Effective January 1, 2017, Illinois House Bill 1260 significantly broadened the scope of the state’s Personal Information Protection Act. Included in the bill are key provisions that follow trends we identified in 2015 and 2016 as states continue to enact increasingly stringent and complex data breach notification legislation including amendments that significantly expand the scope of personal information. Illinois HB 1260:
- Expands the definition of personal information to include medical information, health insurance information, certain unique biometric data, and a username or email address in combination with a password or security question and answer
- Requires that the attorney general be notified of a breach in certain circumstances (more below)
- Limits the encryption safe harbor: encrypted data is no longer exempt from notification if the encryption key was acquired, or is reasonably believed to have been acquired, in the data breach
Attorney general notification for HIPAA-regulated entities
One of the changes to the Illinois Personal Information Protection Act is a bit unusual relative to other state data breach notification legislation. In recent years, we’ve seen a number of states add a requirement for private entities to notify the attorney general in the event of a breach. HB 1260 frames its attorney general notification requirement differently: rather than applying to private entities generally, it applies to HIPAA-regulated entities that are required to notify the Secretary of Health and Human Services (HHS) of a breach.
This trigger for attorney general notification is a first in state breach laws. “Notably, private companies are not required to notify the Attorney General of data breaches that do not trigger notice to the Secretary of HHS under the HITECH Act,” writes Bruce Sarkisian on the Alston & Bird Privacy & Data Security Blog.
In her article, “Illinois data breach law amended and includes new twists,” Linn Freedman also comments: “Interestingly, the new law also requires health care providers to notify the Illinois Attorney General within 5 days of notifying the Office for Civil Rights of a data breach pursuant to the HIPAA breach notification regulations. This is a first of its kind and is significant since the definition of a breach of security is not the same in the two statutes.”
Additional reading on Illinois HB 1260:
- Data Privacy Security Insider: Illinois data breach law amended and includes new twists
- Alston & Bird Privacy & Data Security Blog: Illinois makes extensive changes to data breach notification law
- Health IT Security: IL data breach notification law to include healthcare data
- Lexology: Nebraska and Illinois Update Breach Notice Requirements
- McDonald Hopkins: Illinois toughens up on privacy by bolstering its breach notification law
What this means for privacy and security teams
Companies handling data that includes the personal information of Illinois residents should know that their breach notification obligations have changed significantly, particularly with regard to the types of personal information that can trigger notification to affected individuals. For HIPAA-regulated entities, an Illinois incident now has to be assessed against two definitions of a breach, the state definition and the federal one, and the two do not match. That adds a real layer of complexity to the assessment process.
Best practices to prepare for a privacy incident remain:
- Review your incident response process and know your procedures
- Prepare your core and extended team
- Button up business associate agreements
If you’re a RADAR customer, the RADAR regulatory team continuously tracks changes in data breach notification laws for you. You can also expect to see changes in state data breach notification laws applied in RADAR the same day the law goes into effect.