A data breach is the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.” (815 ILCS 530/5) The important word here is unauthorized. If information is gathered in good faith for legitimate reasons and is used for the purpose for which it was collected, then there is no issue.
The information in question includes first name or first initial and last name accompanied by any of the following:
Again, if the data is collected and used for appropriate purposes, then there is no issue.
If a breach of information does occur, then the individual will be notified in a timely fashion. The exception to the timing rule is if law enforcement feels that notification will interfere with an ongoing investigation. Then the notification will happen when they deem it appropriate. Law enforcement will provide a written request to the entity where the data breach occurred, stating that they require a delay in notification.
Method of Notice
There are several different types of notice that an individual can receive:
Who Is Considered A Data Collector?
Data collectors are “public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.” (815 ILCS 530/5)
*The Governor in August 2015 placed an amendatory veto on the bill stating that consumer marketing information and geolocation should not be included in personal information.