Illinois recently passed House Bill 3025, which amends its breach notification law, entitled the Personal Information Protection Act, 815 ILCS 530/1. The amendments – which go into effect on January 1, 2012 – are significant because they specify both the types of information that are required in a breach notice and the obligations of service providers that maintain or store, but do not own or license, personal information about Illinois residents.
Content. Illinois’ breach notification law imposes different obligations on data collectors that “own or license personal information concerning an Illinois resident” than on data collectors that do not own or license, but do maintain or store, PI. With respect to the former category, the revised law requires that any disclosure to an Illinois resident of a data security incident must include (but need not be limited to): (i) any toll-free numbers and addresses for consumer reporting agencies; (ii) the toll-free number, address and website address for the Federal Trade Commission; and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes. Similar content requirements were added to section 12 for breach notices to state agencies (with the additional proviso that such notifications may be delayed if notification would interfere with a criminal investigation).
Cooperation. Data collectors that maintain or store PI (but do not own or license it) are required, in addition to notifying the owner or licensee, to cooperate with the owner or licensee “in matters relating to the breach,” including: (i) informing the owner or licensee of the breach, including the approximate date of the breach and the nature of the incident; and (ii) informing the owner or licensee of any steps taken or planned relating to the breach. However, such service providers are not required to disclose confidential business information or trade secrets, nor to notify Illinois residents of the breach, as that particular obligation remains with the data collectors that own or license the PI.
Disposal. Finally, HB3025 establishes standards for disposing of materials containing PI. It provides that a “person must dispose of [any] materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable.” Thus, paper documents containing PI must either be redacted, burned, pulverized (sounds fun!) or shredded and electronic media containing PI must be either destroyed or erased so that the PI cannot practicably be read or reconstructed. Notably, the revised law does allow “persons” (defined therein) to contract with a third party to handle disposal obligations provided that appropriate monitoring policies and procedures are implemented to ensure the protection and security of the PI. Violators of the Disposal Rule are subject to a civil penalty of “not more than $100” for each affected individual and such penalties may not exceed $50,000. The Attorney General is vested with authority to impose fines (after notice and an opportunity to be heard has been afforded) as well as to commence a civil action in the circuit court to recover any penalties imposed, if necessary.