On May 6, 2016, Illinois Governor Bruce Rauner signed HB1260, which significantly updates the state’s Personal Information Protection Act. The changes take effect on January 1, 2017. Once the new law is in effect, Illinois’ data breach notification statute will carry one of the broader definitions of the personal information whose unauthorized acquisition triggers notification to individuals.
Starting in 2017, the definition of personal information in the Act will include an individual’s full name, or first initial and last name in combination with their health insurance policy number or subscriber identification number, or any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, “including such information provided to a website or mobile application.” Illinois is the first state to expressly include medical information provided to a website or mobile application in the definition of information triggering breach notification, but it is unclear whether calling out the method of providing medical information in the statute will impact a company’s notice obligations. A company that has been provided medical information, by whatever means, is likely to be required to notify affected individuals if that information is compromised.
Joining California, Florida and Nebraska, Illinois will now require individuals to be notified if their user name, in combination with a password or security question and answer that would permit access to an online account, is acquired without authorization. When credentials to an online account are affected, the breached entity may notify individuals in electronic or other form, directing the affected individual to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the individual uses the same user name or email address and password or security question and answer. This electronic notice may be provided in lieu of notice about the breach by mail.
In addition, the Act now expressly provides that entities that are subject to and in compliance with the “safeguards” provisions of the Gramm-Leach-Bliley Act are deemed to be in compliance with the Illinois Personal Information Protection Act. Entities subject to the privacy and security standards for the protection of electronic health information under HIPAA and the HITECH Act are likewise deemed to be in compliance with the provisions of the Act; provided, however, that if notification of a breach to the Secretary of Health and Human Services is required under the HITECH Act, the entity must also provide notification to the Illinois Attorney General within five business days of notifying the Secretary. Notably, private companies are not required to notify the Attorney General of data breaches that do not trigger notice to the Secretary of HHS under the HITECH Act.