Personal Information Protection Act (“PIPA”): Redefining Cyber-Security & Consumer Protection

Sara Oakes
Associate Editor
Loyola University Chicago School of Law, JD 2019

Illinois’ Personal Information Protection Act (“PIPA”) became effective on January 1, 2017. Illinois is one of many states that have recently strengthened their data breach notification requirements and enacted data security laws to better protect personal information. Like other state provisions, Illinois created stronger safeguards for personal information transmitted electronically: the act requires that all personal information provided electronically be encrypted or redacted. The amendments to PIPA (1) broadened the statute’s definition of personal information; (2) clarified the safe harbor for encryption; (3) addressed the required notification of residents after a breach; and (4) established limited exemptions.

New definition of personal information under PIPA

Under this act, personal information includes an individual’s first name or first initial with the last name in combination with the following data elements: (a) social security number; (b) driver’s license or state identification card number; (c) account number or credit or debit card number, or anything that would permit access to an individual’s financial account; (d) medical information; (e) health insurance information; or (f) unique biometric data generated form.  A username or email address in combination with a password or security question and answer that would permit access to an online account also constitutes personal information. Any information that is lawfully made available through federal, state, or local government records is exempt under this act.

Safe harbor for encryption

Prior to the amendments to the Illinois PIPA, businesses suffering a security breach were protected under the safe harbor provision for data collectors when the data disclosed was fully encrypted or redacted. Under PIPA, a data collector refers to: government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that handles, collects, disseminates, or otherwise deals with nonpublic personal information. Any of these data collectors would be protected if they encrypted or redacted the information. Prior to the PIPA amendments, businesses that suffered a breach were protected even after the data was compromised.

However, the amendments to PIPA clarify that the safe harbor provision no longer applies when the keys needed to decrypt or otherwise unsecure the personal information have also been compromised in the security breach. This ensures that data collectors take substantive measures to keep any personal information they hold confidential. By limiting the safe harbor exception, individuals are further protected, because data collectors must take additional precautions in maintaining the security of personal information; otherwise they may be liable if the encryption keys are compromised.

Required notification of residents

Under the Illinois PIPA amendments, when a data collector learns of a breach of personal information, it must inform those affected in the quickest time possible and without delay. Additionally, a data collector must take measures to determine the scope of the breach and to restore the integrity and confidentiality of the secured data. The disclosure of a breach to an Illinois resident may include: (1) the toll-free numbers and addresses for consumer reporting agencies; (2) the toll-free number, address, and website address for the Federal Trade Commission; or (3) a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The Illinois residents affected should also receive a notice to change information such as a username or password and to take other steps necessary to secure their accounts. Requiring data collectors to notify those affected by a security breach assists those whose personal information has been compromised in taking the necessary steps to protect themselves and to ensure that the information is not used to harm them through identity theft or fraud.

Company restrictions

Per the act, any violation of PIPA constitutes an unlawful business practice under the Consumer Fraud and Deceptive Business Act. Those in violation of PIPA face the repercussions defined in the Consumer Fraud and Deceptive Business Act. As a company, it is important to identify any personal information that fits within the statutory definition and to ensure that it is protected in accordance with the law, or risk a violation being treated as consumer fraud or a deceptive business practice.

In proposing the amendments to PIPA, Illinois recognized that the lack of secure data protection endangered Illinois residents whenever a data breach compromised their personal information. Under PIPA, the Illinois legislature aims to mitigate the potential harm to Illinois residents when their personal information is inadequately protected by a business. Notably, PIPA applies with respect to Illinois residents, not only Illinois businesses. Therefore, it is important for any data collector holding the personal information of Illinois residents to consider this act when protecting that information.