Personal Information Protection Act Amended
On May 6, 2016, Illinois Governor Bruce Rauner signed legislation (H.B. 1260) amending the state’s Personal Information Privacy Act (PIPA). Among other things, the bill:
- Adds definitions for “health insurance information” and “medical information.”
- Expands the definition of “personal information” to include:
  - Health insurance information, medical information, or biometric data when combined with a person’s unencrypted first name or initial and last name; or
  - An unencrypted user name or email address combined with a password or security question and answer that would permit online access to an account.
- Modifies the PIPA’s encrypted information exception to exclude situations when the keys to unencrypt or otherwise read the encrypted name or data elements were obtained through the security breach.
- Modifies the breach notification content requirements, depending on the type of personal information exposed.
- Expands the substitute notice provision to allow notification through prominent local media instead of statewide media if certain conditions are met.
- Adds a requirement for state agencies to notify the Attorney General if they suffer a personal information security breach affecting more than 250 Illinois residents.
- Creates a new section on data security which requires data collectors to implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.
- Establishes an exemption for entities subject to the federal Health Insurance Portability and Accountability Act (HIPAA).
The law goes into effect on January 1, 2017.