FINES & PENALTIES: $100 up to $50,000
NOTIFICATION TIMING: Without unreasonable delay
Organizations that experience a breach, whether internally or through a third party, are responsible for all regulatory reporting and consumer notification for breaches of personal information involving more than 500 Illinois residents. Reporting must be submitted to the Attorney General without delay, and no later than when the breach notification is provided to affected consumers. Reporting must include the nature of the breach, the number of affected residents and any mitigation actions taken. Vendors must notify Organizations upon discovery of a breach or suspected breach, must cooperate with Organizations and must provide all necessary information relating to the breach or suspected breach.
If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Sector-specific regulations provide for an individual’s right to access their personal information. A private right of action can be brought with fines up to $5,000 or actual damages for violations of the Biometric Information Privacy Act.
FINES & PENALTIES
Violations of the Personal Information Protection regulations constitute an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act. Violations of the disposal regulations may result in a civil penalty of up to $100 for each affected individual, up to a maximum of $50,000 for each instance of improper disposal. The Attorney General may publish the names of organizations that experience a data breach and the type of information involved, including the date range of the breach. Organizations may be fined or penalized for Vendor violations.
INDUSTRY SPECIFIC LAWS
Vendors contracted to dispose of an Organization’s records containing personal information must maintain policies and procedures for the protection of the records from unauthorized access, acquisition, or use while in the Vendor’s possession and during disposal.
Organizations must have contracts in place with any Vendors to which they disclose personal information, including data disposal vendors. Organizations and their contracted Vendors must implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure, and must have measures in place for the secure disposal of personal information so that it cannot be read or reconstructed. Organizations in possession of biometric identifiers must ensure measures are in place for the storage, disclosure and protection of those identifiers. In addition, they must have a publicly available written policy that states their retention schedule and disposal guidelines.