Click here to review text of state statute
Information Covered / Important Definitions
Personal information of Illinois residents.
The general definition of “personal information” used in the majority of statutes is: An individual’s first name or first initial and last name plus one or more of the following data elements: (i) Social Security number, (ii) driver’s license number or state-issued identification card number, and (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account. The general definition generally applies to computerized data that includes personal information and usually excludes publicly available information that is lawfully made available to the general public from federal, state or local governments or widely distributed media. When a statute varies from this general definition, it will be pointed out and underlined in the chart.
“Security Breach” means an unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information.
"Medical information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application.
"Health insurance information" means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records.
Covered Entities* / Third Party Recipients
Subject to statute:
Any private university, privately held corporation, financial institution, retail operation, and any other entity that handles, collects, disseminates or otherwise deals with nonpublic personal information.
Third party recipients:
Any covered entity that maintains computerized data that includes personal information that the covered entity does not own or license must give notice to and cooperate with the owner or licensee of the personal information.
Illinois may take the position that any unauthorized acquisition or use by a third party triggers the notification obligation regardless of materiality/ownership of the data.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay. Notification may be delayed if law enforcement agency determines notification will interfere with a criminal investigation and such agency provides the covered entity with a written request.
- Notice to affected residents is required to contain specific content described in statute.
- Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity does not have sufficient contact information.
- If user name(s) or email address in combination with password(s) or security question(s) and answer(s) constitute the extent of the security breach, notice may be provided in electronic form pursuant to the Illinois statute.
A covered entity must dispose of material containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable.
A covered entity must implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure. Any contracts that the covered entity has with third party recipients must require reasonable security measures for the protection of personal information.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is fully encrypted or redacted.
Safe harbor will not be applicable if the keys to unencrypt or unredact or otherwise read the personal information have also been acquired without authorization.
Exemption for good faith acquisition of personal information by an employee or agent of covered entity for a legitimate purpose of the covered entity so long as personal information is not used for a purpose unrelated to covered entity’s business and is not subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the Illinois statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Illinois statute.
Notification to Regulator / Waiver
[Effective January 1, 2020: Notice in the “most expedient time possible” (but in no event later than notice to consumers). must be given to the Attorney General when 500 or more Illinois residents are affected by a single breach of a security system. Statute contains specific content required in notice]
A determination of no likelihood of harm:
A waiver of the statute is void and unenforceable.
Exemption for data security provisions for entities subject to a state or federal law requiring greater protection or GLBA.
Covered entities subject to HIPAA are exempt from the entirety of the Illinois statute provided that any covered entity or business associate required to notify the Secretary of Health and Human Services also provides notification to the Illinois Attorney General within five (5) business days of notifying the Secretary.
A violation of the statute constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.
Private Cause of Action / Enforcement
Private Cause of Action: No.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute