Illinois Attorney General seeks stronger data breach bill

Attorney General Lisa Madigan recently drafted legislation to strengthen the state’s Personal Information Protection Act (PIPA). Originally passed in 2005 at Attorney General Madigan’s direction, PIPA made Illinois among the first states in the country to require entities that suffer a data breach to notify Illinois residents if the breached information included residents’ driver’s license numbers, Social Security numbers, or financial account information. Since the law’s enactment, the extent of sensitive information collected about consumers has expanded and the threat of data breaches has increased significantly, making it necessary to update and strengthen the state’s law.

Madigan’s bill, which is sponsored by Sen. Daniel Biss and Rep. Ann Williams, will expand the types of information that require a company to notify consumers of a breach to include medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts. The bill also requires entities holding sensitive information to take “reasonable” steps to protect the information and requires entities to notify the Attorney General’s office when breaches occur. Madigan said her office would create a website that lists every data breach that affects Illinois to increase awareness among residents.

“The number, scale and scope of data breaches over the past year is alarming. The protections in place for consumers are insufficient and the response from companies collecting and storing our personal information has been unacceptable,” said Abe Scarr, Director of Illinois PIRG. “That is why we are endorsing this much needed legislation.”

SOURCE: Attorney General Lisa Madigan

Related: Improving Data Security in Illinois: Proposed Updates to the Personal Information Protection Act

About the author: Dissent