Illinois Governor Bruce Rauner signed HB1260 into law, amending the state’s Personal Information Protection Act (PIPA) and expanding its breach notification and data security requirements. The amended law takes effect January 1, 2017.
The amendments expand the definition of personal information; the items added by HB1260 are marked (new) below.

An individual’s first and last name in combination with any of the following:
- Social Security number
- Driver’s license number
- State identification card number
- Financial account number together with the password or access code needed to access the account
- Medical information (new)
- Health insurance information (new)
- Unique biometric data used to authenticate an individual (new)

And, as a separate category that does not require the individual’s name:
- Username or email address in combination with a password, or a security question and answer, that would permit access to an online account (new)
The amendments also clarify the encryption safe harbor. Encrypted personal information is exempt from notification only if it actually remains unreadable: if the keys needed to decrypt the data were acquired along with it, or the data can otherwise be read, the safe harbor does not apply. In practice this means decryption keys must be stored and protected separately from the data they protect, or the encryption buys no relief from notice obligations.
There are also several changes to the requirements for issuing notice of a breach:
Individuals: If the breached data falls under the username or email address category of personal information, notice may be provided in electronic or other form directing the individual to promptly change the username or password and security question or answer, as applicable, or to take other steps to protect every online account for which the same credentials are used.
Attorney General: An entity required to notify the U.S. Department of Health and Human Services (HHS) of a breach under HITECH must also notify the Illinois Attorney General within five business days of notifying HHS.
State Agencies: A State agency that suffers a breach affecting more than 250 Illinois residents must notify the Attorney General within 45 days of discovering the breach or when it notifies the affected individuals, whichever is sooner. The notice must include:
- The types of personal information compromised;
- The number of Illinois residents affected;
- Any steps the State agency has taken to notify affected individuals; and
- The date and time frame of the breach.
The amendments add a new data security requirement: any data collector that owns or licenses personal information about an Illinois resident must implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
The same standard flows down to third parties. Whenever a data collector discloses personal information to a third party under contract, the contract must require the third party to implement and maintain the same reasonable security measures to protect the information.
Under the new law, entities already subject to certain federal regimes are deemed compliant:
- GLBA: An entity subject to and in compliance with the Gramm-Leach-Bliley Act’s safeguards standards is deemed compliant with the law’s reasonable security measures requirement.
- HIPAA: A covered entity or business associate in compliance with HIPAA and HITECH is deemed compliant with the law, provided that, where it must notify HHS of a breach, it also notifies the Illinois Attorney General as described above.