Illinois Modifies Data Breach Statute | Practical Law

The Illinois Legislature has passed HB1260, amending the Personal Information Protection Act (PIPA) by expanding the personal information definition to include health insurance information, medical information, and user names with access credentials, requiring state agencies that suffer a breach to notify the Attorney General, and adding new data security requirements.

Practical Law Legal Update w-002-2366 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 09 May 2016, USA (National/Federal)
On May 6, 2016, the governor of Illinois approved HB1260, which amends the Personal Information Protection Act (PIPA) (815 Ill. Comp. Stat. Ann. 530/1). Effective January 1, 2017, PIPA will be amended to:
  • Add definitions of "health insurance information" and "medical information."
  • Modify the definition of "personal information" to include:
    • health insurance information, medical information, or biometric data when combined with a person's unencrypted first name or initial and last name; or
    • an unencrypted user name or email address combined with a password or security question and answer that would permit online access to an account.
  • Modify PIPA's encrypted information exception so that it does not apply when the keys needed to decrypt or otherwise read the encrypted name or data elements were themselves obtained through the security breach.
  • Modify the breach notification content requirements, depending on the type of personal information exposed.
  • Expand the substitute notice provision to allow notification through prominent local media instead of statewide media, if the:
    • breach only impacts residents in that geographic area, and
    • local notice is reasonably calculated to give affected persons actual notice.
  • Add a requirement for state agencies to notify the Attorney General if they suffer a personal information security breach affecting more than 250 Illinois residents.
HB1260 also creates a new data security section requiring data collectors to implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure. Entities that are subject to and in compliance with the privacy and security requirements of the Gramm-Leach-Bliley Act (GLBA), or of other state or federal laws that set greater personal information security protections, are deemed in compliance with this new data security section.
HB1260's last section establishes a HIPAA-related exemption. Covered entities and business associates will be deemed in compliance with PIPA if they both:
  • Are subject to and in compliance with privacy and security standards established by HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).
  • Provide the Illinois Attorney General with a copy of any breach notifications reported to the Secretary of Health and Human Services within 5 days of notifying the Secretary.