Search form

Illinois Amends Data Breach Notification Law, Adding Data Disposal Mandate

  • October 6, 2011

Illinois Governor Pat Quinn has approved a measure amending his state's data breach notification law to increase protections for Illinois residents. The changes will become effective January 1, 2012.

Information Required and Forbidden

Under the amendment, the following new information must be included in breach notifications:

  • the toll-free numbers and addresses for consumer reporting agencies,
  • the toll-free number, address, and website address for the Federal Trade Commission, and
  • a statement that the individual can obtain information from these sources about fraud alerts and security freezes.

Information concerning the number of Illinois residents affected by the breach shall not be included in breach notifications.

“Data Collectors” or Third Parties

The amendment provides new requirements for "data collectors" that maintain or store, but do not own or license, computerized data. 

As is the case with the breach notification statutes in other states, entities in Illinois that maintain or store certain personal information on behalf of the owner or licensee of that data also have obligations in the event of a breach of security of that data. Generally, they must notify the owner of the breach. For example, imagine a third-party claims administrator or an accounting firm performs services for ABC Corp. (the owner) that requires the administrator or accounting firm to maintain or store the personal information. If an employee of the administrator or accounting firm loses a laptop containing ABC Corp.'s personal information, or the employee or a third party impermissibly accesses or acquires the information, the administrator or accounting firm would be required to notify ABC Corp., which, in turn, would need to notify the affected individuals.
Illinois' amended breach notification law requires companies that maintain or store personal information to cooperate with the owner or licensee in matters relating to the breach, by notifying the owner or licensee of:

  • the date or approximate date of the breach and the nature of the breach, and
  • any steps the entity has taken or plans to take relating to the breach.

However, this cooperation shall not require either (i) the disclosure of confidential business information or trade secrets of the company that maintains or stores the information, or (ii) the notification of an Illinois resident who may have been affected by the breach.

New Mandate for Disposing Materials Containing Personal Information

The amended law requires "persons" (including natural persons, corporations, partnerships, associations, or other legal entities, including governmental entities) to dispose of the materials containing personal information "in a manner that renders the personal information unreadable, unusable, and undecipherable." The law provides examples of proper disposal methods:

  • Paper documents containing personal information may be redacted, burned, pulverized, or shredded so that personal information cannot practicably be read or reconstructed.
  • Electronic media and other non-paper media containing personal information may be destroyed or erased so that personal information cannot practicably be read or reconstructed.

Companies may engage third parties to carry out the disposal of personal information, provided that the third parties implement and monitor compliance with policies and procedures that prohibit unauthorized access to, acquisition of, or use of personal information during the collection, transportation, and disposal of materials containing personal information. It is recommended that service contracts be carefully drafted to address these issues and appropriate steps be taken to monitor compliance.

Penalties for violations of the disposal requirements can be up to $100 for each individual whose personal information is disposed, subject to a maximum of $50,000 for each instance of improper disposal.

Jackson Lewis attorneys are available to assist you in complying with the new law.

©2011 Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.

Focused on labor and employment law since 1958, Jackson Lewis P.C.'s 950+ attorneys located in major cities nationwide consistently identify and respond to new ways workplace law intersects business. We help employers develop proactive strategies, strong policies and business-oriented solutions to cultivate high-functioning workforces that are engaged, stable and diverse, and share our clients' goals to emphasize inclusivity and respect for the contribution of every employee. For more information, visit