Illinois
Privacy Laws
Overview
BREACH NOTIFICATION – Mandated Timeframe: Without unreasonable delay
FINES & PENALTIES – Violations: $100 up to $50,000
Regulation Levels: Breach Reporting, Consumer Notification, Vendor Management, Vendor Contract Required
PRIVACY AND SECURITY LAWS
Laws related to personal information, privacy and security.
Breach Reporting: Required
Vendor Obligations: Required
Consumer Notification: Required
Vendor Contracts: Required
Vendor Notification: Required
Privacy Program: Required
QUICK FACTS
Illinois Privacy Law Information
Organizations that disclose personal information to Vendors, including data disposal vendors, must have a contract with those Vendors. Organizations and their contracted Vendors must implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure, and must have measures in place for the secure disposal of personal information so that it cannot be read or reconstructed. Organizations in possession of biometric identifiers must ensure measures are in place for the storage, disclosure and protection of those identifiers. In addition, they must have a publicly available written policy that states their retention schedule and disposal guidelines.
Sector-specific regulations provide for an individual’s right to access their personal information. A private right of action can be brought with fines up to $5,000 or actual damages for violations of the Biometric Information Privacy Act.
Organizations that experience a breach, whether internally or through a third party, are responsible for all regulatory reporting and consumer notification for breaches of personal information involving more than 500 Illinois residents. Reporting must be submitted to the Attorney General without delay, and no later than when breach notification is provided to affected consumers. Reporting must include the nature of the breach, the number of affected residents and any mitigation actions. Vendors must notify Organizations upon discovery of a breach or suspected breach, must cooperate with Organizations, and must provide all necessary information relating to the breach or suspected breach.
If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Vendors contracted to dispose of an Organization’s records containing personal information must maintain policies and procedures for the protection of the records from unauthorized access, acquisition, or use while in the Vendor’s possession and during disposal.
Violations of the Personal Information Protection regulations constitute an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act. Violations of the disposal regulations may result in a civil penalty of up to $100 for each affected individual, up to $50,000 for each instance of improper disposal. The Attorney General may publish the names of organizations that experience a data breach and the type of information involved, including the date range of the breach. Organizations may be fined or penalized for Vendor violations.
Illinois Statutes and Laws
Illinois School Students Records Act
Student Online Personal Protection Act
Biometric Information Privacy Act
Consumer Fraud and Deceptive Business Practices Act
Personal Information Protection Act
Notice of breach
Disposal of materials containing personal information; Attorney General
Data security
Entities subject to the federal Health Insurance Portability and Accountability Act of 1996
DISCLAIMER
The information provided is not legal guidance or a recommendation and is for informational purposes only.