Illinois Data Breach Reporting Law

Under a newly enacted Illinois data breach reporting law, data breaches involving the personal information of more than 500 Illinois residents must be reported to the Illinois Attorney General.

What is Required Under the New Illinois Data Breach Reporting Law?

SB 1624, signed by Illinois governor J.B. Pritzker, and effective January 1, 2020, is an amendment to the Illinois Personal Information Protection Act (“PIPA”). Illinois’ current data breach reporting law, PIPA, imposes obligations on data collectors that own or license personal information.

Under PIPA, the term “data collector” includes (but is not limited to):

  • A government agency;
  • A public or a private university;
  • A privately or publicly held corporation;
  • A financial institution; 
  • A retail operator; and
  • Any other entity

that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

“Personal information” under the data breach reporting law is defined as either:

  1. A person’s first name, or initial, and last name, in combination with certain data elements such as a Social Security number, when that information is not encrypted or redacted, or when it is encrypted or redacted but the protection has been defeated and the information accessed.
  2. A person’s username or email address, in combination with a password or security question and answer, that would permit access to an online account, when either:
    1. The username, email address, password, or security question and answer are not encrypted or redacted; or 
    2. The username, email address, password, or security question and answer are encrypted or redacted, but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through a breach of security.

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

The amendment to the data breach reporting law requires that any breach involving the personal information of more than 500 Illinois residents must be reported to the Illinois Attorney General.

What Must the Notice to the Attorney General Contain?

Under the new data breach reporting law, the notice must include the following:

  • A description of the nature of the breach of security or unauthorized acquisition or use;
  • The number of Illinois residents affected by the incident at the time of the notification; and
  • Any steps the data collector has taken or plans to take relating to the incident.

The notice to the Attorney General must be made “in the most expedient time possible and without unreasonable delay,” and in any event must be no later than when the data collector provides notice to consumers.

Does the Law Contain a HIPAA/HITECH Safe Harbor Provision?

The new data breach reporting law contains a “HIPAA Safe Harbor” provision. Under the safe harbor provision, any covered entity or business associate that is subject to, and in compliance with, the privacy and security standards for protection of ePHI under HIPAA and the HITECH Act, is deemed to automatically be in compliance with the new data breach reporting law, provided that:

  • Any covered entity or business associate required to provide notice of a breach to the Secretary of HHS under the HITECH Act also provides that notice to the Illinois Attorney General within 5 business days of notifying the HHS Secretary.
