Illinois Data Breach Law Amendment in Effect, New Security Provisions Added: Are You Compliant?

Illinois has had a data breach notification law since 2005, but on January 1, 2012, an amendment went into effect. Under this amendment companies must include specific disclosures in their notices to consumers. These notices must be sent if covered information has been breached, as defined by Illinois law. This amendment brings the Illinois law into harmony with the requirements of other states. The new requirements include telling consumers that they can file a police report, how to place a freeze on their credit report (this same requirement exists under Massachusetts law), as well as give contact information for the FTC. In addition, the law now requires vendors that house data on behalf of others to notify those companies in the event of a breach. This, too, exists under the laws of other states. Now, the law also includes data security provisions, mirroring those that exist in other states. In particular, companies that dispose of materials that include covered personal information must do so in a secure manner. This could include shredding the documents for paper material, and erasing electronic media so that it cannot be read or reconstructed. Companies might find this guidance from the Illinois Attorney General’s office helpful.

TIP: For companies that have a nationwide approach to data breach notification and data security, the requirements under Illinois law are not new. They do, however, serve as a reminder to such companies to make sure that they have addressed these requirements. For companies that have taken a more state-by-state approach, they should make sure to take Illinois into account. As other states’ requirements may change, companies may want to consider taking a more national approach.