New Data Breach Law in Illinois, Harsher Penalties

815 ILCS §§ 530/1 to 530/25 is a data breach notification law that was originally passed in the U.S. state of Illinois in 2006 and was recently amended in 2020. It sets forth the legal requirements that businesses and organizations within Illinois must follow in the event that they experience a data or security breach. The law also establishes the penalties that can be imposed against agencies, businesses, and organizations that fail to comply with its provisions, which can include both monetary penalties and civil liability.

How is a security breach defined under 815 ILCS §§ 530/1 to 530/25?

Under 815 ILCS §§ 530/1 to 530/25, a security breach is defined as “an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of PI maintained by the entity.” Conversely, the “good-faith acquisition of PI by an employee or agent of the Entity for a legitimate purpose of the Entity does not constitute a security breach, provided that the PI is not used for a purpose unrelated to the Entity’s business or subject to further unauthorized disclosure.” Moreover, in terms of the scope and application of the law, 815 ILCS §§ 530/1 to 530/25 applies to all data collectors within the state of Illinois, which can include government agencies, financial institutions, and private and public universities, among others.

What are the requirements of organizations and businesses under 815 ILCS §§ 530/1 to 530/25?

Under 815 ILCS §§ 530/1 to 530/25, agencies, businesses, and organizations that collect personal information from residents within the state of Illinois are responsible for providing residents of the state with data breach notifications in the event that said entities experience a data or security breach. These breach notifications must provide citizens with information concerning the security breach, including the categories of personal information that were disclosed, as well as the scope and severity of the breach, among other pertinent details. Additionally, businesses and organizations are required to provide notice to the Illinois Attorney General in instances where a data breach affects more than 500 residents within the state.

What’s more, the law also contains further requirements as it relates to state agencies within Illinois. Under 815 ILCS §§ 530/1 to 530/25, state agencies within Illinois that experience a data breach that leads to the disclosure of “system data or written material shall submit a report within five business days of the discovery or notification of the breach to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches. Any agency that has submitted a report under the statute shall submit an annual report listing all breaches of security and the corrective measures that have been taken to prevent future breaches.”

What categories of personal information are protected under 815 ILCS §§ 530/1 to 530/25?

Under 815 ILCS §§ 530/1 to 530/25, the following categories of personal information are covered when they appear in conjunction with an Illinois resident’s first name or initial and last name, provided that either the name or the associated data elements are not redacted or encrypted, or the keys to unredact or unencrypt said data have been accessed illegitimately:

  • Social security numbers.
  • Driver’s license numbers and State identification card numbers.
  • Account numbers, debit card numbers, and credit card numbers, as well as any security codes, access codes, or passwords that may be used to grant access to such financial accounts.
  • “Medical information (any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application).”
  • “Health insurance information (health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual’s health insurance application and claims history, including any appeals records).”
  • “Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.”

What are the penalties for violating 815 ILCS §§ 530/1 to 530/25?

The provisions set forth in 815 ILCS §§ 530/1 to 530/25 are enforced by the Illinois Attorney General. Additionally, violations of 815 ILCS §§ 530/1 to 530/25 are also considered to be “unlawful practices under the Consumer Fraud and Deceptive Business Practices Act and are subject to all applicable penalties under the CFDBPA.” To this end, businesses and organizations within the state that fail to comply with the law are subject to both monetary and civil liability penalties. Such punishments include:

  • An injunction.
  • The revocation of the right to conduct business within the state of Illinois.
  • Civil penalties of up to $50,000.
  • Monetary penalties of up to $50,000 per violation, in instances where an entity within the state of Illinois is found to have intentionally defrauded citizens within the state as it pertains to the unauthorized access or use of personal information.
  • Further penalties of up to $10,000 in instances where the victims of a data or security breach include residents of the state of Illinois that are 65 or older.

As all 50 states and all other territories within the U.S. have passed some form of data breach legislation as of 2022, 815 ILCS §§ 530/1 to 530/25 represents the foremost legal means by which personal information is protected in the event that said information is illegally accessed as a result of a data or security breach. However, the penalties that can be imposed against businesses and organizations that fail to comply with 815 ILCS §§ 530/1 to 530/25 are extremely robust when compared with other data breach notification laws that have been passed in other U.S. states. As such, residents within the state of Illinois can have the peace of mind that their personal information is being protected at one of the highest levels that can be currently offered as it relates to state legislation.