The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice.
Illinois
Data Breach Notification Statute
Highlights
Covered Entities: Any data collector, including but not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information of an Illinois resident.
Consumer Notification: Notification must be provided to any Illinois resident whose “unencrypted or unredacted computerized data that compromises the security, confidentiality, or integrity of personal information” has been acquired without authorization.
Regulatory Notification: Notification must be provided to the Illinois Attorney General where “more than 500 Illinois residents” are required to be notified as the result of a single breach.
Any State agency that collects personal data and has had a breach of security of the system data or written material shall submit a report within 5 business days of the discovery or notification of the breach to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material. Any State agency that has submitted a report under this Section shall submit an annual report listing all breaches of security of the system data or written materials and the corrective measures that have been taken to prevent future breaches.
Notification Timeline: Notification must be provided “in the most expedient time possible and without unreasonable delay…”
Data Format: Electronic.
Citations: 815 ILCS 530/1-530/50.
More Details
Definitions:
- Breach: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.
- Personal Information (PI):
  - An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization:
    - Social Security Number
    - Driver’s license number or State identification card number
    - Account number or credit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to the financial account
    - Medical information
    - Health insurance information
    - Unique biometric data used to authenticate an individual (fingerprint, retina or iris image, or other unique physical or digital representation of biometric data).
  - Username or email address, in combination with a password or security question and answer that would permit access to an online account, when either the username or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
- Medical Information: Information regarding medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application.
- Health Insurance Information: Health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any medical information in an individual's health insurance application and claims history, including any appeals records.
Safe Harbors:
- Encryption: Notification is not required where the potentially impacted PI was encrypted or redacted, unless the encryption key or security credential was also acquired without authorization.
- Good Faith: A breach does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure.
- Risk of Harm: Notification is not dependent on risk of harm to the consumer.
- Law Enforcement Delay: Notification may be delayed if a law enforcement agency determines that the notification will interfere with a criminal investigation and provides a written request for a delay.
Direct Notice:
- Timing: Notification must be provided in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
- Format: N/A
- Content: Notice shall include, but not be limited to, the following:
- The definition of personal information
- The toll-free number and addresses for consumer reporting agencies
- The toll-free number and address for the Federal Trade Commission
- A statement that the individual can obtain information from these sources about fraud alerts and security freezes.
- If username or email addresses are involved, notice should direct the individual to promptly change their username or password and security question or answer, or to take other steps appropriate to protect online accounts using the same login information.
- The notification shall not include information concerning the number of Illinois residents affected by the breach.
- Method: Notification letters must be provided in written form, or electronically if consistent with the provisions regarding electronic records and signatures in 15 U.S. Code § 7001.
Substitute Notice:
Substitute notice may be provided if the entity (1) demonstrates that the cost of providing notice will exceed $250,000, (2) demonstrates that the affected class to be notified exceeds 500,000, or (3) does not have sufficient contact information to provide notice. Substitute notice must include (1) email notice, if an email address is available, (2) a conspicuous posting on the entity’s website, if one is maintained, and (3) notice to major statewide media or, if the breach impacts residents in one geographic area, to prominent local media in areas where affected individuals are likely to reside, if such notice is reasonably calculated to give actual notice to the persons for whom notice is required.
Remediation Services:
N/A
Regulatory Notice:
Notification must be provided to the Illinois Attorney General where “more than 500 Illinois residents as the result of a single breach” are required to be notified. Such notice shall include: (1) a description of the nature of the breach of security or unauthorized acquisition or use, (2) the number of Illinois residents affected by such incident at the time of notification, and (3) any steps the data collector has taken or plans to take relating to the incident.
Regulatory Notice Timing:
Regulatory notification must be provided in the most expedient time possible and without unreasonable delay but in no event later than when the data collector provides notice to consumers.
Credit Reporting Agencies Notice:
N/A
Third-Party Notice:
If a data collector stores or maintains PI that it does not own, the data collector must notify and cooperate with the owner or licensee of the PI of a “breach” immediately following discovery.
HIPAA:
Any “covered entity” or “business associate” for purposes of the Health Insurance Portability and Accountability Act (HIPAA) will be deemed to have complied with relevant notice content requirements of this Act, provided that any covered entity or business associate required to provide notification of a breach to the Secretary of Health and Human Services pursuant to the Health Information Technology for Economic and Clinical Health Act also provides such notification to the Attorney General within 5 business days of notifying the Secretary.
Private Action:
N/A
Associated Regulations:
- 815 ILCS 530/1-530/50, Personal Information Protection Act.
Insurance Data Security Statute
Highlights
Covered Entities: Any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Illinois, not including a purchasing group or a risk retention group chartered and licensed in a state other than Illinois or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
Security Standard: A licensee must develop, implement, and maintain a comprehensive written information security program based on the licensee’s risk assessment that contains administrative, technical, and physical safeguards for nonpublic information and the licensee’s information systems. Certain licensees may be exempt as set forth in Section 35 of HB2130.
Consumer Notification: A licensee shall comply with the Personal Information Protection Act (815 ILCS §§ 530/1–530/50), as applicable.
Regulatory Notification: A licensee shall notify the Commissioner of Insurance as promptly as possible, but in no event later than three business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred, when either of the criteria referenced below has been met.
Notification Timeline: As promptly as possible, no later than three business days from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred.
Citations: HB2130 (Public Act 103-0142)
More Details
Definitions:
- Consumer: An individual, including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, or certificate holder, who is a resident of Illinois and whose nonpublic information is in the possession, custody, or control of a licensee.
- Cybersecurity Event: An event resulting in unauthorized access to, disruption, or misuse of an information system or nonpublic information stored on an information system, not including an event resulting in the unauthorized acquisition of encrypted nonpublic information or an event where the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.
- Licensee: Any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of Illinois, not including a purchasing group or a risk retention group chartered and licensed in a state other than Illinois or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.
- Nonpublic Information: Electronic information that is not publicly available information and is any of the following:
  - Business-related information of a licensee that if tampered with, or disclosed, accessed, or used without authorization, would cause a material adverse impact to the business, operations, or security of the licensee.
  - Any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify the consumer, in combination with:
    - Social Security number;
    - Driver’s license number or nondriver identification card number;
    - Financial account number or credit or debit card number;
    - Security code, access code, or password that would permit access to a consumer’s financial account; or
    - Biometric records.
  - Any information or data, except age or gender, created by or derived from a health care provider or a consumer, that can be used to identify a consumer and relates to:
    - The past, present, or future physical, mental, or behavioral health or condition of a consumer or a member of the consumer’s family;
    - The provision of health care to any consumer; or
    - The payment for the provision of health care to any consumer.
Regulatory Notice:
A licensee shall notify the Commissioner of Insurance as promptly as possible, no later than three business days from a determination that a cybersecurity event involving nonpublic information has occurred, when either of the following criteria has been met:
- Illinois is the state of domicile of the licensee, in the case of an insurer, or the home state of the licensee, in the case of a producer, as those terms are defined in Article XXXI of the Illinois Insurance Code, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in Illinois or any material part of the licensee’s operations.
- The licensee reasonably believes that the nonpublic information involves 250 or more consumers residing in Illinois and the cybersecurity event is either:
  - A cybersecurity event impacting the licensee that the licensee is required to notify any government body, self-regulatory agency, or any other supervisory body about pursuant to any state or federal law, or
  - A cybersecurity event that has a reasonable likelihood of materially harming either a consumer residing in Illinois or a material part of the licensee’s operations.
Content Requirements:
When notifying the Commissioner of Insurance of a cybersecurity event, a licensee shall provide as much of the following information as possible:
- The date of the cybersecurity event.
- A description of how the information was exposed, lost, stolen, or breached, including the specific roles and responsibilities of any third-party service providers.
- How the cybersecurity event was discovered.
- Whether any lost, stolen, or breached information has been recovered and if so, how this was done.
- The identity of the source of the cybersecurity event.
- Whether the licensee has filed a police report or has notified any regulatory, government, or law enforcement agencies and, if so, when the notification was provided.
- A description of the specific types of information acquired without authorization. Specific types of information means particular data elements including, for example, types of medical information, types of financial information, or types of information allowing identification of the consumer.
- The period during which the information system was compromised by the cybersecurity event.
- The number of total consumers in this state affected by the cybersecurity event. The licensee shall provide the best estimate in the initial report to the commissioner and update this estimate with each subsequent report to the commissioner pursuant to this section.
- The results of any internal review identifying a lapse in either automated controls or internal procedures, or confirming that all automated controls or internal procedures were followed.
- A description of efforts being undertaken to remediate the situation which permitted the cybersecurity event to occur.
- A copy of the privacy policy of the licensee and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event.
- The name of a contact person who is both familiar with the cybersecurity event and authorized to act for the licensee.
Third-Party Notice Requirements:
If a licensee discovers that a cybersecurity event has occurred in a system maintained by a third-party service provider, the licensee shall treat the event in the same manner for purposes of notification to the Commissioner of Insurance unless the third-party service provider provides the notice. The computation of the licensee's deadlines shall begin on the day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner.
Penalties:
In the case of a violation a licensee may be penalized in accordance with the provisions of the Illinois Insurance Code, including Section 403A of the Illinois Insurance Code.
Associated Regulations:
N/A
Information Security Standard
Highlights
Covered Entities: Any data collector, including but not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information of an Illinois resident.
First Party Security Standard: A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
Third Party Security Standard: N/A
Disposal/Destruction Standard: An entity must dispose of the materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable. Proper disposal methods include, but are not limited to, the following: (1) paper documents containing personal information may be either redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed; and (2) electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.
Any entity disposing of materials containing personal information may contract with a third party to dispose of such materials. Any third party that contracts with a person to dispose of materials containing personal information must implement and monitor compliance with policies and procedures that prohibit unauthorized access to or acquisition of or use of personal information during the collection, transportation, and disposal of materials containing personal information.
Data Format: Electronic and physical.
Citations: 815 ILCS 530/5 – 530/45.
More Details
Definitions:
- Personal Information (PI): An individual’s first name / first initial and last name in combination with one (1) or more of the following data elements when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization:
  - Social Security number;
  - Driver’s license number or State identification card number;
  - Account number or credit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to the financial account;
  - Medical information;
  - Health insurance information; or
  - Unique biometric data used to authenticate an individual (fingerprint, retina or iris image, or other unique physical or digital representation of biometric data).
PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Methods of Compliance:
The statute does not define methods of compliance.
Exclusions:
- Health Care: N/A
- Financial: These requirements do not apply to financial institutions as defined under 15 U.S.C. 6801 et seq. or to any person subject to 15 U.S.C. 1681w.
- Other: N/A
Enforcement/Penalties:
Any entity, including but not limited to a third party, who violates the requirements is subject to a civil penalty of not more than $100 for each individual with respect to whom personal information is disposed of. A civil penalty may not, however, exceed $50,000 for each instance of improper disposal of materials containing personal information. The Attorney General may impose a civil penalty after notice to the entity accused of violating this Section and an opportunity for that entity to be heard in the matter. The Attorney General may file a civil action in the circuit court to recover any penalty imposed under this Section.
In addition, the Attorney General may bring an action in the circuit court to remedy a violation of this Section, seeking any appropriate relief.
Associated Regulations:
- 815 ILCS 530/1-530/50, Personal Information Protection Act.