Illinois: Proposed Privacy Legislation Expands Protected Personal Information, Clarifies Notice Obligations to Include Theft of Encryption Keys, and Adds Notice Requirements To Attorney General
By A. Louis Dorny on March 20, 2015
Leave a comment
On March 25, the State of Illinois Legislature will hold a hearing and consider changes to an existing statute known as “The Personal Information Protection Act.” (815 ILCS 530/5)
The proposed legislation expands the scope of information to be protected in Illinois to expressly include and define medical, health insurance, biometric, consumer marketing and geolocation information as protected personal information. The proposed legislation also requires breaches of security to be provided to the Illinois Attorney General.
The legislation is remarkable in that it obligates breach disclosure in the event that defined personal information is acquired by unauthorized person in its encrypted form, where encryption keys are also acquired during a breach. This makes sense, and represents an acknowledgment that where encrypted information is stolen with the associated encryption keys, the effective result is quite likely unencrypted personal information, warranting notice to Illinois consumers. From a planning perspective, the retention of protected personal information should be separate and apart from the encryption keys, to reduce the likelihood of unauthorized disclosure to unauthorized third-parties. Where there is doubt as to whether both protected personal information and encrypted keys have been wrongfully acquired, the proposed language suggests that disclosure is required to the Attorney General where a single breach affects more than 100 Illinois residents.
Bringing Illinois in line with other jurisdictions, the statute would impose an obligation to post privacy policies conspicuously on commercial internet sites or sites that collect personal information, with specific instructions as to font size and spacing. Notably, an online service who receives notice of noncompliance has 30 days to cure, to avoid violation of the proposed statute.
For a copy of the proposed changes to Illinois’ Personal Information Protection Act, please contact our Privacy & Data Security Group.