Illinois data breach law amended and includes new twists

Robinson+Cole Data Privacy + Security Insider

Governor Bruce Rauner signed several new provisions into law amending Illinois’ Personal Information Privacy Act, adding health insurance and medical information to the definition of personal information that triggers notification in the event of a breach.

Health insurance information under the law includes an individual’s health insurance policy number or subscriber identification number as well as the content of an individual’s application and information provided to a health insurer through a website or mobile application.

The law also adds biometric information, including fingerprint, retina, and iris images, to the personal information that requires notification, as well as user names or email addresses in combination with passwords or answers to security questions.

Interestingly, the new law also requires health care providers to notify the Illinois Attorney General within 5 days of notifying the Office for Civil Rights of a data breach pursuant to the HIPAA breach notification regulations. This is a first of its kind and is significant since the definition of a breach of security is not the same in the two statutes.

The new law does not recognize a safe harbor for encrypted information if the key was or is reasonably believed to have been acquired in the data breach.

Finally, following Massachusetts, Rhode Island and Connecticut, the Illinois law requires all businesses to “implement and maintain reasonable security measures” including adding data security provisions in all contracts when personal information is disclosed to a third party.

This provision emphasizes regulators' continued interest in companies requiring downstream vendors to protect the data in the same manner as the company, and the importance of vendor management and contractual provisions.

The new law goes into effect on January 1, 2017.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
