The cosmetics industry, unknown to many, is essentially not regulated by a federal regulatory agency. Cosmetics technically fall under the purview of the Food and Drug Administration (“FDA”), but there are few requirements that manufacturers must comply with. The FDA only requires that manufacturers comply with several labeling regulations, so companies can avoid listing a product’s total ingredients, and the FDA does not require manufacturers to report health complaints. The FDA instead relies on direct reports of adverse events from consumers, which has the potential to delay remedying a potentially dangerous situation. A study published in JAMA Internal Medicine found that between 2015 and 2016, the number of complaints of adverse health results related to cosmetic products more than doubled from the previous years. Additionally, the FDA only has the equivalent of six full-time inspectors to monitor three million shipments of cosmetics that come into the United States each year. Last year, inspectors only conducted tests on about 364 of those shipments, and 20% of those shipments that were inspected led to adverse findings.
On September 7, 2017, the credit bureau Equifax announced a giant security breach affecting the personal information of approximately 143 million US consumers, as well as thousands of consumers overseas. With numerous lawsuits piling up against the company and almost half of our nation’s population at a significantly increased risk of identity theft, Americans are left wondering why this happened, how it could have been prevented, and what will become of Equifax and our credit reporting systems.
Illinois’ Personal Information Protection Act (“PIPA”) became effective on January 1, 2017. Illinois is just one of many states that recently strengthened their data breach notification systems and created data security laws to enhance protection of personal information. Like other state provisions, Illinois created stronger safeguards for personal information transmitted electronically. This act requires that all personal information provided electronically be encrypted or redacted. The amendments to PIPA (1) broadened the statute’s definition of personal information; (2) clarified the safe harbor for encryption; (3) addressed required notification to residents after a breach; and (4) established limited exemptions.