On May 27, Illinois and Texas voted to amend their respective data breach notification laws. Illinois amendment SB 1624 requires notice to the state’s Attorney General for data breaches involving a certain threshold of individuals. Texas amendment HB 4390 also requires notice to the state’s Attorney General for data breaches above a threshold, changes the amount of time in which notice must be provided to individuals, and creates a council to study privacy legislation.
Illinois state law requires notice of a security breach to be provided to the state’s Attorney General when (1) state agencies provide notice to 250 or more Illinois residents under state law and (2) entities provide notice to the Secretary of Health and Human Services under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). SB 1624 amends state law to also require notice to be provided to the Attorney General when a business must disclose a security breach to more than 500 Illinois residents.
Notification to the state’s Attorney General must include a description of the breach, the number of Illinois residents affected, and the steps taken or planned to be taken relating to the incident. A business must provide notice to the Attorney General no later than when it provides notice to Illinois residents. If the business does not know the date of the breach at the time notice is provided, it is required to send the date to the Attorney General as soon as possible. The amendment allows the Attorney General, upon receiving notification, to publish the name of the business that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.
The amendment is effective January 1, 2020.
The Texas amendment changes the amount of time in which notification of a security breach must be provided to individuals from “as quickly as possible” to not later than 60 days after discovery. Within the same time frame, the amendment requires a business to provide notification to the state’s Attorney General when 250 or more residents have been affected by the security breach. The notice to the Attorney General must include a “detailed description” of the security breach, the number of Texas residents affected by the breach, the measures taken and planned to be taken by the business regarding the breach, and whether law enforcement is involved.
The amendment also creates the Texas Privacy Protection Advisory Council to study data privacy laws in Texas, other states, and relevant foreign jurisdictions. The council is to “make recommendations to the members of the legislature on specific statutory changes regarding the privacy and protection of that information….”
The privacy council amendment is effective September 1, 2019. The disclosure amendment is effective January 1, 2020.