Attorney General Lisa Madigan Unveils New Plan to Beef Up Illinois Data Breach Law

Attorney General Lisa Madigan unveiled a new plan to beef up Illinois’ data breach law, after 67 million personal records were hit last year.

Consumers here are already protected by a state law requiring companies to notify customers of a data breach. But that 2005 law has not changed, while so much in the world of hackers has – especially the volume of sensitive information available via smartphones, geo-tagging and biometrics.

"If an entity were to have a breach, and that would include your email address, your log in, your password, health insurance information, biometric information," Madigan explained at a news conference today.

Madigan’s bill, which is sponsored by Senator Daniel Biss and Representative Ann Williams, will expand the type of information that requires a company to notify consumers of a breach, including medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts.

The bill also requires entities holding sensitive information to take “reasonable” steps to protect the information and requires entities to notify the Attorney General’s office when breaches occur. Madigan said her office would create a website that lists every data breach that affects Illinois to increase awareness among residents.

"The consumer protections in place are insufficient and the response from companies that are collecting our data and storing our information has been unacceptable," according to Illinois PIRG Director Abe Scarr.

The proposed law doesn’t spell out how quickly companies must notify affected customers, but it will recommend that they do so sooner rather than later.

"That's the whole reason for notification in the first place," Madigan says. "If you're put on alert, if you're likely to be a victim of some fraud or some identity theft, you are much more likely to monitor your accounts better."

Only four states do not have a notification law. Madigan’s proposed changes will soon head to Springfield.
