Personal Information Protection Act Amended

On May 6, 2016, Illinois Governor Bruce Rauner signed legislation (H.B. 1260) amending the state’s Personal Information Protection Act (PIPA). Among other things, the bill:

  • Adds definitions for “health insurance information” and “medical information.”
  • Expands the definition of “personal information” to include:
    • Health insurance information, medical information, or biometric data when combined with a person’s unencrypted first name or initial and last name; or
    • An unencrypted user name or email address combined with a password or security question and answer that would permit online access to an account.
  • Modifies the PIPA’s encrypted information exception to exclude situations when the keys to unencrypt or otherwise read the encrypted name or data elements were obtained through the security breach.
  • Modifies the breach notification content requirements, depending on the type of personal information exposed.
  • Expands the substitute notice provision to allow notification through prominent local media instead of statewide media if certain conditions are met.
  • Adds a requirement for state agencies to notify the Attorney General if they suffer a personal information security breach affecting more than 250 Illinois residents.
  • Creates a new section on data security which requires data collectors to implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.
  • Establishes an exemption for entities subject to the federal Health Insurance Portability and Accountability Act (HIPAA).

The law goes into effect on January 1, 2017.

Read IL H.B. 1260