Earlier this year, Illinois enacted a number of changes to the Illinois Personal Information Protection Act (“PIPA”). PIPA requires any entity covered by the law to protect sensitive personal information that it maintains and issue notices to Illinois residents if their personal information is compromised. The new legislation, among other things, expands the definition of protected personal information and changes the contents of the required notice in the event of a data breach. PIPA covers personal information that entities store in either paper or electronic format, but the legislative revisions mainly address data that is stored electronically. The legislation takes effect January 1, 2017.
Expanded Definition of Personal Information and Increased Notice Obligations
Any business or other entity (public or private) that maintains, collects, or disseminates personal information belonging to Illinois residents is a “data collector” and subject to PIPA’s data protection rules. When enacted in 2006, PIPA required data collectors handling certain personal information to issue notices to Illinois residents upon discovery that personal information they handled had been the subject of a data breach. As initially drafted, PIPA defined “personal information” as an individual’s first name or first initial and last name when combined with that individual’s social security number, driver’s license number, or certain credit card, debit card, or financial account information.
The 2016 revisions expand the definition of personal information to include an individual’s health insurance information, medical information, and unique biometric data. Biometric data means data generated from measurements of human body characteristics, such as a fingerprint or a retina or iris image, that the entity uses to authenticate an individual, whether stored as a physical or digital representation. Personal information will now also include an individual’s username or email address when paired with a password or security question and answer that, if breached, would permit unauthorized access to an online account; notably, this category does not require the individual’s name to be part of the compromised data.
Email addresses and usernames are also part of PIPA’s expanded notice requirements. Specifically, if a data breach involves only this type of login credential data, the required notice may be provided in electronic or other form, and it should direct the affected Illinois resident to promptly change their username or password and security question or answer, as applicable, or to take other appropriate steps to protect all online accounts on which the resident uses the same credentials.
Helpful Guidance for Entities Subject to HIPAA
While the new legislation increases compliance obligations with respect to the types of personal data that entities need to protect, it also provides that a covered entity for purposes of the Health Insurance Portability and Accountability Act (“HIPAA”) is deemed in compliance with PIPA to the extent that the covered entity complies with HIPAA’s privacy and security standards. In the event of a security breach, a HIPAA covered entity satisfies PIPA by reporting the details of the breach to the Illinois Attorney General within five days of reporting that breach to the Secretary of the federal Department of Health and Human Services; it does not need to run a separate PIPA notice process in addition to its HIPAA breach notification. This will provide some relief to health providers, group health plans, and similar HIPAA covered entities when responding to data breaches involving the personal information of Illinois residents.
Federal and state regulators are increasingly focused on data privacy. Accordingly, entities that maintain the personal information of Illinois residents should implement appropriate security measures to mitigate the risk of a data breach. Some common sense steps include encrypting personal information that the entity uses or stores and tightly controlling access to the associated encryption keys. The second step matters as much as the first: PIPA treats properly encrypted data as falling outside the definition of personal information, but that protection is lost if the keys needed to decrypt the data were also acquired in the breach. Trusted IT and information security professionals can further assist in designing and validating these measures.