Illinois Attorney General Issues Guidance on Newly Amended Personal Information Protection Act

In the wake of amendments to the Illinois Personal Information Protection Act, 815 ILCS 530 et seq., Illinois Attorney General Lisa Madigan has issued an Information Security and Security Breach Notification Guidance (the “Guidance”). The amendments and Guidance are aimed at curtailing identity theft and fraud which occur as a result of security breaches. In the announcement accompanying the Guidance, Lisa Madigan focused on the problems of identity theft citing reports that more than 550 breaches involving more than 30 million records occurred in 2011. The Guidance encourages businesses and government agencies “to understand the scope of the personal information they collect and to train employees on how to properly maintain and handle information to prevent security breaches which in turn can help prevent identity theft.” This is advisable not only because of Illinois state law, but also because of obligations on businesses under federal law regarding identity theft prevention and claims handling.

Illinois’ Personal Information Protection Act was originally adopted in 2005 in response to an October 2004 incident involving Georgia-based ChoicePoint. ChoicePoint reportedly had sold the personal information of more than 145,000 people, including 5,000 Illinois residents, to identity thieves who pretended to be legitimate businesses. As originally enacted, the Personal Information Protection Act focused on requiring notice of data breaches to consumers. Notice was required by the Act when there was “unauthorized acquisition of computerized data that compromised the security, confidentiality or integrity of personal information maintained by a data collector.” The Act defines “personal information” consistent with the core of other states’ laws as an individual’s name in combination with the individual’s Social Security number, driver’s license number or financial account number (such as a bank account, credit or debit card number) in combination with any required security code or password that would permit access to that account.