Amended Ill. Breach Notice Raises Compliance Questions

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Michael J. Bologna

May 26 — The recently amended data breach notification law in Illinois raises important questions about the compliance strategies large organizations will have to adopt to steer clear of state scrutiny, a privacy attorney told Bloomberg BNA.

“Illinois has certainly migrated to one of the more complex states with multiple categories and data elements that constitute personal information,” Mary Ellen Callahan, a Jenner & Block partner in Washington and the head of the firm's Privacy and Information Governance Practice, told Bloomberg BNA, commenting on the amended law, which was signed by Gov. Bruce Rauner (R) May 6.

At the same time, marketing and technology companies will have a lighter menu of compliance duties under the law, compared to a version passed by the Illinois General Assembly last year and then vetoed by Rauner. For example, the codified version doesn't treat geolocation and consumer marketing data as personal information.

House Bill 1260 (Public Act 99-0503) represents a significant expansion of Illinois' 2005 data breach notification law, the Personal Information Protection Act (PIPA), according to Callahan, who is the former chief privacy officer at the U.S. Department of Homeland Security. Many of the new statutory requirements are complicated and specific to Illinois, raising compliance questions for large organizations required to safeguard personal data from consumers in multiple states, she said.

“A lot of states are doing this,” she said. “They are expanding the scope of what’s personal information, which is creating more deviations among the 47 state laws, which makes compliance on a nationwide basis harder.”

New Data Categories

Although PIPA established basic protections for certain types of personal and financial information, H.B. 1260 expands that list to include electronic medical information, health insurance information, claims information and unique biometric data, which is defined as information “generated from measurement or technical analysis of human body characteristics” and then used for the purposes of authentication. The law establishes protections for a new category of personal information described as “a user name or e-mail address in combination with a password or security question and answer.”

H.B. 1260 also tightens Illinois' thresholds for disclosures to law enforcement and consumers, leaving data collectors with more rigorous post-breach compliance duties. The law specifically requires state agency data collectors to notify the Illinois Attorney General of breaches involving 250 or more Illinois residents. Data collectors must notify the state within 45 days of the discovery of a breach.

Christopher Oswald, vice president of advocacy for the Direct Marketing Association, said H.B. 1260 marks a huge improvement over Senate Bill 1833, which passed the Illinois General Assembly last Spring. DMA was one of two dozen organizations, including the Consumer Data Industry Association, NetChoice and the Electronic Retailing Association, that lobbied Rauner to veto S.B. 1833 last August (14 PVLR 1628, 9/7/15).

According to Oswald, the main difference between the bills was the removal of geolocation and consumer marketing data from the definition of personal information that must be protected by data collectors.

As Rauner noted in his veto message to the legislature, the inclusion of the two data categories would have been a significant departure from the data protection requirements in other states. Moreover, Oswald said the potential risks associated with an unauthorized distribution of consumer marketing and geolocation information fall far short of the risks posed by the loss of other types of consumer financial and personal information covered by PIPA.

Despite the removal of the two data categories, Oswald insisted H.B. 1260 represents a signification victory for Illinois consumers.

“The bill, as signed by the governor, still creates one of the most stringent data breach notification laws in the country,” Oswald told Bloomberg BNA. “It makes Illinois one of the strictest, particularly the provision that includes unique biometric data. It's in a few states, but obviously Illinois is on the leading edge.”

Opportunities for Harm

State Sen. Dan Biss (D), who drafted both S.B. 1833, expressed disappointment that the geolocation and consumer marketing language had been stripped from his original bill. In particular, he said geolocation information in the wrong hands poses significant risks to consumers, which should be addressed under state law.

In a broader context, Biss told Bloomberg BNA May 25 that the industry's thirst for data about consumers will drive states to continually update their personal information protection statutes. He said states must do more than simply protect consumers from potential “financial harm.”

“More and more of our lives exist online and that just allows new and scary opportunities for people to do bad things through a breach,” Biss said. “People will be put at risk whether that involves a direct loss of money or something else.”

Compliance Confusion

Callahan said her initial review of the new law suggests data collectors could be left with a strong degree of confusion over their compliance obligations. First, Callahan said the definition of electronic medical information is exceedingly broad, extending to a wide number of data groups including “information provided to a website or mobile application.” In this context, even a web search of a specific disease could be considered protected personal information, demanding a compliance response.

“I don’t even know how anyone can comply with that,” she said.

Callahan said a second question involves compliance unevenness between H.B. 1260 and the federal Health Insurance Portability and Accountability Act (HIPAA). Callahan noted that H.B. 1260 carries a strict liability standard in the event of a data breach, but HIPAA features a risk-based analysis before notification duties are triggered. The new law could create confusion for data collectors seeking to respond in the aftermath of a data breach, she said.

Data collectors need to think closely about their biometric data compliance strategy due to an unusual nexus with the Illinois Biometric Information Privacy Act (BIPA). BIPA imposes security requirements on any organization the collects and retains biometric identifiers, but the law is unique among the states because it also authorizes a private right of action and statutory damages when violations occur, Callahan said.

To contact the reporter on this story: Michael J. Bologna in Chicago at

To contact the editor responsible for this story: Jimmy H. Koo at

For More Information

HB 1260, as signed into law, is available at