Effective Now: New Data Breach Reporting Requirements in Illinois
On January 1, 2017, the recent revision of the Illinois Personal Information Protection Act, 815 ILCS 530, et seq., went into effect. The amendments include several key revisions which, taken together, have a significant impact on health care and other organizations vis-à-vis their obligations to secure the information they collect on patients, customers, and clients.
Expanded Definition of Personal Information
The definition of “personal information” was expanded in two ways:
An Illinois resident’s first name or first initial, combined with his or her last their last name and certain other information such as a social security number, credit card number, or password, now qualifies as personal information subject to protection under the Act. Also included in the list of additional information that, together with first name (or first initial) and last name, qualifies as personal information is “[u]nique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.” In other words, a person’s name in combination with a fingerprint or other biometric data is now protected by the Act.
Likewise, “personal information” was also expanded to include a user name or email address in combination with a password or security question response that would allow access to the account. (815 ILCS 530/5.)
Additional State Notification Requirement
The Act also now confirms that compliance with certain federal laws, such as HIPAA or the Gramm-Leach-Bliley Act of 1999, constitutes compliance with Illinois state law, including 815 ILCS 530/45(c) and (d). But the amendment now requires that notification must also be provided to the Illinois Attorney General within five business days if a breach report is made to the Office for Civil Rights of the U.S. Department of Health & Human Services, pursuant to HIPAA. (815 ILCS 530/50.) (As a reminder, under HIPAA, data breaches exceeding 500 individuals generally must be reported within 60 days following discovery of the breach. Breaches involving less than 500 individuals may be reported at the end of the calendar year.)
At a minimum, affected organizations will need to examine and revise any policies and procedures now in effect concerning breach reporting to Illinois state authorities. They may also wish to update employee training initiatives to reflect the expanded definitions of personal information.