It seems that every other month we wake up to a news story outlining the details of a massive personal information breach. These breaches of information leave enormous amounts of personal and sensitive information at risk. As the world we live in becomes more mobile and electronic, the risk to our personal information is ever increasing. No single, comprehensive federal law provides for the safety of personal information. As such, a number of states have taken it upon themselves to protect their residents. Currently, 48 states, including Illinois, have their own data breach and personal information protection laws. These laws vary in terms of what is required in the event of a breach and the protections the laws afford.

In 2005 the Illinois legislature adopted the Illinois Personal Information Protection Act (“PIPA”). 815 ILCS 530/1 et seq. PIPA protects the nonpublic personal information of Illinois residents from unauthorized disclosure. When there has been an unauthorized disclosure of personal information, a breach occurs. Under PIPA, a breach is “an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.”

“Personal Information” is defined as:

[a]n individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(1) Social Security number.

(2) Driver’s license number or State identification card number.

(3) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

PIPA applies to all corporations or entities that collect nonpublic personal information outlined above. The entities subject to PIPA are vast and are known as “Data Collectors.”  The Act defines Data Collector as, “government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.” This definition, however, is not an exhaustive list of entities subject to PIPA. Thus, it is vital that a company evaluate whether or not it collects the sort of information defined within the Act.

Following the discovery or notification of a breach, a data collector that owns or licenses an Illinois resident’s personal information must notify the resident of the breach. The notification is at the expense of the data collector and not the Illinois resident. A violation of PIPA is considered an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Act. Under the statute, the Illinois Attorney General has broad enforcement powers and may seek remedies against a business in violation of the Act. Those remedies include injunctive relief, suspension of licenses, revocation of the right to do business in Illinois, restitution, and civil penalties up to $50,000. If the violation is performed with the intent to defraud a resident, a court may impose a civil penalty of up to $50,000 for each violation. Additional penalties apply to violations involving a person over the age of 65. PIPA also allows for a private right of action.

The question of a data breach in today’s electronic world is not if, but when. Failure to comply with data breach notification laws could result in a crippling effect to your business. If your company collects the personal data of Illinois residents, it is crucial to understand the legal requirements under Illinois law in order to ensure compliance. It is equally as important to understand the legal requirements of any other state in which your consumers are located, as their laws may also apply. 

–  Beermann Business Law Group