Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.

ILLINOIS DATA PRIVACY REGULATIONS

Did You Know?

  • Limited methods of notification delivery
  • Comprehensive information requirements for notifications
  • Data owners are responsible for the reporting and notifications
  • Vendors have specific responsibilities
  • Laws also cover PII data disposal
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply

Who Me?


Illinois breach and notification laws may apply if you: 

  • Are a Data Collector that owns or licenses data that includes PII of an IL resident (IL Data Owner), including state agencies
  • Maintain or store personal information on behalf of an IL data owner (vendor)

There are exemptions.

What is PII?


PII relevant to a breach in Illinois includes an individual’s name with one or more of the following:

  • Social security number;
  • Driver’s license or state identification card number;
  • Financial account numbers or credit/debit card numbers, or the same together with any security or access codes or passwords, etc.;
  • Medical or health insurance information, or biometric data.

Also covered: a user name or email address in combination with an encrypted confidential process or key.

LAWS

APPLICABLE LAW

A few applicable statutes include, but are not limited to:

Illinois Compiled Statutes:

  • Chapter 815 Consumer Fraud and Deceptive Business Practices Act, 815 ILCS 505
  • Personal Information Protection Act, 815 ILCS 530/1 through 815 ILCS 530/50

RELATED LAWS

A few related statutes include, but are not limited to:

Illinois Compiled Statutes:

  • Personal Information Protection Act, 815 ILCS 530/40
  • Health Insurance Portability and Accountability Act, 1996
  • Health Information Technology for Economic and Clinical Health Act

PENALTIES

COMPLIANCE PENALTIES

In Illinois, violations constitute an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. The Attorney General may investigate and promulgate rules with the force of law.

BREACH REPORTING

MULTIPLE FACTORS TO CONSIDER

Factors to consider when determining reporting requirements include, but are not limited to:

  • The combination of personal information breached;
  • If the data was computerized;
  • If the data was encrypted or redacted;
  • If the data included any kind of key or password; and
  • If it was acquired by an unauthorized person.

TIME LIMITS

Notification may be delayed if law enforcement indicates that it would interfere with an investigation; otherwise, notification must be made in the most expedient time possible and without unreasonable delay.

Illinois also requires notice to the Attorney General, within five days in certain circumstances, for businesses subject to the Health Insurance Portability and Accountability Act (HIPAA) and/or the Health Information Technology for Economic and Clinical Health Act (HITECH).

State agencies must notify the Attorney General within 45 days (or sooner) if more than 250 Illinois residents are affected.

State agencies must notify the consumer credit reporting agencies if more than 1,000 persons are affected.

CONSUMER NOTIFICATION

Requires detailed information and potential provision of services

Illinois has a wide-ranging list of detailed information that must be included in the notification. The notification may only be delivered by mail or sent electronically (with stipulations).

A substitute notice, subject to specific requirements, may be used if the cost of providing the notice would exceed $250,000, the number of persons to be notified exceeds 500,000, or the notifying party does not have sufficient contact information.

Contact the Privacy Experts at CSR