Personal Information Protection Act Amended

On May 6, 2016, Illinois Governor Bruce Rauner signed legislation (H.B. 1260) amending the state’s Personal Information Protection Act (PIPA). Among other things, the bill:

  • Adds definitions for “health insurance information” and “medical information.”
  • Expands the definition of “personal information” to include:
    • Health insurance information, medical information, or biometric data when combined with a person’s unencrypted first name or initial and last name; or
    • An unencrypted user name or email address combined with a password or security question and answer that would permit online access to an account.
  • Modifies the PIPA’s encrypted information exception to exclude situations when the keys to unencrypt or otherwise read the encrypted name or data elements were obtained through the security breach.
  • Modifies the breach notification content requirements, depending on the type of personal information exposed.
  • Expands the substitute notice provision to allow notification through prominent local media instead of statewide media if certain conditions are met.
  • Adds a requirement for state agencies to notify the Attorney General if they suffer a personal information security breach affecting more than 250 Illinois residents.
  • Creates a new section on data security which requires data collectors to implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.
  • Establishes an exemption for entities subject to the federal Health Insurance Portability and Accountability Act (HIPAA).

The law goes into effect on January 1, 2017.

Read IL H.B. 1260