On May 6, 2016, Illinois expanded its definition of protected personal information, joining a number of other states that have made similar changes. A change this significant affects everyone currently managing a business and anyone trying to start one. Compliance comes down to putting the right measures in place, and this article explains what the Illinois Personal Information Protection Act (PIPA) changed so that you are better prepared to work with it.

Originally, the definition covered only an individual’s first name or initial and last name in combination with a Social Security number; a driver’s license number or state identification card number; or an account number or credit/debit card number, or an account number together with an access code or password, that would permit access to the individual’s financial account.

The new definition includes an individual’s first name or initial and last name in combination with medical information, health insurance information, or unique biometric data such as fingerprints or a retina image. It also covers a user name or email address in combination with a password. Finally, it clarifies that if personal information is encrypted or redacted but the decryption keys or the readable data elements have also been acquired, notification may still be required.

Furthermore, under the new law, if notice is required and the breach of security involves an individual’s user name or email address, the notice should ask the user to “promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.”

For companies that have not already done so, the law requires any company that deals with records containing personal information about Illinois residents to “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” The same obligation applies to any person receiving that information.

Finally, the new law deems entities to be in compliance with PIPA if they are “subject to and in compliance with” the Gramm-Leach-Bliley Act Safeguards Rule. Likewise, entities subject to and in compliance with the Privacy and Security Rules for the protection of electronic personal health information under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) are deemed to comply with PIPA. However, if an entity is required by HITECH to notify the U.S. Department of Health and Human Services (HHS) of a breach, it must also notify the Illinois Attorney General within five business days of notifying HHS.

It is quite a lot to take in, but following everything laid out above keeps you within the safety net of the law while also making sure your customers feel safe doing business with you. It may mean a lot of paperwork, but their safety is your primary concern, so the end result is worth the effort.