Illinois Data Breach Notice Law Renewed

The Illinois data breach notice rule has been updated, widening the definition of private information and modifying the timescale for notifying the Attorney General of data breaches.

A breach notice will have to be issued if an individual’s complete name or last name, as well as signature, is exposed in combination with any of the following data elements:


  • Health insurance information
  • Medical information
  • Email addresses and usernames (together with PINs or other data that would allow access to accounts to be gained)
  • Biometric data
  • Credit or debit card number
  • Social Security number
  • Driver’s license number

Notices will not be required if the exposed data are freely available or if a breach occurs and the data are encrypted.

The updated rule specifically cites health insurance information, which includes a health insurance policy number, subscriber ID number, or any other unique identifier used to identify a person. Any medical information provided to a health insurer in an application, claims history, or appeals records is also included in the new definition.

The exposure of information relating to a person’s physical or mental condition, medical history, or diagnosis and treatment information is also now covered. The rule applies not only to businesses that store these data, but also to data provided through mobile apps and websites.

The definition of private information has been extended to include usernames if combined with a password or answers to security questions, as has happened in Florida, California, and Nebraska. However, rather than requiring a written notice to be sent to affected persons, notices of breaches of “online information” may be delivered electronically. Breach victims will have to be told how they can change their passwords, login names, or security questions as appropriate, and must be directed to do so quickly.

Companies that are required to comply with HIPAA, including business associates (BAs) of HIPAA-covered entities, will be deemed to be in compliance with the updated state rules, although only if a breach notice is required to be submitted to the HHS’ Office for Civil Rights.

HIPAA-covered entities will be required to issue a breach notice to the state attorney general within 5 days of the notification being submitted to the Office for Civil Rights.

State governor Bruce Rauner signed the updated rule earlier this month, and the updates will come into effect on January 1, 2017.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology and cybersecurity. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.