Illinois is set to become the 29th state that will require data breaches affecting more than 500 residents to be reported to the state’s attorney general.
The proposed amendment to the state’s Personal Information Protection Act – which currently only requires notice to the affected residents – provides that, when more than 500 Illinois residents are affected by a “single breach of the security system,” notice must also be given to the Illinois Attorney General “in the most expedient time possible and without unreasonable delay but in no event later” than when the residents are notified of the incident. Notices to the AG’s office must include a description of the “breach of security or unauthorized acquisition or use;” the number of Illinois residents affected; and “[a]ny steps … taken or plans to take relating to the incident.”
Much like with healthcare-related breaches, the proposed amendment permits the AG to “publish” the name of the "data collector" that suffered the breach, the nature of the personal information that was compromised, and the dates of the incident.
The amendment to PIPA was sponsored by Senator Suzy Glowiak. In a blog post, Senator Glowiak said “[e]mpowering the Illinois Attorney General to step in on behalf of consumers will help ensure there are protections in place during these unfortunate events and give them enough notice to make sound decisions.”
Illinois Governor JB Pritzker is expected to sign the bill into law shortly.
In addition to the 28 states that currently require notification to their state attorneys general when a breach affects 500 residents, there are six states that require a similar notice but only when 1,000 individuals are affected.