[BreachExchange] Illinois data breach law amended and includes new twists

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 5 19:22:26 EDT 2016


http://www.jdsupra.com/legalnews/illinois-data-breach-law-amended-and-33861/

Governor Bruce Rauner signed several new provisions into law amending
Illinois’ Personal Information Privacy Act, adding health insurance and
medical information to the definition of personal information that
triggers notification in the event of a breach.

Health insurance information under the law includes an individual’s health
insurance policy number or subscriber identification number as well as the
content of an individual’s application and information provided to a health
insurer through a website or mobile application.

The law also includes biometric information as personal information that
requires notification, including a fingerprint, retina, and iris images, as
well as user names or email addresses in combination with passwords or
answers to security questions.

Interestingly, the new law also requires health care providers to notify
the Illinois Attorney General within 5 days of notifying the Office for
Civil Rights of a data breach pursuant to the HIPAA breach notification
regulations. This is a first of its kind and is significant since the
definition of a breach of security is not the same in the two statutes.

The new law does not recognize a safe harbor for encrypted information if
the key was or is reasonably believed to have been acquired in the data
breach.

Finally, following Massachusetts, Rhode Island and Connecticut, the
Illinois law requires all businesses to “implement and maintain reasonable
security measures” including adding data security provisions in all
contracts when personal information is disclosed to a third party.

This provision emphasizes regulators’ continued interest in companies
requiring downstream vendors to protect the data in the same manner as the
company, and the importance of vendor management and contractual
provisions.

The new law goes into effect on January 1, 2017.