The Illinois Personal Information Privacy Act (PIPA) primarily covers data collectors, including government agencies, corporations, and any other entity that collects, disseminates, or otherwise deals with nonpublic personal information. However, the statute also specifically covers a “person” disposing of materials containing personal information.
The statute protects the personal information of Illinois residents through provisions requiring data security measures, proper data disposal methods, and data breach notification. The term “personal information” includes an individual’s full first name or first initial and last name in combination with their Social Security number, driver’s license or state ID number, credit or debit card number, health insurance information, medical information, or biometric information. An alternative definition of personal information includes specified user account login credentials. Neither definition includes publicly available information.
There are two data breach notification provisions. One provision governs state agencies that collect personal information concerning an Illinois resident, and the other governs all other data collectors. Both must notify the affected resident, upon discovery of the breach or upon notification of it by a third party, in the most expedient time possible and without unreasonable delay, consistent with determining the scope of the breach and restoring the system’s confidentiality, integrity, and availability. Notification may be delayed if law enforcement determines that it would interfere with a criminal investigation. The general data collector provisions further specify that data collectors that maintain and store, but do not own or license, the personal information must instead notify the owner or licensee and cooperate in matters relating to the breach.
Notification to the state attorney general is required for breaches that involve more than 500 residents by general data collectors, and more than 250 residents by a state agency. A state agency must also notify national credit reporting agencies for a breach of more than 1,000 residents, and the Chief Information Security Officer of the Illinois Department of Innovation and Technology for a breach of 250 residents or aggravated computer tampering. The method and content of all notifications vary by the notifying entity and the entity receiving notification.
The data security provision requires data collectors to implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure. Where the data collector enters into a contract with a third party that governs disclosure of the personal information, the contract must include a provision requiring the same of the third party. Entities subject to and compliant with GLBA, HIPAA, or other state or federal law requiring greater protection are deemed to be compliant with the provision.
A state agency that collects “personal data” is required to dispose of it in such a manner as to ensure the security and confidentiality of the material. However, any “person” must dispose of personal information in a manner that renders it unreadable, unusable, and undecipherable. If a third party contracts to dispose of the personal information, then the third party must implement, and monitor its compliance with, policies and procedures that prohibit unauthorized access to or acquisition of the personal information during its collection, transportation, and disposal. Violations of this provision are subject to civil penalties not to exceed $100 per resident and not to exceed $50,000 for each instance of disposal.