top of page

Illinois Compiled Statutes 815 § 530 et seq

Enacted:  1.1.2006

Type of Data Covered: Computerized or electronic data and written material. 

​

Is Breach Defined?

“Breach of the security of the system data” or “breach” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. See § 530/5.

​

​

When is notice required?

​

Illinois has bifurcated reporting requirements for private entities and state agencies. There is significant overlap in the requirements but state agencies have to report to the Attorney General  and consumer reporting agencies if certain thresholds are met.

  • Notice to residents by other entities 

    • All residents affected by the breach​.

    • "most expedient time possible...consistent with law enforcement needs..."

    • Specific requirements for the content of the notice.

    • Written, electronic, and substitute notice are acceptable, depending on circumstance.

  • Notice to residents by state agencies

    • All residents affected by the breach.​

    • "most expedient time possible..." unless there is a legitimate law enforcement agency delay.

    • Specific requirements for the content of the notice.

    • Written, electronic, and substitute notice are acceptable, depending on circumstance.

    • Notice to consumer reporting agencies for breaches affecting over 1,000 residents and notice to the AG for breaches affecting over 250 residents.

​

What are the penalties for non-compliance?

​

Violations have their own section of the law, §530/20, which reads as follows: 

​

"A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505)." 

​

​

bottom of page