Illinois toughens up on privacy by bolstering its breach notification law
Illinois became the latest state to fortify its data breach notification law – the Personal Information Protection Act (PIPA) – when Gov. Bruce Rauner signed House Bill 1260 into law on May 6, 2016. PIPA’s amendments, which take effect on January 1, 2017, will make Illinois one of the most progressive states for the regulation of breach reporting and the protection of electronic personal information. Specifically, the changes will principally:
i. broaden the statute’s definition of protected “personal information,”
ii. limit the safe harbor exemption for encrypted data,
iii. expand notice obligations to residents for breaches involving their log-in credentials (i.e., email address and password),
iv. require entities in possession of “personal information” concerning an Illinois resident to implement and maintain reasonable security safeguards to protect that information, and
v. establish limited exemptions from PIPA.
Below is a summary highlighting the key statutory amendments warranting particular attention before the new law takes effect next year.
PIPA applies broadly to – and imposes notification obligations on – government agencies, universities, corporations, financial institutions, retail operators, and any other entity that handles, collects, disseminates, or otherwise deals with nonpublic “personal information” concerning Illinois residents (collectively referred to as “data collectors”). The Act recognizes two different types of data collectors: (1) those that own or license Illinois residents’ personal information and (2) those that only maintain or store such data for others. Notwithstanding this distinction, both groups are subject to virtually the same set of notice requirements under PIPA, with one exception.
Upon discovering or receiving notification of a “breach” – defined as an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of any Illinois resident’s personal information – a data collector that owns or licenses the compromised personal information must notify the affected Illinois resident(s) of the breach in the most expedient time possible and without unreasonable delay. Under the same scenario, however, a data collector that merely maintains or stores the information is required to notify the data owner/licensor of the breach immediately following discovery so that the data owner/licensor can then notify the resident(s) whose personal information was compromised.
Illinois’ statutory definition of a “breach” is noteworthy for two reasons. First, unauthorized access to personal information, alone, does not constitute a “breach” under PIPA and therefore would not trigger a data collector’s notice obligations. However, if the data is accessed without authorization and is subsequently made available to further unauthorized disclosure, this would be considered a “breach.” Additionally, both the existing and amended versions of PIPA continue to apply only to computerized data. As a result, data collectors that suffer a breach involving non-computerized (paper) data regarding Illinois residents are not required to inform those residents of the security breach.
Expanded definition of “personal information”
Prior to the amendments, PIPA defined “personal information” to merely include an individual’s first name or first initial and last name, in combination with one or more of the following data elements: (1) Social Security number, (2) driver’s license number or state identification number, or (3) account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. 815 ILCS § 530/5.
Notably, the amendments to PIPA significantly expand the definition of protected “personal information” to now include an individual’s first name or first initial and last name in combination with:
- Medical information (such as an individual’s medical history, mental or physical condition, diagnosis, or medical treatment by a healthcare professional, including such information provided to a website or mobile application);
- Health insurance information (such as an individual’s health insurance policy number or subscriber identification number, a unique identifier used by a health insurer to identify the individual, or any medical information in an individual’s health insurance application and claims history); or
- Unique biometric data (such as “fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data”).
Moreover, the amended definition will also encompass a new category of data, namely, an individual’s “user name or email address in combination with a password or security question and answer that would permit access to an online account.” Illinois’ inclusion of log-in credentials as a form of “personal information” reflects an emerging trend among states that have recognized the exponential growth in online transactions and have deemed such data to be protectable under those states’ respective breach notification laws. See generally, California, Florida, Nevada, Wyoming, Rhode Island, and Nebraska (effective July 20, 2016).
Erosion of the encryption safe harbor
Importantly, the amendments to PIPA also narrow the law’s prior “encryption safe harbor,” which limited a data collector’s obligation to notify affected Illinois residents that their personal information had been acquired through a security breach when the data was encrypted.
Under the new law, the notification requirement will apply even to encrypted or redacted personal information if the password or keys needed to decrypt or unredact that information were also acquired through the breach.
Expanded notice obligations
For security breaches involving a user name or email address in combination with a password or security question and answer, the amended law will permit data collectors that own or license such information to provide notice electronically (or, alternatively, in another form – e.g., paper) to affected Illinois residents directing such individuals “to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.”
In addition, beginning in January 2017, PIPA will require state agencies that suffer a single data security breach affecting more than 250 Illinois residents to provide notice to the Illinois Attorney General. Specifically, this notice must inform the state’s Attorney General of the following:
- The types of personal information compromised in the breach;
- The number of Illinois residents affected by such incident at the time of notification to the Attorney General;
- Any steps the State agency has taken or plans to take relating to notification of the breach to consumers; and
- The date and timeframe of the breach, if known at the time notification is provided.
The notification must be sent to the Illinois Attorney General either within 45 days of the date that the compromised entity discovers the breach, or within 45 days of the date the entity informs Illinois residents of the breach – whichever comes first. However, this time period can be extended if the entity can demonstrate that additional time is needed to assess the scope of the breach and restore its data security system, or as a result of a written request from law enforcement to withhold notification of the security breach.
Effective January 1, 2017, data collectors in possession of personal information on Illinois residents will also be required to implement and maintain “reasonable security measures” to protect those records from unauthorized access, destruction, use, modification, or disclosure. In the event that one of these data collectors discloses “personal information” to a third party pursuant to a contract, that contract must include provisions requiring the third party to implement and maintain similar reasonable security measures. This contract requirement is generally similar to the requirement under the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules that a covered entity (the data collector that owns or licenses personal information) enter into a business associate agreement with its business associate, and that the business associate enter into similar business associate agreements with its subcontractors that access the protected health information (the data collectors that store or maintain the information). Unfortunately, as is the case with so many other similar laws, PIPA does not define “reasonable security measures,” leaving it up to data collectors to figure out what exactly constitutes a reasonable safeguard in relation to protecting “personal information.”
Notwithstanding the expansion of “personal information” and the range of new obligations imposed on data collectors, the PIPA amendments also provide certain carve-outs for companies subject to other privacy and security laws. For instance, a data collector that has implemented security standards in compliance with Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) – in relation to financial institution customers’ nonpublic personal information – will be deemed PIPA compliant.
Additionally, HIPAA-covered entities and business associates will also be considered to be in compliance with PIPA, provided that, if the covered entity is required under the Breach Notification Rule to notify the U.S. Department of Health and Human Services (HHS) of a breach, it also notifies the Illinois Attorney General within five (5) business days of notifying HHS. This change, in combination with the expansion of the personal information section, will make it even more important for HIPAA covered entities and business associates to satisfy all applicable requirements under the HIPAA Privacy, Security and Breach Notification Rules, as failure to do so would also subject the covered entity or business associate to potential exposure under PIPA when personal information of Illinois residents is involved. Moreover, healthcare providers that may have been able to avoid HIPAA covered entity status by avoiding involvement in HIPAA standard transactions (such as electronic claims and payment arrangements with third party payors) will now be subject to similar security standards.
Those holding personal information on Illinois residents in electronic form should review and update their security safeguards and related privacy, security, and breach notification policies, procedures and training prior to the January 1, 2017, effective date of the PIPA amendments to ensure that the amended PIPA standards are satisfied. This may also be an appropriate time to update risk analysis and review compliance under other applicable laws and regulations, such as the HIPAA Privacy, Security and Breach Notification Rules.