Attorney General Madigan applauds House committee passage of data security bill

Attorney General Lisa Madigan today said the Illinois House of Representatives’ Judiciary Committee passed a measure that will strengthen the state’s data breach notification law. Senate Bill 1833 sponsored by Sen. Dan Biss (D-Evanston) and Rep. Ann Williams (D-Chicago) passed the committee by a vote of 7-4.

“In the last several years, data breaches have become far too frequent,” Madigan said. “It is imperative that we strengthen the state’s data breach notification laws to ensure that people are informed of breaches so they can take steps to minimize the risk of identity theft.”

“Large-scale data breaches are occurring at an alarming rate, and we need to make sure Illinois’ laws will help protect consumers from falling victim to identity theft and other scams,” Williams said. “I thank the Attorney General for her leadership on this issue, and I will continue to work with my colleagues in the House to send this bill to the governor’s desk.”

Madigan drafted SB 1833 to strengthen the state’s Personal Information Protection Act (PIPA). Originally passed in 2005 at Attorney General Madigan’s direction, PIPA made Illinois among the first states in the country to require entities that suffer a data breach to notify Illinois residents if the breached information included residents’ drivers’ license numbers, Social Security numbers, or financial account information. Since the law’s enactment, the extent of sensitive information collected about consumers has expanded, and the threat of data breaches has increased significantly, necessitating the need to update and strengthen the state’s law.

Madigan’s bill, which has been endorsed by Illinois PIRG, Citizen Action Illinois, the Heartland Alliance and more, will expand the type of information that triggers a breach notification to consumers, including medical information outside of federal privacy laws, biometric data, contact information when combined with identifying information, and login credentials for online accounts. The bill also requires entities holding sensitive information to take “reasonable” steps to protect the information, to post a privacy policy describing their data collection practices, and to notify the Attorney General’s office when breaches occur. Entities will also have to notify the Attorney General’s Office in the event of a breach of geolocation information or consumer marketing information. Madigan has said her office would create a website that lists every data breach that affects Illinois to increase awareness among residents.

SB 1833 now heads to the full House for consideration.