Illinois recently amended its data breach notification law, joining a number of states that have also amended their own breach notification statutes this year. States appear to be looking to strengthen their breach notification laws by expanding the definition of “personal information” covered by the laws, clarifying the role of encryption in providing a safe harbor, and redefining content and timing requirements for notifications provided to affected persons.
Effective January 1, 2017, the amendments to Illinois’ Personal Information Protection Act (“PIPA”) broaden the definition of protected “personal information” to now include an individual’s first name or first initial and last name in combination with medical information, health insurance information, or unique biometric data (such as a “fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data”). As currently written, PIPA limits “personal information” to an individual’s first name or first initial and last name in combination with any of the following: Social Security number, driver’s license number or state identification card, or account number or credit or debit card number. Additionally, the new definition of “personal information” now includes an individual’s user name or email address in combination with a password or security question and answer that would permit access to an online account.
Like the changes made this year to Tennessee and Nebraska’s data breach laws, PIPA’s amendment clarifies the encryption safe harbor. Under the existing version of PIPA, notification was not required if the breached data was encrypted. However, the newly amended PIPA requires notice even for encrypted information if the decryption key was also acquired.
Depending on the type of information breached, the required notification procedure has also changed. For breaches of security involving individual user names or email addresses, the notice now must direct the individual “to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.”
It might seem that expanding the definition of personal information to include medical, health insurance, and biometric information would also expand PIPA’s reach to cover many additional companies. However, the new amendments provide certain carve-outs for companies subject to other privacy and security laws. Specifically, entities “subject to and in compliance with” Section 501(b) of the Gramm-Leach-Bliley Act, which relates to the security and confidentiality of financial institution customers’ nonpublic personal information, will be deemed PIPA compliant. Entities subject to and adhering to requirements under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act will also be considered in compliance with PIPA, except that if, under HITECH, the entity is required to notify the U.S. Department of Health and Human Services of a breach, it must also notify the Illinois Attorney General within five business days.
These recent changes, as well as amendments in Tennessee and Nebraska, indicate a renewed focus by states on strengthening data breach notification laws, and similar amendments in other states may follow. While no company likes to think about the possibility that it might become the target of a data breach, there are preventative steps companies can take to minimize the impact of a breach.