Can I avoid having a data breach response plan in Illinois? What are the requirements?
Data Breach Response Plan Requirements in Illinois
Illinois law requires that any State agency that collects personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data or written material following discovery or notification of the breach [1.1]. Therefore, it is highly recommended that all entities that collect personal information, including private and public entities, have a data breach response plan in place.
Can I avoid having a data breach response plan in Illinois?
No, entities that collect personal information cannot avoid having a data breach response plan in Illinois. Illinois law requires that any State agency that collects personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data or written material following discovery or notification of the breach [1.1][1.2]. Additionally, any State agency that suffers a single breach of the security of the data concerning the personal information of more than 250 Illinois residents shall provide notice to the Attorney General of the breach [1.1][1.2].
Furthermore, Illinois law requires that a data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure [1.4].
What are the requirements for a data breach response plan in Illinois?
Illinois law does not provide specific requirements for a data breach response plan. However, it is recommended that a data breach response plan include the following:
- A clear definition of what constitutes a data breach
- A list of individuals responsible for responding to a data breach
- A plan for containing the breach and preventing further unauthorized access
- A plan for notifying affected individuals and the Attorney General, if necessary
- A plan for providing identity theft prevention and mitigation services to affected individuals, if necessary
- A plan for reviewing and updating the response plan on a regular basis [1.1]
Additional Information
Illinois law also requires that any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach [1.2].
Illinois law also requires that State-owned electronic data processing equipment that is to be disposed of by sale, donation, or transfer must have its hard drives overwritten to protect sensitive information relating to the State and its citizens [2.1][2.2].
Finally, the Data Processing Confidentiality Act provides additional protections for confidential information held by State agencies [3.3].
Therefore, it is highly recommended that all entities that collect personal information, including private and public entities, take appropriate measures to protect personal information and comply with all relevant laws and regulations.
Source(s):
- [1.1] 815 ILCS 530/12
- [1.2] 815 ILCS 530/10
- [1.4] 815 ILCS 530/45
- [2.1] 20 ILCS 450/5
- [2.2] 20 ILCS 450/15
- [3.3] 30 ILCS 585/0.01
Jurisdiction
Illinois