(Biss, D-Skokie; Williams, D-Chicago) makes the following changes to the Act.
(1) Expands the definition of protected “personal information” to include a person’s first name or first initial and the last name that is encrypted or redacted but the unlocking keys have been breached if one of several “data elements” have also been unlawfully acquired. (2) Expands “data elements” to include medical information, health insurance information, unique biometric data. (3) Expands protected “personal information” to include user name or email address and password or security question information that permits a person’s online accounts to be breached. (4) Requires a data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information of Illinois resident to implement and maintain reasonable security measures to protect those records from unauthorized access or use. (5) Compliance with the federal HIPAA complies with this Act as long as the covered entity provides notice of a breach to the Illinois Attorney General within notifying the Secretary of Health and Human Services. Effective January 1, 2017.