Illinois Governor Vetoes Data Breach Bill

King & Spalding

On August 21, 2015, Illinois Governor Bruce Rauner vetoed legislation that would have modified the state’s data breach notification law.  Illinois’ Personal Information Protection Act (the “Act”) was enacted in 2005 to protect consumers from the consequences of a data breach.  The legislation, Senate Bill 1833, proposed to amend the Act by expanding the scope of protected information to encompass medical, health insurance, biometric, consumer marketing and geolocation information.  The measure also would have required that notification of a covered breach be provided to the state Attorney General within 30 business days, and that affected entities post their privacy policies online.   

In his veto message to the General Assembly, Governor Rauner expressed concern that the bill as currently written went too far and imposed “duplicative and burdensome requirements that are out-of-step with other states.”  He further contended that the bill’s requirements would hinder the state’s economic competitiveness.  Governor Rauner, a Republican who is serving his first term, also lamented “over-regulation” in the state, indicating that Illinois already suffers from a “hostile economic environment” that impedes efforts to “grow [Illinois’] economy, create new jobs, and generate more tax revenue through economic expansion.”

The Governor proposed removing “consumer marketing information” and “geolocation information” from the types of protected personal information, contending that both represent significant departures from other states’ data protection laws.  Along these lines, he also recommended changing the time period within which notice of security breaches must be made to the Attorney General from 30 business days to within 45 calendar days, and deleting language regarding the posting of privacy policies. 

The Governor indicated that he would sign the legislation once his recommended changes have been adopted.  The Illinois legislature is expected to return from summer recess on September 9 and, upon receiving the Governor’s veto message, will have 15 days to accept the recommended amendments, or override the veto.  A 3/5 vote in both houses is required to override the veto. 

The Illinois business community has engaged in significant lobbying on this legislation since its introduction in February of this year.  While the Governor’s veto is seen as a victory for business, it remains unclear the next steps that the General Assembly will take, particularly with a battle looming in the fall between the Governor and the General Assembly over budget matters. 

In related activity, the National Association of Attorneys General recently sent a letter to Congress criticizing pending federal legislation that would preempt the states’ role in data breach notification and data security matters.  

Reporters, Claudia A. Hrvatin, Washington, DC, + 1 202 661 7950, and Lauren M. Donoghue, Washington, DC, +1 202 626 8999,

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.