Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach and notification laws:
- $100 per person, up to $50,000 per incident

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • There are requirements for information to be included in notifications.
  • There are specific security measures to be taken when disposing of personal information in order to prevent a breach.
  • Violating the requirements for disposing of materials containing personal information may result in a civil penalty of not more than $100 for each individual, up to $50,000 for each instance of improper disposal.
  • Notice to the Attorney General is required within 5 days in certain circumstances for businesses subject to the Health Insurance Portability and Accountability Act (HIPAA).
  • Data owners and vendors must implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.
  • Violating the Personal Information Protection statutes constitutes an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act.
  • If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notification; vendors do have specified responsibilities.
  • If your breach affects residents of other states, you will need to notify those residents under their own state's rules.
Statutes and Laws
  • 740 ILCS 14 Biometric Information Privacy Act
  • 815 ILCS 530 Personal Information Protection Act
  • 815 ILCS 530/40 Disposal of material containing personal information; Attorney General
  • 815 ILCS 530/45 Data security
  • 815 ILCS 505 Consumer Fraud and Deceptive Business Practices Act