Earlier this year, Illinois enacted a number of changes to the Illinois Personal Information Protection Act (“PIPA”). The amendments to PIPA, among other things, expand the definition of personal information subject to protection and change the contents of the notice that entities are required to send to affected Illinois residents in the event of a data breach. PIPA generally covers personal information that entities handle in either paper or electronic format, but the legislative revisions mainly address electronic data.  The amendments take effect January 1, 2017.

Expanded Definition of Personal Information and Increased Notice Obligations

Any business or other entity (public or private) that maintains, collects, or disseminates personal information belonging to Illinois residents is a “data collector” and subject to PIPA’s data protection rules. When enacted in 2006, PIPA required data collectors handling certain personal information involving Illinois residents to issue notices to those residents upon discovery that personal information that it handled had been the subject of a data breach.  As initially drafted, PIPA defined “personal information” as an individual’s first name or first initial and last name when combined with an individual’s social security number, driver’s license number, or certain credit card or debit card information.

The 2016 amendments to PIPA expand the definition of personal information to include an individual’s health insurance information, sensitive medical information, and biometric data. Biometric data includes retina or iris images and other biological data that an entity maintains in digital format.  Personal information will now also include an individual’s username or email address when paired with a password or security question that, if breached, would permit unauthorized access to an online account.

Email addresses, usernames and login information are also part of PIPA’s expanded notice requirements.  Specifically, if a data breach involves this type of data, the required notice should direct the affected Illinois resident to promptly change their username or password or to take additional steps to protect their online accounts.

Helpful Guidance for Entities Subject to HIPAA

While the updates to PIPA provide increased compliance obligations with respect to the types of personal data that entities need to protect, the legislation also provides that a covered entity for purposes of the Health Insurance Portability and Accountability Act (“HIPAA”) is deemed in compliance with PIPA to the extent that it meets HIPAA’s privacy and security standards.  The legislation provides that in the event of a security breach, a HIPAA covered entity only needs to report details of the data breach to the Illinois Attorney General within five days of reporting such breach to the Secretary of the federal Department of Health and Human Services.  This will provide some relief to health providers, group health plans, business associates, and similar HIPAA covered entities when responding to data breaches of protected health information involving Illinois residents.

Federal and state regulators are increasingly focused on data privacy.  Accordingly, entities that maintain the personal information of Illinois residents should implement appropriate security measures to mitigate the risk of a data breach. Some common sense steps include encrypting sensitive personal information that it uses or stores and protecting access to associated encryption keys.  Trusted IT professionals can further assist in enhancing security measures.