Illinois’ data breach notification law has been updated, broadening the definition of personal information and changing the timescale for notifying the Attorney General of data breaches.
A breach notification will need to be issued if a person’s full name or last name and initial is exposed in combination with any of the following data elements:
- Driver’s license number
- Social Security number
- Credit or debit card number
- Biometric data
- Usernames and email addresses (along with passwords or other data that would allow access to accounts to be gained)
- Medical information
- Health insurance information
Notifications will not be required if a breach occurs and data are encrypted, or if exposed data are publicly available.
The new law specifically mentions health insurance information which includes a subscriber ID number, health insurance policy number, or any other unique identifier used to identify an individual. Any medical data provided to a health insurer in an application, appeals records, or claims history, is also included in the new definition.
The exposure of information relating to a person’s mental or physical condition, medical history, or diagnosis and treatment information is also now specified. The law applies to companies that store these data, and also covers data submitted via mobile applications and websites.
The definition of personal information has been expanded to include usernames if combined with a password or answers to security questions, as has occurred in California, Florida, and Nebraska. However, rather than requiring a written notification to be sent to affected individuals, notifications of breaches of “online information” can be issued electronically. Breach victims will need to be instructed how they can change their login names, passwords, or security questions as appropriate, and should be instructed to do so promptly.
Organizations that are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) – including business associates of HIPAA-covered entities – will be deemed to be in compliance with the new state law, although only if a breach notification is required to be issued to the HHS’ Office for Civil Rights (OCR).
HIPAA-covered entities will be required to issue a breach notification to the state attorney general within 5 days of the notice being provided to the OCR.
State governor Bruce Rauner signed the new law earlier this month and the updates will come into effect on January 1, 2017.