Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- $100 per person, up to $50,000 per incident

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Businesses that experience a breach of personal information involving more than 500 Illinois residents must report to the Attorney General without delay, but no later than when the business provides breach notification to affected consumers.
  • Specific information such as nature of the breach, number of affected residents and any mitigation taken must be included in the notification.
  • The Attorney General may publish the names of businesses that experience a data breach, the type of information involved, and the date range.
  • If a vendor is breached, it must notify the data owner with specific details of the breach. The data owner is responsible for completing any required regulatory and consumer breach notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Businesses subject to HIPAA and HITECH regulations that experience a breach must notify the Attorney General within 5 days after notification is made to the Secretary of Health and Human Services.
  • Data owners and contracted vendors must implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.
  • Data owners and contracted vendors must have measures in place for the secure disposal of personal information, so it cannot be read or reconstructed.
  • Businesses in possession of biometric identifiers must ensure adequate and highly restrictive measures are in place for the storage, disclosure and protection of biometric identifiers. In addition, they must have a publicly available written policy which states their retention schedule and disposal guidelines.
  • A private right of action can be brought with fines up to $5,000 or actual damages for violations of the Biometric Information Privacy Act.
  • Violations of the Personal Information Protection regulations constitute an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act.
  • Violations of the disposal regulations may result in a civil penalty of up to $100 for each affected individual, up to $50,000 for each instance of improper disposal.
  • Sector-specific regulations provide for an individual’s right to access their personal information.
Statutes and Laws
  • 740 ILCS 14 Biometric Information Privacy Act
  • 815 ILCS 530 Personal Information Protection Act
  • 815 ILCS 530/40 Disposal of material containing personal information; Attorney General
  • 815 ILCS 530/45 Data security
  • 815 ILCS 530/50 Entities subject to the federal Health Insurance Portability and Accountability Act of 1996
  • 815 ILCS 505 Consumer Fraud and Deceptive Business Practices Act
  • 105 ILCS 10 Illinois School Student Records Act
  • 105 ILCS 85 Student Online Personal Protection Act