The Illinois breach notification law was amended on August 22 to add specifics for breach notifications to Illinois residents. The notifications now must include contact information for the credit reporting agencies and the Federal Trade Commission as well as a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The amended statute also requires a third party that stores (but does not own or license) personal data to cooperate with the owner or licensee of that data in matters related to the breach. This includes informing the owner or licensee of the breach, the approximate date of the breach and the nature of the breach as well as any steps the third party has taken with regard to the breach. The third party is not required to either disclose any trade secrets or inform anyone affected by the breach. Finally, the statute adds a new provision regarding disposal of media containing personal information. Under the amended statute, such media (either paper or electronic) must be disposed of in a way that renders the information “unreadable, unusable and undecipherable.”
Similarly, on August 31, California amended its data breach notification law to add notification specifics. The California law requires notifications to be written in plain language and to contain specific information about the dates of the breach and a list of the types of personal information that were breached. Further, the statute now requires that the notification inform affected individuals of what was done to protect them and provide advice on what the individuals can do to protect themselves. If a breach affects more than 500 California residents, it must be reported to the Attorney General’s office.