Information Covered / Important Definitions
Personal information of Illinois residents.
The definition includes (i) medical information, (ii) health insurance information, (iii) unique biometric data generated from measurements or technical analysis of human body characteristics used by the covered entity to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data, and (iv) a user name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or the password or security question and answer are not encrypted or redacted, or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the security breach.
“Security Breach” means an unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information.
"Medical information" means any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application.
"Health insurance information" means an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records.
Covered Entities* / Third Party Recipients
Subject to statute:
Any private university, privately held corporation, financial institution, retail operation, and any other entity that handles, collects, disseminates or otherwise deals with nonpublic personal information.
Third party recipients:
Any covered entity that maintains computerized data that includes personal information that the covered entity does not own or license must give notice to and cooperate with the owner or licensee of the personal information.
Illinois may take the position that any unauthorized acquisition or use by a third party triggers the notification obligation regardless of materiality/ownership of the data.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay. Notification may be delayed if a law enforcement agency determines that notification will interfere with a criminal investigation and such agency provides the covered entity with a written request.
- Notice to affected residents is required to contain specific content described in statute.
- Substitute notice is available by means prescribed in the statute if the cost of notice would exceed $250,000, the affected class exceeds 500,000 persons, or the covered entity does not have sufficient contact information.
- If user name(s) or email address in combination with password(s) or security question(s) and answer(s) constitute the extent of the security breach, notice may be provided in electronic form pursuant to the Illinois statute.
A covered entity must dispose of material containing personal information in a manner that renders the personal information unreadable, unusable and undecipherable.
A covered entity must implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure. Any contracts that the covered entity has with third party recipients must require reasonable security measures for the protection of personal information.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is fully encrypted or redacted.
Safe harbor will not be applicable if the keys to unencrypt or unredact or otherwise read the personal information have also been acquired without authorization.
Exemption for good faith acquisition of personal information by an employee or agent of covered entity for a legitimate purpose of the covered entity so long as personal information is not used for a purpose unrelated to covered entity’s business and is not subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the Illinois statute if it maintains and complies with its own notification procedures as part of an information security policy and those procedures are consistent with the timing requirements of the Illinois statute.
Notification to Regulator / Waiver
A determination of no likelihood of harm:
Notice in the “most expedient time possible” (but in no event later than notice to consumers) must be given to the Attorney General when 500 or more Illinois residents are affected by a single breach of a security system. Statute contains specific content required in notice.
A waiver of the statute is void and unenforceable.
The data security provisions of the Illinois statute will not apply to a covered entity subject to a state or federal law requiring greater protection for records containing personal information or to covered entities that are subject to the GLBA.
Covered entities subject to HIPAA are exempt from the entirety of the Illinois statute provided that any covered entity or business associate required to notify the Secretary of Health and Human Services also provides notification to the Illinois Attorney General within five (5) business days of notifying the Secretary.
A violation of the statute constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.
Private Cause of Action / Enforcement
Private Cause of Action: No.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.