Illinois recently amended its data breach notification law, with the changes going into effect on January 1, 2017. The amendment broadens the definition of personal information that, if breached, would require notification to include an individual’s first name or first initial and last name in combination with medical information, health insurance information, or unique biometric data (i.e., “a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data”). The amendment also adds to the list of triggering data elements a user name or email address when paired with a password or security question and answer that would permit access to an online account. The addition of user name and password mirrors similar changes to the laws of California, Nevada, Florida, Wyoming, and Nebraska.
The amended law provides a different procedure for notice of a breach involving a user name and password, namely that the notice may be provided electronically and should direct the affected individuals “to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.”
Similar to amendments to the laws in Tennessee and Nebraska, the amendment also narrows the encryption “exception,” i.e., the carve-out under which notification is not required if the data elements are encrypted. Namely, notice must be given even if the information is encrypted if the bad actor also acquired the encryption key, or is otherwise able to read the data elements.
TIP: Companies that maintain nationwide breach notice plans should ensure that they update their plans to address these revisions prior to the January 2017 effective date.