The threat of the theft or accidental disclosure of electronic personal information is on the rise. On January 1, 2017, new legislation went in effect amending the Illinois Personal Information Protection Act (the “Act”) to expand the definition of protected personal information and increase certain security and notification requirements for data breaches. Important amendments to the Act include:

  1. Expanded definition of “Personal Information” for which notice of a breach is required to include certain medical and online account information. The definition of “Personal Information” includes an individual’s first name or first initial and last name and any of the following:
  1. social security number;
  2. driver’s license or State identification card number;
  3. account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  4. medical information (including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a healthcare professional, including such information provided to a website or mobile application);
  5. health insurance information (including an individual’s health insurance policy number or subscriber identification number or any other unique identifier); and
  6. unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.

The definition of “Personal Information” also includes an individual’s user name or email address in combination with a password or security question and answer that would permit access to an online account.

  1. Expanded Notification Requirements. If a security breach involves an individual’s user name or email address, in addition to a password or security question answer that can allow access to an online account, notice is required to inform the individual that his account information has been breached and that he should promptly change his user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the individual uses the same user name or email address and password or security question and answer.
  2. Expanded Data Security Requirements for Data Collectors.  Any data collector that owns, maintains, stores, or licenses records that contain Personal Information must implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
  3. Compliance with HIPPA. The Act also provides that any covered entity or business associate that is subject to and in compliance with the privacy and security standards for the protection of electronic health information established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (“HIPPA”) and the Health Information Technology for Economic and Clinical Health Act shall be deemed to be in compliance with the provisions of the Act, provided that notification of a breach is provided to the Illinois Attorney General within five business days of notifying the Secretary of Health and Human Services.

If you have any questions regarding the Personal Information Protection Act’s application to your business or your obligations under the Act, please contact:

Kristen E. O’Neill at: or 312-368-0100.