
    What Illinois Law Requires Every Chicago Business to Do After a Data Breach


    Most small business owners assume that data breach laws are written for large corporations: the kind of organizations with legal departments, compliance teams, and resources dedicated to regulatory monitoring, not for a twelve-person accounting firm in Wicker Park, a property management company in Lincoln Park, or a contractor working out of a Bridgeport office.

    That assumption is wrong, and operating under it creates legal exposure that most Chicago business owners do not realize they carry.

    The Illinois Personal Information Protection Act applies to every business that collects, stores, or handles the personal information of Illinois residents, regardless of how large or small that business is. If you have employees, you hold personal information. If you have clients whose data you process, you hold personal information. If you store customer records, financial data, or any identifying information about people who live in Illinois, this law applies to your business today.

    This post explains exactly what Illinois law requires, what the consequences of non-compliance look like, and what you need to have in place before you ever need to use this knowledge.

    What the Illinois Personal Information Protection Act Actually Is

    The Illinois Personal Information Protection Act, commonly referred to as PIPA, is the state law governing how businesses must protect the personal information of Illinois residents and what they must do when that information is compromised in a data breach.

    PIPA was originally enacted in 2005 and has been updated several times since, most significantly in 2016 when Illinois substantially expanded both the definition of personal information and the security obligations it imposes. The current version of the law reflects the reality that personal information today extends well beyond Social Security numbers and financial account details.

    The law creates two primary obligations for covered businesses. The first is an ongoing obligation to implement and maintain reasonable security measures to protect personal information from unauthorized access, disclosure, or acquisition. The second is a notification obligation that activates the moment a business determines that a breach of personal information has occurred.

    Both obligations apply to your business if you handle personal information of Illinois residents. There is no revenue threshold. There is no employee count minimum. The law covers a one-person consulting practice with the same legal authority it applies to a regional financial firm.

    What Personal Information Means Under Illinois Law

    PIPA defines personal information as any combination of an individual's first name or first initial and last name, combined with one or more of the following data elements when that combination is not encrypted, redacted, or otherwise protected.

    Social Security numbers fall within this definition. So do Illinois driver's license numbers and state identification card numbers. Financial account numbers, including credit card and debit card numbers combined with any required security codes or passwords, are covered. Medical information and health insurance information are included. A username or email address combined with a password or security question answer that would permit access to an online account is covered. Biometric data, including fingerprints and retina scans, is also specifically addressed.

    For most small businesses, the relevant categories are straightforward. Every employee whose Social Security number you hold for payroll purposes is a person whose personal information you are obligated to protect under PIPA. Every client whose financial records you maintain, every tenant whose rental application you processed, every customer whose payment information you stored: each of those individuals is covered by this law and by your obligation to them.

    The breadth of this definition means that almost no small business operating in Chicago is outside the law's reach. If you have payroll, you are covered. If you have clients, you are almost certainly covered.

    The Reasonable Security Measures Requirement

    Before addressing what happens after a breach, it is worth spending time on what PIPA requires before a breach occurs.

    The law requires businesses to implement and maintain reasonable security measures appropriate to the nature and scope of their operations, the type of data they handle, and the potential harm that could result from unauthorized access. This is not a specific checklist of controls. It is a standard of reasonableness that is evaluated based on what a business of your type and size, handling your category of data, should have had in place given what was known about the threat environment at the time.

    In practice, what counts as reasonable has evolved as the threat environment has changed. Controls that might have satisfied the standard five years ago may not satisfy it today given the documented acceleration of cyberattacks against small businesses. Regulators and courts evaluate reasonableness in hindsight, looking at what was available to you and what a similarly situated business exercising ordinary care would have implemented.

    The controls that consistently satisfy the reasonable security standard include multi-factor authentication on all systems that access personal information, encryption of personal information both when it is stored and when it is transmitted, access controls that limit who can access specific categories of personal information within your organization, active monitoring of systems that hold personal information for signs of unauthorized access, and a documented incident response plan that defines what your business will do when a breach is detected.

    If your current security program does not include these elements, you are operating below the standard the law expects of you, which is relevant not only to your regulatory exposure but to your civil liability if a breach does occur and someone whose information was compromised brings a claim against your business.

    When a Breach Occurs: The 45-Day Clock

    If your business experiences a breach of personal information covered by PIPA, the notification clock begins the moment you determine that a breach has occurred. Not the moment the breach started. Not the moment you become aware something might have happened. The moment you have determined that a breach of covered personal information has actually taken place.

    Illinois law requires you to notify every affected individual in the most expedient time possible and without unreasonable delay. The law specifies a maximum of 45 days from the date of determination for that notification to be sent. Missing this deadline without a legitimate reason constitutes a violation of the law.

    The 45-day window is tighter than many business owners realize. Forty-five days sounds like ample time until you are dealing with a forensic investigation, legal counsel review, notification drafting, and the operational disruption of a security incident simultaneously. Businesses that have a plan in place before a breach occurs use those 45 days effectively. Businesses that are building the response from scratch often find the deadline more challenging than anticipated.

    Who You Must Notify and What That Notification Must Include

    PIPA requires notification to two categories of recipients depending on the scale of the breach.

    Every individual whose personal information was compromised must receive direct notification. The notification must include a description of the type of personal information that was compromised, the date or approximate date of the breach, the date or approximate date of the breach's discovery, a description of the steps the business is taking to investigate and address the breach, and information about what affected individuals can do to protect themselves, including any credit monitoring or identity protection services being offered.

    If the breach affects more than 500 Illinois residents, the business must also notify the Illinois Attorney General's Office. This notification requirement exists in addition to, not instead of, the individual notifications. The Attorney General notification must occur in the same 45-day window.

    The method of notification to individuals can be written notice sent to the last known address, electronic notice if the individual has agreed to receive communications electronically, or substitute notice in the form of a conspicuous website posting and notification to major media outlets if the cost of direct notification would exceed $250,000 or if more than 500,000 individuals are affected. For most small businesses, direct written or electronic notice to each affected individual is the applicable standard.

    If your business has a current relationship with affected individuals through a service agreement or ongoing business relationship, you may also notify them by telephone, though that notification must include the same substantive information as a written notice.

    The Penalties for Non-Compliance

    Violations of PIPA are treated as unlawful practices under the Illinois Consumer Fraud and Deceptive Business Practices Act. The Illinois Attorney General is authorized to bring civil actions against businesses that fail to comply.

    Civil penalties for PIPA violations can reach $100 per affected individual per violation, with a maximum of $50,000 per breach incident in penalty exposure through the Attorney General's civil action authority. The Attorney General may also seek injunctive relief requiring your business to implement specific security measures.

    Beyond the statutory penalties, PIPA violations create civil liability exposure to the individuals whose information was compromised. Affected individuals can bring private actions against businesses that failed to maintain reasonable security or failed to provide timely notification. These private actions are separate from any Attorney General enforcement and are not subject to the $50,000 cap.

    The regulatory and civil liability exposure from a PIPA violation compounds the direct financial costs of the breach itself. A business that experiences a breach, fails to notify within 45 days, and faces both an Attorney General enforcement action and private claims from affected individuals is managing a financial situation that grows significantly more serious than the breach cost alone.

    What This Means for Your Business Right Now

    There are three immediate practical implications of PIPA for every Chicago small business.

    The first is that your current security program needs to be evaluated against the reasonable security standard the law requires. If you are uncertain whether your current controls satisfy that standard, the honest answer is that you should find out before you have to find out the hard way.

    The second is that you need a documented incident response plan that includes the specific PIPA notification requirements. Forty-five days is a firm deadline. Meeting it requires knowing what you will do before you need to do it, including who drafts the notifications, who reviews them, who sends them, and how you will reach the individuals whose information was affected.

    The third is that you need to know what personal information your business actually holds. You cannot notify affected individuals if you do not know who they are and what data was involved. A basic data inventory, identifying what personal information you collect, where it is stored, and who has access to it, is the foundation of both a reasonable security program and an effective breach response.

    The KIT Framework at Red Door Shield addresses all three of these requirements as part of a standard client engagement. The Keep layer implements the security controls that satisfy the reasonable security standard. The Inspect layer monitors your environment continuously so that breaches are detected quickly and the 45-day clock starts from the earliest possible moment. And your incident response documentation includes your PIPA notification obligations so that when an incident occurs, the response is organized and the deadline is met.

    Know Where Your Business Stands

    Not sure whether your current security program satisfies Illinois law's reasonable security standard? Our free Business Security Assessment evaluates your controls against the requirements PIPA and other applicable regulations impose. It takes less than 10 minutes and gives you a clear, honest picture of where you stand before you need to use that knowledge.


    Tony Chan is the founder of Red Door Technologies LLC and the author of Operation CyberGuard: Protect Your Business, Outsmart Cyber Threats, and Secure Your Future. He has served small businesses across Chicago for 17 years.
