Possibly adding to the list of states that have updated their privacy and breach notification laws this year, the Illinois legislature passed Senate Bill 1624 which would update the state’s current breach notification law to require most “data collectors,” which includes entities that, for any purpose, handle, collect, disseminate, or otherwise deal with nonpublic personal information, to notify the State’s Attorney General of certain data breaches. The state’s current statute already requires notification of a data breach to the Attorney Generals’ office, but only in the event of data breach affecting state agencies, and only if those breaches affect more than 250 Illinois residents.
Under the Senate Bill, if a data collector is required to notify more than 500 Illinois residents as a result of a single data breach, that data collector also must notify the Illinois Attorney General’s office. Similar to the requirements in other states requiring Attorney General notification, the law requires certain content be included in the notification:
- A description of the nature of the breach of security or unauthorized acquisition or use.
- The number of Illinois residents affected by such incident at the time of notification.
- Any steps the data collector has taken or plans to take relating to the incident.
In addition, if the date of the breach is unknown at the time the notice is sent to the Attorney General, the data collector must inform the Attorney General of the date of the breach as soon as possible. Note, some states have more extensive content requirements, such as Massachusetts, which requires covered entities that experience a breach to inform the Attorney General (and the Commonwealth’s Office of Consumer Affairs and Business Regulation) about whether the organization maintains a written information security program. The change in Illinois would exclude covered entities or business associates that are subject to the privacy and security regulations under HIPAA, provided they are compliant with those regulations. Of course, covered entities and business associates would still have to notify the federal Office of Civil Rights in the event of a data breach affecting unsecured protected health information.
The change would require the notification to be made in the most expedient time possible and without unreasonable delay, but not later than when the data collector provides notice to individuals affected by the breach. Also joining some other states, such as Massachusetts and New Hampshire, the Senate Bill provides that the Attorney General may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.
Should these changes become law, the patchwork of state breach notification laws continues to grow more complex, particularly for organizations that experience multistate data breaches. It is critical, therefore, that organizations are prepared with an incident response plan, one that not only addresses steps to drive systems-related investigations and recovery, but also a timely and compliant communication and notification strategy.