
Illinois

See the Summary of U.S. State Data Breach Maps

Quick Facts

Breach Based on Harm Threshold: No
Deadline for Consumer Notice: Most expedient time possible without unreasonable delay
Government Notification Required: Yes, if >500 residents notified

815 Ill. Comp. Stat. §§ 530/1 to 530/50

Scope of this Summary:

Notification requirements applicable to commercial entities that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.

Risk of Harm Threshold

N/A

Breach Defined

Unauthorized acquisition that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.

Encryption Safe Harbor

Statute does not apply to information that is encrypted or redacted, so long as encryption key was not acquired.

Form of Covered Info

Electronic Only

Covered Info

  • An individual's first name or first initial and last name in combination with any one or more of the following data elements:
    • Social Security number.
    • Driver's license number or state identification card number.
    • Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
    • Medical information, meaning information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application.
    • Health insurance information, meaning an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records.
    • Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account.

Consumer Notice Timing

Must be made in the most expedient time possible and without unreasonable delay following discovery or notification of the breach, consistent with any measures to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the system.

Consumer Notice Method

By written notice or electronic notice if it is consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.

Consumer Notice Content

The notice shall include, but need not be limited to, information as follows:

  • With respect to personal information as defined in paragraph 1 of the "Personal information" definition:
    • The toll-free numbers and addresses for Consumer Reporting Agencies.
    • The toll-free number, address, and website address for the Federal Trade Commission.
    • A statement that the individual can obtain information from these sources about fraud alerts and security freezes.
    • The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.
  • With respect to personal information as defined in paragraph 2 of the "Personal information" definition:
    • Notice may be provided in electronic or other form directing the Illinois resident whose personal information has been breached to promptly change his or her username or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same username or email address and password or security question and answer.

Delayed Notice

Notification may be delayed if law enforcement determines notification will impede a criminal investigation and provides a written request for the delay.

Government Notice

If more than 500 Illinois residents are notified, must notify Director of the Attorney General no later than when residents are notified. Notice must include a description of the breach, number of residents affected, and steps taken in response. AG may publish name of company that suffered the breach, the types of personal information compromised, and the date range of the breach.

Consumer Reporting Agency Notice

N/A

Exceptions for Other Laws

Covered entities or business associates subject to and in compliance with Health Information Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) privacy and security standards shall be deemed in compliance with the statute if they provide the Attorney General with a copy of any breach notifications reported to the Secretary of Health and Human Services within five days of notifying the Secretary.

Third-Party Notice

If you maintain covered info on behalf of another entity, you must notify it immediately following discovery of a breach and must cooperate in matters relating to the breach as specified in the statute.

Private Right of Action

A violation of the Illinois general data breach notification statute is an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act. Any person who suffers actual damages may bring an action under the statute.

Potential Penalties

Violations may result in civil penalties.

This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.

Last revised on June 15, 2023

©1996-2025 Davis Wright Tremaine LLP. ALL RIGHTS RESERVED. Attorney Advertising. Not intended as legal advice. Prior results do not guarantee a similar outcome.