The Personal Information Protection Act (815 ILCS 530/) was amended by changing Sections 5, 10, and 12 and adding Sections 45 and 50. Effective January 1, 2017. The highlights follow:
Section 5. Definitions. “Health insurance information” and “medical information” are newly defined. “Personal information” was amended to include:
- An individual’s name that is encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security.
- Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.
- User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.
The full definition of “personal information” can be found in Section 5 of the Personal Information Protection Act.
Section 10. Notice of Breach. The required notification elements were amended to cover the personal information as defined above. If the breached personal information consisted of a user name or email address in combination with a password or security question and answer (the third bullet above), the notice must direct the CU member to promptly change his or her user name, password, security question or answer, as applicable. Further, the notice should remind the member to take appropriate steps to protect all other online accounts that use the same credentials.
Substitute notice (Section 10(c)(3)). This section was amended to add, alongside the three existing substitute notice delivery methods, the option of notifying prominent local media if the breach affects residents in one geographic area.
Section 12. Notice of breach; State agency. Adds the notice requirement for a State agency breach and the agency’s obligation to notify the Attorney General.
Section 45. Data Security. An institution that is in compliance with Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) is deemed to be in compliance with this section. The guidance in Appendix B to NCUA’s Security Program rule (Part 748) interprets Section 501(b) of the GLBA, and compliance with Part 748 is required of all federally insured credit unions.
Section 50. Applies to entities subject to the federal Health Insurance Portability and Accountability Act of 1996.
By: Joni Senkpeil, VP Compliance Solutions