Breach Notification, Disposal Standards Added to Illinois Personal Information Protection Act

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

The Illinois Personal Information Protection Act has been amended to provide additional safeguards and penalties surrounding the protection of personal information, including prevention of and response to a security breach.

A new provision added to the Act requires the disposal of “materials containing personal information in a manner that renders the information unreadable, unusable and undecipherable.” The law containing the amendments (H. 3025, Public Act No. 483) was approved on August 22, 2011 and will be effective on January 1, 2012.

Detailed Notification of Breach

The amended Act provides additional details as to what security breach notifications must contain. Previously, the Act required entities to notify affected individuals that a breach had occurred, but it did not specify what the notification should include.

The changes require notifications to include:

• Toll-free numbers and addresses for consumer reporting agencies;

• The toll-free number, address, and website for the Federal Trade Commission; and

• A statement that the individual can obtain information from these sources about fraud alerts and security freezes.

Application to Storage of Data

The amended Act will apply security breach notification requirements to any data collector that maintains or stores computerized data. The current version of the Act does not apply to data collectors that merely stored data for others. Moreover, service providers will be required to cooperate with data owners or licensees in regard to the breach.

Data Disposal Requirements

The new data disposal provision specifies the following proper methods for disposal of personal information:

• Paper documents containing personal information may be redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed; and

• Electronic media or other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.

Any person, entity, or third-party is subject to a civil penalty of $100 (capped at $50,000) per individual whose personal information was not disposed of properly, and the attorney general may bring a civil suit to impose a penalty.

Text of Public Act No. 483 appears here. The current version of the Illinois Personal Information Protection Act is reported at CCH Privacy Law in Marketing ¶31,300.