As we wrote in May 2016, Illinois was one of many states that revised their breach notification laws. That revision became effective this week. As part of the change, the definition of personal information now includes name and medical information, health insurance information, and biometric data. Biometric information is defined as including fingerprints, retina or iris images, or other “unique physical... or digital representation[s] of biometric data.” Personal information now also includes usernames or email addresses, in combination with a password or security question and answer “that would permit access to an online account.”

TIP: Companies with nationwide breach notice plans should check those plans' definitions of personal information (the data that, if breached, gives rise to a duty to notify) and ensure they have been updated to address the Illinois change.