On June 25, the Illinois Legislature sent Senate Bill 1624 to Gov. J. B. Pritzker. The legislation adds a requirement to Illinois’ data breach notification law to notify the attorney general in the event of certain data breaches. The bill will become law if not returned by the governor by Aug. 24, 2019.

The legislation would amend the Personal Information Protection Act, 815 ILCS 530/10, by requiring that any data collector who must inform more than 500 Illinois residents of a data breach also provide notice to the attorney general describing:

  1. the nature of the breach;
  2. the number of affected residents; and
  3. any steps taken or intended to be taken.

The notice must be provided “in the most expedient time possible and without unreasonable delay but in no event later than when the data collector provides notice to consumers pursuant to this Section.”

Under existing law, if the data collector owns or licenses personal information, notice of the breach must be provided “in the most expedient time possible and without unreasonable delay . . .” 815/ILCS 530/10(a). If the data collector maintains or stores, but does not own or license the computerized data that includes personal information, notice of the breach must be given “immediately after discovery.” 815/ILCS 530/10(b).

The legislation allows the attorney general to “publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.”