
Illinois Data Breach Law

Illinois Data Breach Law — What Every Business Owner Must Know

Any business that processes personal data is probably familiar with the GDPR by now. However, the GDPR is not the only data protection law that businesses must be familiar with. Illinois has its own data protection law, the “Personal Information Protection Act,” 815 ILCS §§ 530/1, et seq. (“Act”), which governs the actions that businesses storing personal information must take in the event of a data breach. A violation of Illinois’ data protection law constitutes a per se unfair practice under the Illinois Consumer Fraud Act, meaning business owners cannot afford to ignore the Act.

Unlike the European Union, the United States has no comprehensive data protection regulatory scheme. Protection of personal information is handled on a state-by-state basis. Each state, however, has its own law requiring notification of individuals affected by a data breach or data leak. These laws are generally known as “breach notification laws.”

Given the potentially serious consequences of a violation, businesses must know whether the Act applies to them and what they must do to ensure compliance.

Who is Subject to the Act?

The Act applies to all “data collectors.”

According to the Act, “data collector[s] may include, but are not limited to:”

  • government agencies,
  • public and private universities,
  • corporations,
  • financial institutions,
  • retail operators, and
  • any other entity that handles, collects, disseminates, or otherwise deals with nonpublic personal information.

What is “Personal Information”?

The Act defines “Personal information” as either (1) an individual’s first name or first initial and last name in combination with any one or more “data elements,” which include SSNs, driver’s license or state ID numbers, account or credit card numbers, medical information, health insurance information, and certain biometric data, or (2) a username or email address in combination with a password or security question and answer. As is common among breach notification statutes, information is only considered “personal information” if it is unredacted/unencrypted or if the keys to unredact/unencrypt the information are lost in the data breach as well. Additionally, information publicly available from government records is not considered “personal information” under the Act.

What Must Businesses do to Comply with the Act?

The Act requires data collectors to “implement and maintain reasonable security measures to protect [records containing personal information] from unauthorized access, acquisition, destruction, use, modification, or disclosure.”

In the event of a data breach involving the personal information of Illinois residents, the Act requires the data collector to “notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach.”

Notice of the breach must “be made in the most expedient time possible and without unreasonable delay.” Notice can be written or electronic (so long as the notice meets federal laws concerning electronic writings and signatures). If more than 500,000 people are affected or the data collector can demonstrate that the cost of notice would exceed $250,000 or that it lacks sufficient information to provide notice, notice may be given by alternative means including by e-mail, conspicuous posting on the data collector’s website, or notification to major statewide media.

What are the Consequences of a Violation?

The costs of violating the Act can be substantial. A violation of the Act constitutes a per se unlawful practice under the Illinois Consumer Fraud Act. The Attorney General may bring an action for injunctive relief, restitution, and civil penalties against the data collector. The data collector may also find itself the defendant in a class action lawsuit brought on behalf of affected individuals. In such suits, the plaintiffs may recover any actual damages as well as costs and attorney’s fees. This can add up to millions of dollars.

The best way to avoid liability is to prevent data breaches in the first place. If you do find yourself in the unfortunate position of having violated the Act, the next best thing is to retain an experienced class-action defense and consumer fraud defense attorney. Super Lawyers named Chicago and Oak Brook business trial attorney Peter Lubin a Super Lawyer in the Categories of Class Action, Business Litigation, and Consumer Rights Litigation. DiTommaso Lubin’s Oak Brook and Chicago business trial lawyers have over thirty years of experience in litigating complex class action, consumer rights, and business and commercial litigation disputes. We handle emergency business lawsuits involving injunctions and TROs, defamation, libel, and covenant not to compete, franchise, distributor and dealer wrongful termination and trade secret lawsuits and many different kinds of business disputes involving shareholders, partnerships, closely held businesses and employee breaches of fiduciary duty. We also assist businesses and business owners who are victims of fraud or defamatory attacks on their business and reputations.

Our Schaumburg and Evanston consumer and business dispute attorneys provide assistance in data breach, privacy violation, fair debt collection, consumer fraud, and consumer rights cases in Illinois and throughout the country. You can click here to see a description of some of the many individual and class-action consumer cases our Chicago consumer and business dispute lawyers have handled. We also assist Chicago and Oak Brook area businesses and business owners who are victims of data breaches. You can contact us by calling 630-333-0333. You can also contact us online here.
