Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Third Party: Specific Obligations
  • Third Party: Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Penalties for violations of breach and notification laws range from $100 per person up to $50,000 per incident.

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Third Party Management
  • Data Protection
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • There are requirements for information to be included in notifications.
  • There are specific security measures to be taken when disposing of personal information in order to prevent a breach.
  • Improper disposal of materials containing personal information may result in a civil penalty of not more than $100 for each individual, up to $50,000 for each instance of improper disposal.
  • Notice to the Attorney General is required within 5 days in certain circumstances for businesses subject to the Health Insurance Portability and Accountability Act (HIPAA).
  • Data owners and vendors must implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.
  • State agencies must notify the Attorney General within 45 days (or sooner) if more than 250 Illinois residents are affected, and must notify credit reporting agencies if more than 1,000 persons are affected.
  • Violating the Personal Information Protection statutes constitutes an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act.
  • If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification; vendors do have specified responsibilities.
  • If your breach affects residents in other states, you will need to notify those residents under each of those states' rules.
Statutes and Laws
  • 815 ILCS 530 Personal Information Protection Act
  • 815 ILCS 530/40 Disposal of material containing personal information; Attorney General
  • 815 ILCS 530/45 Data security
  • 815 ILCS 505 Consumer Fraud and Deceptive Business Practices Act