Illinois Governor Pat Quinn approved a measure on August 22, 2011, amending his state’s data breach notification law. The changes, which become effective January 1, 2012, are designed to increase protections for Illinois residents in the following ways:
New information that must be included in breach notifications:
- the toll-free numbers and addresses for consumer reporting agencies,
- the toll-free number, address, and website address for the Federal Trade Commission, and
- a statement that the individual can obtain information from these sources about fraud alerts and security freezes.
Information that may not be included in breach notifications:
- information concerning the number of Illinois residents affected by the breach.
New requirements for "data collectors" that maintain or store, but do not own or license, computerized data:
As with most breach notification statutes, entities that maintain or store certain personal information on behalf of the owner or licensee of that data also have obligations in the event of a breach of the security of that data. Generally, the obligation is to notify the owner of the breach. So, for example, a third party claims administrator or an accounting firm might perform services for ABC Corp. (the owner) requiring the administrator or accounting firm to maintain or store the personal information. If an employee of the administrator or accounting firm loses a laptop containing ABC Corp.’s personal information, or the employee or some third party impermissibly accesses or acquires the information, the administrator or accounting firm would be required to notify ABC Corp. which, in turn, would need to notify the affected individuals.
As amended, Illinois’ breach notification law requires companies that maintain or store personal information to cooperate with the owner or licensee in matters relating to the breach, by notifying the owner or licensee of:
- the date or approximate date of the breach and the nature of the breach, and
- any steps the entity has taken or plans to take relating to the breach.
However, this cooperation shall not require either (i) the disclosure of confidential business information or trade secrets of the company that maintains or stores the information, or (ii) the notification of an Illinois resident who may have been affected by the breach.
New Mandates for Disposing of Materials Containing Personal Information
The amended law requires "persons" (including natural persons, corporations, partnerships, associations, or other legal entities, including governmental entities) to dispose of the materials containing personal information "in a manner that renders the personal information unreadable, unusable, and undecipherable." The law provides examples of proper disposal methods:
- Paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed.
- Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.
Companies may engage third parties to carry out the disposal of personal information, provided that third parties performing these services must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information. It is recommended that service contracts be carefully drafted to address these issues and appropriate steps be taken to monitor compliance.
Penalties for violations of the disposal requirements can be up to $100 for each individual with respect to whom personal information is disposed, subject to a maximum penalty of $50,000 for each instance of improper disposal.