On August 22, Illinois Governor Pat Quinn signed House Bill 3025 into law. In doing so, he aligned Illinois with a small group of states responding to increased concern about privacy and information security by retooling their existing information security breach notification frameworks. HB3025, in particular, amends the state’s breach notification law to specify both the types of information that should be provided to notice recipients and the breach notice obligations of service providers that maintain or store, but don’t own or license, personal information about Illinois residents.
A handful of U.S. states currently dictate what content, at a minimum, must be included in notices to individuals regarding a compromise of their personal information. In many instances, such information is included in order to help recipients evaluate what actions to take in response to a breach of personal information. At present, Illinois is not one of these “select” states. It soon will be. As of January 1, 2012, security breach notices to Illinois residents must include contact information for credit reporting agencies and the Federal Trade Commission, along with a “statement that the individual can obtain information from these sources about fraud alerts and security freezes.”
HB3025 also expands the reach of the state’s breach notice law to include service providers who maintain or store, but don’t own or license, personal information. It then requires such service providers to cooperate with the data owner or licensor with respect to breaches of personal information in the service provider’s care. Such cooperation must include “(i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach.” But the service provider is not required to disclose its own confidential business information or trade secrets, nor to notify Illinois residents of the breach (that obligation remains with the data owner or licensor). With these amendments, Illinois joins seven other states in mandating cooperation between data owners and service providers.
In addition to amending the state’s breach notice law, HB3025 also establishes standards for disposing of materials containing personal information. Under the new law, a “person must dispose of [any] materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable.” Appropriate methods of disposal include, for example, redacting, burning, pulverizing, or shredding hard copy records and destroying or erasing electronic media so that personal information cannot practicably be read or reconstructed. If you don’t want to, or can’t, do these things yourself, the law allows you to contract with a third party who will do them for you so long as appropriate monitoring policies and procedures are implemented to ensure that the third party will properly carry out its duties and protect the security of personal information. Once again, Illinois is not alone in requiring proper disposal of records containing personal information. In fact, Illinois’ new records disposal provisions closely track those already in existence in several other states.
If you operate nationwide, HB3025 won’t add much to your breach response plan, since other state breach notification laws already include similar requirements. If not, HB3025 and the wave of recent amendments to state information security breach notice laws only further complicate an already difficult compliance landscape. So exactly when, you ask, will we get some federal relief from the burden of tracking and complying with almost fifty different breach notification laws? Good question.