Are You Familiar With The Illinois Data Breach Law?

A data breach is the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.” (815 ILCS 530/5) The important word here is unauthorized. If information is gathered in good faith for legitimate reasons and the information is used for the purpose it was collected, then there is no issue.

Information Description

The information in question includes first name or first initial and last name accompanied by any of the following:

  • social security number
  • account number
  • credit card number
  • driver’s license number
  • medical information
  • biometric data (fingerprint/iris scan)
  • health insurance information
  • (consumer marketing information*)
  • (geolocation information*)
  • username/email address
  • and password/security question

Again, if the data is collected and used for appropriate purposes, then there is no issue.

Notice Requirements

If a breach of information does occur, then the individual will be notified in a timely fashion. The exception to the timing rule is if law enforcement feels that notification will interfere with an ongoing investigation. Then the notification will happen when they deem it appropriate. Law enforcement will provide a request in writing, where the data breach occurred, and state that they require a delay in notification.

Method of Notice

There are several different types of notice that an individual can receive:

  • number/address consumer reporting agency
  • number/address FTC
  • written notice obtained from consumer reporting agency or FTC
  • electronic notice
  • substitute notice if an unnecessary burden is placed on the data collector (great cost, large number affected)
  • Attorney General notification (250+ resident notification within 30 days)
    • Type of information
    • Number affected
    • Steps taken for notification
    • Date/time frame breach

Who Is Considered A Data Collector?

Data collectors are “public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.” (815 ILCS 530/5)


With the addition of SB 1833, Illinois became the first state to identify geolocation and third-party consumer marketing information under the umbrella of personal information. Additionally, Illinois became the second state to require an online privacy policy. This bill is still working its way through the adoption process, though.

*The Governor in August 2015 placed an amendatory veto on the bill stating that consumer marketing information and geolocation should not be included in personal information.
