All Employers with Illinois Employees
January 1, 2017
Contact HR On-Call
Governor Bruce Rauner recently signed a number of amendments to Illinois’s Personal Information Protection Act (“PIPA”), expanding the definition of personal information and increasing data breach notification requirements as of January 1, 2017. The amendments are highlighted below.
Under the current version of PIPA, “personal information” includes: an individual’s first name/first initial plus last name and Social Security Number; driver’s license number; state identification card number; account number or credit/debit card number; account number or credit card number plus any associated security code, access code, or password that together allow access into an individual’s financial account.
The amendment adds the following items to the definition of “personal information”: medical or health insurance information; unique biometric data; username/e-mail address plus a password, or security question and answer, which together allow access to an online account.
Any entity dealing with records containing personal information are required to “implement and maintain reasonable security measures” to protect those records.
Data Breach Notification Requirements
The amendment to PIPA requires entities to inform Illinois residents of the security breach even if the personal information is redacted or encrypted, if the password or authentication keys that would allow the information to be unencrypted are also exposed through the breach.
Further, if the breach involves a username and e-mail address, entities must send notice to affected individuals directing them to promptly change their username or password/security question and answer, as applicable, and take any other steps appropriate to protect the online account that may have been exposed.
PIPA contains a safe harbor provision for entities that are subject to and in compliance with certain federal laws (e.g., the Gramm-Leach-Bliley Act and HIPAA/HITECH). However, entities that are required to notify the U.S. Department of Health and Human Services (“HHS”) of a breach under HITECH must now also provide notification to the Illinois Attorney General within 5 days of their notification to the HHS.
- Review the text of HB 1260 here.
- Provide training to all employees who handle personal information on appropriate physical, administrative and technical controls for information security.
- Provide training to staff in charge of reporting on the enhanced breach notification requirements.
- Contact ManagEase at (888) 230-3231 to engage our services in HIPAA Compliance Training and update your handbook or other policy documents.
Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that ManagEase is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser.
© 2016 ManagEase, Incorporated.