Mandated Timeframe for Breach Reporting and/or Consumer Notification: Without unreasonable delay
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of breach notification laws:
- $100 per person, up to $50,000 per incident
None to minimal
Businesses that experience a breach of personal information involving more than 500 Illinois residents must report it to the Attorney General without delay, and no later than when the business provides breach notification to the affected consumers.
Specific information such as nature of the breach, number of affected residents and any mitigation taken must be included in the notification.
The Attorney General may publish the names of businesses that experience a data breach, the type of information involved, and the date range of the breach.
If a vendor is breached, it must notify the data owner with specific details of the breach. The data owner is responsible for completing any required regulatory and consumer breach notifications.
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Businesses subject to HIPAA and HITECH regulations that experience a breach must notify the Attorney General within 5 days after notification is made to the Secretary of Health and Human Services.
Data owners and contracted vendors must implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.
Data owners and contracted vendors must have measures in place for the secure disposal of personal information, so it cannot be read or reconstructed.
Businesses in possession of biometric identifiers must ensure that adequate and highly restrictive measures are in place for the storage, disclosure and protection of those identifiers. In addition, they must have a publicly available written policy that states their retention schedule and disposal guidelines.
A private right of action can be brought, with fines of up to $5,000 or actual damages, for violations of the Biometric Information Privacy Act.
Violations of the Personal Information Protection regulations constitute an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act.
Violations of the disposal regulations may result in a civil penalty of up to $100 for each affected individual, up to $50,000 for each instance of improper disposal.
Sector-specific regulations provide for an individual’s right to access their personal information.
Statutes and Laws
740 ILCS 14 Biometric Information Privacy Act
815 ILCS 530 Personal Information Protection Act
815 ILCS 530/40 Disposal of material containing personal information; Attorney General
815 ILCS 530/45 Data security
815 ILCS 530/50 Entities subject to the federal Health Insurance Portability and Accountability Act of 1996
815 ILCS 505 Consumer Fraud and Deceptive Business Practices Act
105 ILCS 10 Illinois School Student Records Act
105 ILCS 85 Student Online Personal Protection Act