Changes to Illinois’ Personal Information Protection Act went into effect at the beginning of this year, adding new protections for Illinois residents and more clearly defining what actions could trigger public notification following a data breach.
The changes, enacted when Gov. Bruce Rauner signed HB 1260 in May, expand the definition of “personal information” to include usernames and email addresses when they are combined with information that would allow access to an individual’s online account.
Illinois now requires companies to notify individuals if some combination of their username, password or security question has been breached by a third party.
Companies are required to notify those affected by email or postal mail to change their username, password or other identifiers such as a security question. The companies also are required to take reasonable security measures to protect records from unauthorized breach, destruction or disclosure. The law requires certain entities to provide notifications to the Illinois Attorney General, as well.
Mark L. Krotoski, a privacy and cybersecurity attorney for the firm of Morgan Lewis in Washington, D.C., told the Cook County Record that actions taken by Illinois appear to be part of a trend. Several states have moved to expand the definition of personal information subject to a data breach notification.
“California was the first state to do so in 2014, followed by Florida and Wyoming, then Nebraska and Nevada passed similar statutes last year,” Krotoski said. “We likely will see additional states make similar amendments to their data breach notification statutes.”
According to Krotoski, the law would not be triggered simply because a third party acquired a username, such as a Twitter handle, which anyone can easily see. Instead, the law requires that a combination of identifiers be breached before notification is required.
“While a username or email address may be publicly used in online forums, the statutes apply to the acquisition of a username or email address in combination with a password or security question and answer that would permit access to an online account,” Krotoski said. “The statutes protect against the possible use of this information to gain unauthorized account access.”
Krotoski said Illinois and other states are looking at other forms of personal information to determine if their release should be covered under privacy protection measures.
“This year, Illinois also added medical information, health insurance information and unique biometric data to the definition of ‘personal information’ under the Personal Information Protection Act,” he explained. “The states continue to expand the data elements that qualify as personal information. Under the California data breach notification statute, personal information is defined to include Social Security numbers, driver’s license number and California identification card number.”
Krotoski said he would advise clients who own or license computerized personal information to periodically review whether the data is reasonably secure from unauthorized access. He said companies should also consider the life cycle of stored data and whether some personal information may no longer be needed or serve a business purpose.
“Generally, access to data should be limited on a need-to-know basis,” Krotoski said. “We also recommend that companies test their incident response plan for a variety of scenarios that could lead to a data breach. Once a data breach occurs, there are many steps that will be required to determine the scope and nature of the breach, implement remediation steps and consider legal obligations and issues.”