In the Digital Age, the safekeeping of personal confidential information has become a priority for public and private organizations alike. Congress has passed laws limiting who can possess confidential information, limiting the purposes for which it can be used, and requiring that custodians notify the individual if a breach of their data occurs. For example, the Gramm-Leach-Bliley Act prevents banks and financial institutions from disclosing customers’ financial information unless it is necessary to render services to the customer. The Health Insurance Portability and Accountability Act regulates health care providers and their vendors in the use and exchange of individuals’ personal healthcare information. The Family Educational Rights and Privacy Act protects the privacy of public school students’ education information.
The Illinois legislature has also passed a law designed to protect Illinois consumers’ confidential information, and it affects many Illinois businesses and employers. The Personal Information Protection Act (PIPA), 815 ILCS 530/1, prohibits government agencies, public and private universities, corporations, financial institutions, retail operators, and any other entity that handles Illinois residents’ personal information (these entities are called “data collectors”) from disclosing the information or allowing it to be accessed by anyone who is not the data collector’s agent or who does not have the individual’s authorization. 815 ILCS 530/1, 10. Protected personal information includes an individual’s first name or initial and last name in combination with the individual’s social security number, driver’s license or state identification number, or account or debit card number with security code or password. 815 ILCS 530/1. Any organization that handles this information is subject to PIPA’s requirements and penalties.
If an unauthorized disclosure of personal information occurs, it is imperative that action is taken immediately. Under PIPA, the data collector must notify each individual whose information was compromised “in the most expedient time possible and without unreasonable delay,” given the measures necessary to determine the scope of the breach and to restore the security of the data system. 815 ILCS 530/10(a). Notice may be provided in writing; by electronic notice, after the individual has given their informed consent to electronic recordkeeping in accordance with 15 U.S.C. 7001; or by substitute notice if the cost of providing notice would exceed $250,000, if the affected class of people exceeds 500,000, or if the data collector does not have the individual’s contact information. 815 ILCS 530/10(c). “Substitute notice” means email notice where the individual’s email address is known, conspicuous posting of the notice on the data collector’s website, and notification to major statewide media. 815 ILCS 530/10(c). The notice must include the toll-free numbers and street and website addresses for the major consumer reporting agencies and the Federal Trade Commission, along with a statement that the individual can obtain information from these sources about fraud alerts and security freezes. 815 ILCS 530/10(a). The notice may not contain information concerning the number of individuals affected by the breach. 815 ILCS 530/10(a). Data collectors who follow their own notification procedure as part of an information security policy, and who meet the timing requirements of PIPA, will be deemed compliant with PIPA’s notice requirements. 815 ILCS 530/10(d).
If a PIPA violation occurs, an unlawful practice is deemed to have occurred under the Illinois Consumer Fraud and Deceptive Businesses Act. 815 ILCS 530/20; 505/7. Accordingly, the Illinois Attorney General may seek remedies including an injunction, a revocation of right to do business in Illinois, restitution, and a fine up to $50,000 for each violation if a court finds the violator intended to defraud. 815 ILCS 530/20; 505/7. Additionally, the individual whose information was breached has a private cause of action if they suffered actual damages. 815 ILCS 505/10(a).
Any organization subject to PIPA would be wise to examine its data protection policies and enhance its data breach prevention initiatives. Establishing a strong data protection practice now can save your organization from the significant costs of data breach remediation under PIPA in the future.