Some Resources, if you are interested in additional information on the Illinois data privacy law:
- Illinois Amends Breach Notice Law to Specify Notice Content, Cooperation – in Office of Inadequate Security (24 August 2011)
- “Illinois-ed” About the Lack of Useful Information in Breach Notices? Illinois Amends Breach Notice Law to Specify Notice Content, Cooperation – by Brendon Tavelli, Privacy Law blog (August 24, 2011)
- The Personal Information Protection Act (Public Act 097-0483) can be found here
- House Bill 3025 can be found here