Illinois Broadens Data Breach Protections

Author: Marta Moakley, XpertHR Legal Editor

June 3, 2016

Illinois Governor Bruce Rauner has signed H.B. 1260 into law, which broadens the categories of protected information under the Illinois Personal Information Protection Act (PIPA). The amendments also expand notice requirements in the event of a security breach.

The definition of personal information has been expanded to include instances where information has been encrypted or redacted but the decryption key has been acquired without authorization through a breach of security.

Under the amendments, personal information includes an individual's first name or first initial and last name in combination with any of the following:

  • Social Security number;
  • Driver's license or state identification card number;
  • Account number or credit or debit card number, or an account number or credit card number in combination with any required code or password that would permit access to a financial account;
  • Medical information;
  • Health insurance information;
  • Unique biometric data (e.g., a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data); and
  • Username or email address, in combination with a password or security question and answer that would permit access to an online account, when either the information is not encrypted or redacted, or it has been the subject of a breach.

The amendments define health insurance information as:

  • An individual's insurance policy number;
  • An individual's subscriber identification number;
  • Any unique identifier used by a health insurer to identify the individual; or
  • Any medical information in an individual health insurance application and claims history, including any appeals records.

In addition, medical information is defined as any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including any such information that has been provided to a website or mobile application.

The inclusion of medical and health information in PIPA's coverage intersects with federal protections contained in the Gramm-Leach-Bliley Act (covering financial institutions' customer information), the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act (both of which cover health information). The amendments state that if a data collector is in compliance with the provisions of those laws, or of other federal or state laws with greater protections, then the data collector will be deemed to be in compliance with PIPA. However, any notification sent under the HITECH Act to the Secretary of Health and Human Services must also be submitted to the Illinois Attorney General within five business days of notifying the Secretary.

Notifications to those affected by a breach may be in electronic or other form, and any notification regarding the breach of individual usernames or email addresses must instruct the affected individual to promptly change his or her access information (e.g., passwords, security questions) or to take other steps to protect all online accounts for which the usernames or email addresses are required.

The PIPA amendments take effect on January 1, 2017.