In response to trends, heightened public awareness, and a string of large-scale data breaches, states continue to enhance their data breach notification laws. Illinois Governor J.B. Pritzker recently signed into law an amendment to the Personal Information Protection Act (PIPA), SB 1624, effective January 1, 2020. PIPA will now require that most “data collectors,” which includes entities that, for any purpose, handle, collect, disseminate, or otherwise deal with nonpublic personal information, notify the State’s Attorney General of certain data breaches. PIPA had already required notification of a data breach to the Attorney Generals’ office, but only in the event of data breach affecting state agencies, and only if those breaches affect more than 250 Illinois residents.
Under the amendment to PIPA, if a data collector is required to notify more than 500 Illinois residents as a result of a single data breach, that data collector also must notify the Illinois Attorney General’s office. Similar to the requirements in other states requiring Attorney General notification, the law requires certain content be included in the notification:
- A description of the nature of the breach of security or unauthorized acquisition or use.
- The number of Illinois residents affected by such incident at the time of notification.
- Any steps the data collector has taken or plans to take relating to the incident.
Furthermore, if the date of the breach is unknown at the time the notice is sent to the Attorney General, the data collector must inform the Attorney General of the date of the breach as soon as possible. Note, some states have more extensive content requirements, such as Massachusetts, which requires covered entities that experience a breach to inform the Attorney General (and the Commonwealth’s Office of Consumer Affairs and Business Regulation) about whether the organization maintains a written information security program.
Notification to the Attorney General must be made in the most expedient time possible and without unreasonable delay, but not later than when the data collector provides notice to individuals affected by the breach. Also joining some other states, including Massachusetts and New Hampshire, Illinois now provides that the Attorney General may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.
The update to Illinois law excludes covered entities or business associates that are subject to the privacy and security regulations under HIPAA, provided they are compliant with those regulations. Of course, covered entities and business associates would still have to notify the federal Office of Civil Rights in the event of a data breach affecting unsecured protected health information.
The patchwork of state breach notification laws continues to grow more complex, particularly for organizations that experience multistate data breaches. It is important, therefore, that organizations across the United States continue to evaluate and enhance their data breach prevention and response capabilities.