Illinois Privacy Laws

Breach Notification

Mandated Timeframe

Without unreasonable delay

Fines & Penalties

Violations

$100 up to $50,000

REGULATION LEVELS

Rated categories: Breach Reporting; Consumer Notifications; Vendor Management; Vendor Contract Required
Level scale: Minimal, Basic, Comprehensive, Extensive

LAWS RELATED TO PERSONAL INFORMATION

Regulated Breach Reporting

Breach Reporting Requirements

Consumer Notification Requirements

Vendor Notification of Breach

Vendor Requirements

Vendor Specific Obligations

Vendor Mandated Contracts

Privacy Program Requirements

Protection/Security

Employee Training

Vendor Protection/Security Program

Personal Information Protection

Data Disposal of Personal Information

Quick Facts

Illinois Privacy Law Information

  • Privacy Program

    Organizations must contract with Vendors if they disclose personal information to them, including data disposal vendors. Organizations and their contracted vendors must implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure, and must have measures in place for the secure disposal of personal information so that it cannot be read or reconstructed. Organizations in possession of biometric identifiers must ensure measures are in place for the storage, disclosure, and protection of those identifiers. In addition, they must have a publicly available written policy that states their retention schedule and disposal guidelines.

  • Consumer Rights

    Sector-specific regulations provide for an individual’s right to access their personal information. A private right of action can be brought with fines up to $5,000 or actual damages for violations of the Biometric Information Privacy Act.

  • Breach Reporting

    Organizations that experience a breach, internally or through a third party, are responsible for all regulatory reporting and consumer notification for breaches of personal information involving more than 500 Illinois residents. Reporting must be submitted to the Attorney General without delay, and no later than when the breach notification is provided to affected consumers. Reporting must include the nature of the breach, the number of affected residents, and any mitigation actions. Vendors must notify Organizations upon discovery of a breach or suspected breach, must cooperate with Organizations, and must provide all necessary information relating to the breach or suspected breach.

  • Consumer Notification

    If a breach affects residents of other jurisdictions, those individuals must be notified according to the breach notification laws of the jurisdiction where they reside.

  • Industry Specific Laws

    Vendors contracted to dispose of an Organization’s records containing personal information must maintain policies and procedures for the protection of the records from unauthorized access, acquisition, or use while in the Vendor’s possession and during disposal.

  • Fines & Penalties

    Violations of the Personal Information Protection regulations constitute an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act. Violations of the disposal regulations may result in a civil penalty of up to $100 for each affected individual, up to $50,000 for each instance of improper disposal. The Attorney General may publish the names of organizations that experience a data breach, the type of information involved, and the date range of the breach. Organizations may be fined or penalized for Vendor violations.

Illinois

Statutes and Laws

105 ILCS 10

Illinois School Students Records Act

105 ILCS 85

Student Online Personal Protection Act

740 ILCS 14

Biometric Information Privacy Act

815 ILCS 505

Consumer Fraud and Deceptive Business Practices Act

815 ILCS 530

Personal Information Protection Act

815 ILCS 530/10

Notice of breach

815 ILCS 530/40

Disposal of materials containing personal information; Attorney General

815 ILCS 530/45

Data security

815 ILCS 530/50

Entities subject to the federal Health Insurance Portability and Accountability Act of 1996