Illinois Revises Data Breach Law to Require Notification to State Attorney General

Illinois recently signed into law Senate Bill 1624 (SB 1624), effective January 1, 2020, which adds a requirement to notify the Illinois Attorney General of a data breach involving more than 500 Illinois residents.

Currently, under the Illinois Personal Information Protection Act, a data collector (i.e., an entity that handles, collects, disseminates, or otherwise deals with nonpublic personal information) that owns or licenses personal information concerning an Illinois resident must notify the resident at no charge following discovery or notification of a breach of that data.  SB 1624 adds a requirement for data collectors who are required to issue such notice to more than 500 Illinois residents as a result of a single breach to also provide notice to the Illinois Attorney General.  The notice to the Attorney General must include: (1) a description of the nature of the breach of security or unauthorized acquisition or use; (2) the number of Illinois residents affected by the incident at the time of notification; and (3) any steps the data collector has taken or plans to take relating to the incident.  Under SB 1624, this notice must be made “in the most expedient time possible and without unreasonable delay,” and in any event must be no later than when the data collector provides notice to consumers.  SB 1624 also provides that the Attorney General may publish the impacted data collector’s name, as well as the types of compromised personal information and the date range of the breach.