Illinois Cybersecurity & Privacy Laws: A Guide for SMBs & Licensees
Navigate the complex data security and privacy landscape in Illinois. TEKRiSQ helps Small and Medium Businesses and Insurance Licensees understand their compliance obligations to protect data and avoid penalties.
Understanding Data Protection in the Land of Lincoln
Illinois is a leading state in data privacy and cybersecurity legislation, with several significant laws that impact businesses operating within its borders. These laws go beyond general data breach notification, imposing specific requirements on how personal and even biometric information is handled.
For Small and Medium Businesses (SMBs) and entities holding specific licenses (like insurance companies) operating in or serving Illinois residents, adherence to these laws is crucial. Non-compliance can lead to significant financial repercussions, legal challenges, and damage to your business’s reputation. Illinois is known for its strong enforcement, particularly regarding biometric data.
This guide provides a clear overview of Illinois’s key cybersecurity, data security, and privacy laws, summarizing your responsibilities and explaining why proactive compliance is essential for protecting your data and ensuring business continuity.

Illinois Personal Information Protection Act (PIPA) (815 ILCS 530/1 et seq.)

What is This Law?
The Illinois Personal Information Protection Act (PIPA) is Illinois’s primary data breach notification law. It requires “data collectors” (any entity handling personal information) to notify affected Illinois residents in the event of a security breach involving unencrypted or unredacted personal information.
Key SMB Responsibilities:
- Definition of Personal Information: Includes an individual’s name (first name or initial and last name) combined with Social Security number, driver’s license/state ID number, financial account/credit/debit card number (with access code), medical/health insurance information, or unique biometric data.
- Timely Notification: Notify affected residents “in the most expedient time possible and without unreasonable delay,” consistent with investigation needs.
- Attorney General Notification: If a breach affects more than 500 Illinois residents, notify the Illinois Attorney General’s Office (DataBreach@ilag.gov) within 45 days of discovery or consumer notification, whichever is sooner.
- Notification Methods: Written notice, electronic notice (if compliant with E-SIGN Act), or substitute notice (if cost exceeds $250,000, over 500,000 affected, or insufficient contact info). Substitute notice requires email, website posting, and major statewide media notification.
- Third-Party Data Handlers: If you maintain data you don’t own, you must notify the owner/licensor immediately upon discovery of a breach and cooperate.
- Reasonable Security: The Act implicitly requires data collectors to implement and maintain reasonable security measures to protect personal information.
Why it’s Important:
PIPA is critical for protecting Illinois residents from identity theft and fraud by ensuring timely disclosure of security incidents. For SMBs, compliance is essential for managing crisis communication, maintaining transparency, and avoiding enforcement actions by the Illinois Attorney General. Violations of PIPA are considered violations of the Illinois Consumer Fraud and Deceptive Practices Act, which can result in significant civil penalties.
Read the full Illinois Personal Information Protection Act (PIPA) →
Illinois Biometric Information Privacy Act (BIPA) (740 ILCS 14/1 et seq.)
What is This Law?
The Illinois Biometric Information Privacy Act (BIPA) is one of the strictest and most litigated privacy laws in the U.S. It regulates how private entities collect, use, store, and disclose “biometric identifiers” (e.g., retina or iris scans, fingerprints, voiceprints, hand scans, facial geometry) and “biometric information.”
Key SMB Responsibilities:
- Written Policy: Develop a publicly available written policy that informs individuals about the collection, storage, use, and destruction schedule of their biometric data.
- Informed Consent: Obtain written informed consent from individuals before collecting their biometric identifiers or information. This consent must specify the purpose and length of time for which the data will be collected, stored, and used.
- Prohibition on Sale/Profit: You cannot sell, lease, trade, or otherwise profit from an individual’s biometric data.
- Reasonable Care for Storage: Store, transmit, and protect biometric data in a manner that is the same as or more protective than the way you store, transmit, and protect your other confidential and sensitive information.
- Retention Schedule: Destroy biometric data when the initial purpose for collecting it has been satisfied or within 3 years of the individual’s last interaction with the entity, whichever occurs first.
Why it’s Important:
BIPA is critical because it grants a private right of action, meaning individuals can sue companies directly for violations, even without demonstrating actual harm. This has led to numerous class-action lawsuits and significant settlements. Penalties can be severe: $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, plus attorney fees and court costs. Any SMB using fingerprint scanners for timekeeping, facial recognition for access control, or other biometric technologies must be acutely aware of BIPA.
Read the full Illinois Biometric Information Privacy Act (BIPA) →
ACLU of Illinois: Biometric Information Privacy Act (BIPA) →

Illinois Insurance Data Security Law (Public Act 101-0559)

What is This Law?
Effective January 1, 2020 (with compliance deadlines extending into 2025 for some provisions), the Illinois Insurance Data Security Law is based on the NAIC Insurance Data Security Model Law. It requires insurance licensees to implement comprehensive information security programs to protect nonpublic information.
Key Licensee Responsibilities:
- Information Security Program (ISP): Develop, implement, and maintain a comprehensive written ISP based on a risk assessment, with administrative, technical, and physical safeguards for nonpublic information.
- Risk Assessment: Conduct ongoing assessments to identify and mitigate reasonably foreseeable threats to information systems and nonpublic information.
- Incident Response Plan (IRP): Establish a written IRP to promptly respond to, and recover from, cybersecurity events.
- Cybersecurity Event Notification: Notify the Illinois Department of Insurance (DOI) as promptly as possible, but no later than 3 business days from a determination that a cybersecurity event has occurred, if it impacts 250 or more Illinois consumers and meets certain criteria (e.g., requires notice to another body, or is likely to materially harm consumers/operations).
- Annual Certification: Illinois-domiciled insurers must annually submit a written certification of compliance to the DOI by April 15th.
- Third-Party Service Provider Oversight: Exercise due diligence in selecting and managing third-party service providers, requiring them to implement appropriate security measures.
- Employee Training: Provide cybersecurity awareness training to personnel.
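To turn the PIPA thresholds listed earlier and the licensee notification deadline above into something an incident response plan can act on, here is an added Python helper (example code, not TEKRiSQ's and not statute text) that computes the Attorney General deadline, whether substitute notice is permitted, and the DOI deadline. It assumes the AG deadline is the earlier of 45 days after discovery and the date consumers are notified, ignores public holidays when counting business days, and leaves the judgement of whether the DOI's "certain criteria" are met to the caller.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Breach:
    discovered: date                  # date the breach was discovered
    consumer_notice: Optional[date]   # date residents are (to be) notified, if known
    affected: int                     # Illinois residents affected
    notice_cost_usd: int              # estimated cost of direct written/electronic notice
    contact_info_ok: bool             # sufficient contact details held for direct notice?


def ag_deadline(b: Breach) -> Optional[date]:
    """PIPA: the Attorney General is notified only when more than 500 residents
    are affected. Assumed reading of 'whichever is sooner': the earlier of
    45 days after discovery and the date consumers are notified."""
    if b.affected <= 500:
        return None
    deadline = b.discovered + timedelta(days=45)
    if b.consumer_notice is not None:
        deadline = min(deadline, b.consumer_notice)
    return deadline

def substitute_notice_allowed(b: Breach) -> bool:
    """PIPA permits substitute notice (email + website posting + statewide
    media) only when one of these three conditions holds."""
    return (b.notice_cost_usd > 250_000
            or b.affected > 500_000
            or not b.contact_info_ok)

def add_business_days(start: date, n: int) -> date:
    """Count forward n weekdays; public holidays are ignored (assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:          # Monday..Friday
            n -= 1
    return d

def doi_deadline(determined: date, consumers: int, meets_criteria: bool) -> Optional[date]:
    """Insurance Data Security Law: notify the DOI no later than 3 business days
    after determining a cybersecurity event, when 250 or more Illinois consumers
    are impacted and the caller has judged that a triggering criterion is met."""
    if consumers < 250 or not meets_criteria:
        return None
    return add_business_days(determined, 3)
```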
Why it’s Important:
This law is crucial for protecting the highly sensitive financial and health information handled by insurance entities. Compliance builds trust with policyholders, mitigates the severe financial and reputational damage of data breaches, and ensures regulatory alignment with national standards. The DOI has enforcement powers, including examinations and penalties.
Illinois Enacts Insurance Data Security Law (Practical Law Summary) →
Illinois DOI: Company Bulletin 2024-10 Insurance Data Security Law →
Why Illinois Compliance Matters for All SMBs
Beyond specific industry regulations, a strong compliance posture is essential for every Illinois SMB.
Avoid Costly Penalties
Non-compliance with state laws can lead to significant fines and legal fees that can cripple a small business.
Build & Maintain Customer Trust
Consumers are increasingly aware of their data privacy rights. Demonstrating robust compliance builds trust and enhances your brand’s reputation.
Protect Against Cyber Threats
Compliance often mandates the implementation of strong cybersecurity measures, directly protecting your business from data breaches, ransomware, and other attacks.
Ensure Business Continuity
Proactive compliance and security measures significantly reduce the likelihood and impact of disruptive security incidents, ensuring your operations continue smoothly.
Competitive Advantage
Being recognized as a secure and compliant business can differentiate you from competitors and attract more clients, especially in sensitive industries.
Streamline Operations
Implementing well-defined security and privacy practices leads to more organized and efficient data handling.
TEKRiSQ Solutions for Illinois Compliance
TEKRiSQ offers comprehensive services to help your Illinois SMB or licensed entity achieve and maintain compliance with state cybersecurity and privacy laws.
Cyber Risk Assessments
Identify vulnerabilities and compliance gaps specific to Illinois’s regulations.
Data Governance & Privacy
Implement frameworks for data handling, aligning with Illinois privacy mandates.
Incident Response Planning (IRP)
Develop robust plans to meet Illinois data breach notification requirements.
Employee Cybersecurity Training
Educate your team on their role in protecting data and complying with state laws.
Managed Security Services
Ongoing support to continuously monitor and improve your security posture for sustained compliance.
Endpoint Protection (EDR)
Advanced threat detection and response for your devices, a key component of robust security.
Illinois State Contacts & Resources
For official information and assistance regarding Illinois’s data privacy, security, and insurance laws, you can contact:
Illinois Attorney General’s Office
Consumer Fraud Hotlines:
Chicago: 1-800-386-5438
Springfield: 1-800-243-0618
Ready to Ensure Your Illinois Compliance?
Don’t let complex regulations be a barrier. Partner with TEKRiSQ for expert guidance and practical solutions.