Illinois Strengthens Data Breach Notification Law

Compliance is one of those challenges for companies big and small.  One of those compliance requirements is to keep abreast of changes to or new laws that apply to your organization.  While we don’t offer legal advice, when we see items related to compliance, we will bring them to your attention.  In the case of information security breach laws, most states have their own law as do some commonwealths and other protectorates.

It is important to remember that these laws, for the most part, apply based on where the user is, not where the business is.  So, if you are located in New Mexico (which is one of only three states that does NOT have a data breach notification law), but you have customers who live in California and Arizona, say, the California law applies to California residents and the Arizona law applies to Arizona residents.  This is why most companies would prefer a national law.  Due to national politics, a federal law would likely be weaker than many of the state laws, which would make privacy friendly legislators tend to vote against it.  In order for a national law to be effective, it would have to preempt states’ rights, which would tend to make those legislators who support a less intrusive Federal government vote against it.

This week it is Illinois and Its Personal Information Protection Act.  Some of the changes to PIPA, which go into effect on Jan. 1, 2017,  include:

  • Expanded the definition of personal information to include a person’s first and last name along with medical information, health insurance information or unique biometric information (such as, but not limited to fingerprints and retina image).  It also will include a person’s username or email address in combination with your password or security question and answer if that allows access to an account.
  • PIPA clarifies the safe harbor exception to breach notification.   Before, if the data was encrypted, you didn’t have to notify people.  Apparently that was misused.  Now it will say that if the data was encrypted, but the decryption key was taken, then you have to notify.  This is similar to changed made this year in Tennessee and Nebraska.
  • With the changes to the law, in the case of userid/password breaches, the notification must state that you should change your username or password and/or security question and answer promptly (really, do you  have to tell people that?) and that you should change it on ALL accounts that used that same login information, not just at the one site that was compromised.
  • While including healthcare and biometric information could increase the number of companies covered, there are two very important exceptions:
  • (1) Companies “subject to and in compliance with Section 501(b) of Gramm-Leach-Bliley” will be deemed to be in compliance with PIPA.  501 (b) covers a wide array of companies enumerated in section 505 (a).  These include national banks, member banks of the federal reserve system, banks insured by the FDIC (basically every bank in the country), savings banks, credit unions, brokers and dealers, investment companies, investment advisors, insurance companies regulated by the various states,  or any other business not listed that is engaged in financial services.  Notice that it does say that you  must be in compliance with GLB.
  • (2) Companies subject to and adhering to requirements under HIPAA and HITECH are also deemed to be compliant with PIPA with the extra stipulation that if you do something that requires you to notify the U.S. Department of Health and Human Services (i.e. some form of breach), you are required to also notify the Illinois AG within 5 days.

For companies with an online presence, you likely have customers in many states if not all states.  This means that you have to understand the requirements for responding to breaches in each state where your customers live.  This post represents changes to just one law.

Information for this post came from the Consumer Financial Services Law Blog.

Leave a Reply

Your email address will not be published.