Breach Based on Harm Threshold: No
Deadline for Consumer Notice: Most expedient time possible without unreasonable delay
Government Notification Required: Yes, if >500 residents notified
Scope of this Summary:
Notification requirements applicable to commercial entities that own, license, or maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Unauthorized acquisition that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
The statute does not apply to information that is encrypted or redacted, so long as the encryption key was not acquired.
Form of Covered Info
- An individual's first name or first initial and last name in combination with any one or more of the following data elements:
  - Social Security number.
  - Driver's license number or state identification card number.
  - Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
  - Medical information, meaning information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application.
  - Health insurance information, meaning an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records.
  - Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
- A username or email address, in combination with a password or security question and answer that would permit access to an online account.
Consumer Notice Timing
Must be made in the most expedient time possible and without unreasonable delay following discovery or notification of the breach, consistent with any measures to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the system.
Consumer Notice Method
By written notice or electronic notice if it is consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
The notice shall include, but need not be limited to, information as follows:
- With respect to personal information as defined in paragraph 1 of the "Personal information" definition:
  - The toll-free numbers and addresses for Consumer Reporting Agencies.
  - The toll-free number, address, and website address for the Federal Trade Commission.
  - A statement that the individual can obtain information from these sources about fraud alerts and security freezes.
  - The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.
- With respect to personal information as defined in paragraph 2 of the "Personal information" definition:
  - Notice may be provided in electronic or other form directing the Illinois resident whose personal information has been breached to promptly change his or her username or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same username or email address and password or security question and answer.
Notification may be delayed if law enforcement determines notification will impede a criminal investigation and provides a written request for the delay.
If more than 500 Illinois residents are notified, the entity must notify the Director of the Attorney General no later than when residents are notified. The notice must include a description of the breach, the number of residents affected, and the steps taken in response. The AG may publish the name of the company that suffered the breach, the types of personal information compromised, and the date range of the breach.
Consumer Reporting Agency Notice
Exceptions for Other Laws
Covered entities or business associates subject to and in compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) privacy and security standards shall be deemed in compliance with the statute if they provide the Attorney General with a copy of any breach notifications reported to the Secretary of Health and Human Services within five days of notifying the Secretary.
If you maintain covered info on behalf of another entity, you must notify it immediately following discovery of a breach and must cooperate in matters relating to the breach as specified in the statute.
Private Right of Action
A violation of the Illinois general data breach notification statute is an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act. Any person who suffers actual damages may bring an action under the statute.
Violations may result in civil penalties.