Public and private sector organizations, from universities to for-profit businesses and non-profits, collect sensitive personal data from their customers and students. It has always been the responsibility of these organizations to take the security measures needed to protect that data from unauthorized access, disclosure, destruction, and misuse. To make that responsibility enforceable, the State of Illinois passed the Personal Information Protection Act (PIPA), which took effect January 1, 2006. It has been amended several times since to cover new kinds of data and to expand its requirements, including amendments that align it with federal health-data law (HIPAA and the HITECH Act) and that address the handling of local government records.
PIPA lays out what businesses and organizations must do in three areas: notifying people when their personal information has been breached, disposing of personal information that is no longer needed, and implementing reasonable security measures to protect personal data. The requirements apply to every entity that collects personal data, including those that handle local government records and those that own or license personal information rather than merely maintaining it for someone else. Any business or organization that fits this description must understand how PIPA affects it and what it must do to comply.
In this guide, we discuss PIPA and its requirements as well as how businesses and organizations are affected by this legislation. PIPA's Section 45 requires reasonable security measures, and the FTC Safeguards Rule it references calls for a designated "Qualified Individual," which can be an IT service provider, to implement and oversee those measures. Our IT professionals at PSM can help your business or organization be better prepared to comply with the cybersecurity aspects of PIPA. Note that an organization with its own breach notification procedures may be treated as compliant if those procedures meet or exceed what PIPA requires, and that PIPA's notification provisions are written to work alongside federal statutes such as HIPAA and the HITECH Act.
What is PIPA?
The Personal Information Protection Act (PIPA) is legislation that helps ensure that personal data collected from Illinois residents is protected from mishandling, misuse, and abuse. It sets requirements for the proper storage, handling, disposal, and protection of personal data, and it spells out the steps businesses and organizations must take if they experience a data breach. Under PIPA, "personal information" means an individual's first name or initial and last name combined with one or more of the following data elements: Social Security number; driver's license or state ID number; a financial account number or credit or debit card number, or an account number together with any required security code, access code, or password that would permit access to the account; medical information about the individual's mental or physical condition or treatment; health insurance information such as a policy number or details from an insurance application; and unique biometric data, including a digital representation of a biometric identifier. It also covers a user name or email address combined with a password or security question and answer that would permit access to an online account. Section 45 specifically requires businesses and organizations to implement reasonable security safeguards to protect this information from "unauthorized access, acquisition, destruction, use, modification, or disclosure."
Who Does PIPA Affect?
Under PIPA, any public or private business or organization, regardless of industry, that "handles, collects, disseminates, or otherwise deals with nonpublic personal information" is a data collector and must comply with the legislation. This includes for-profit businesses, non-profits, universities, government agencies, and any other entity that collects and maintains non-public personal information about Illinois residents, in electronic or any other form. Healthcare organizations covered by the federal Health Insurance Portability and Accountability Act (HIPAA) are not exempt from PIPA; rather, PIPA treats them as meeting its breach notification requirements when they follow HIPAA's breach notification rules, and still requires them to send the Illinois Attorney General a copy of any breach notification they file with the federal Department of Health and Human Services.
The law was passed by the State of Illinois to protect the personal data of Illinois residents, so it applies to every covered business and organization operating in Illinois. It also applies to businesses located outside Illinois that collect personal data about Illinois residents. In short, every business, organization, and entity that collects the personal data of Illinois residents must be aware of PIPA and comply with it, and the residents whose personal information is maintained by these organizations are entitled to the protection and breach notification PIPA provides.
What are the Main Components of PIPA?
PIPA contains three main elements that outline the responsibilities of businesses and organizations that collect the non-public personal data of Illinois residents: breach notification, secure disposal, and reasonable security measures.
Breach notification. When personal information is compromised through unauthorized acquisition by an unauthorized person, the data collector must notify the affected Illinois residents "in the most expedient time possible and without unreasonable delay," consistent with the measures needed to determine the scope of the breach and restore the integrity of the data system. Notice may be written or electronic. Substitute notice (email where an address is known, conspicuous posting on the collector's website, and notice to major statewide media) is permitted only when direct notice is not feasible: when direct notice would cost more than $250,000, when more than 500,000 people are affected, or when the collector lacks sufficient contact information. A breach affecting more than 500 Illinois residents must also be reported to the Illinois Attorney General, no later than the time the affected individuals are notified. Notification may be delayed only if a law enforcement agency determines that it would interfere with a criminal investigation and provides a written request for the delay.
Secure disposal. When personal data is no longer needed by a business or organization, it must be disposed of in a way that renders the personal information unreadable, unusable, and undecipherable. Paper records must be burned, shredded, or otherwise destroyed; electronic media and records must be erased or otherwise made unreadable and unrecoverable.
Reasonable security measures. Businesses and organizations must implement and maintain reasonable security measures to protect records containing personal information from "unauthorized access, acquisition, destruction, use, modification, or disclosure," and any contract under which they disclose personal information to a third party must require that third party to do the same. A comprehensive written security program is the practical way to meet this obligation, and PIPA treats a data collector that is subject to and in compliance with the Gramm-Leach-Bliley Act security standards (implemented by the FTC Safeguards Rule) as meeting it. Businesses can also work with an IT service provider to implement the technical controls such a program requires.
The FTC Safeguards Rule that PIPA references calls for a designated "Qualified Individual" to implement and maintain the information security program; an IT service provider such as PSM can fill this role. The qualified individual is responsible for conducting a written risk assessment and implementing safeguards including endpoint protection, password management, multi-factor authentication, encryption of personal information in transit and at rest, firewalls, timely security patching, regular vulnerability assessments, and penetration testing. The qualified individual should also maintain a written incident response plan and security policies and procedures, and report at least annually on the status of the security program.
Why Businesses and Organizations Must Comply with PIPA
Businesses and organizations that collect personal data from Illinois residents face consequences for violating PIPA. A violation of PIPA is an unlawful practice under the Illinois Consumer Fraud and Deceptive Business Practices Act, which the Illinois Attorney General enforces; the Attorney General can bring an action and seek civil penalties of up to $50,000 per violation, with additional penalties available for deceptive or unfair conduct. Because PIPA violations fall under that Act, individuals whose personal data is compromised through a business or organization's failure to comply may also pursue damages through civil lawsuits.
Beyond the legal exposure, businesses and organizations have an ethical obligation to protect the personal data they collect by implementing reasonable security measures. Every entity that collects personal data should confirm that it meets PIPA's standards, including providing timely and accurate breach notification to affected individuals and, where required, to the Attorney General, both to fulfill its obligations and to avoid fines and civil lawsuits.
PIPA Data Security with PSM
To protect personal data, businesses and organizations must implement and maintain a comprehensive security program, whether they manage it in-house or through a third-party qualified individual. PSM is a cybersecurity provider that can serve as your qualified individual. Our professionals provide complete cybersecurity services to protect your most sensitive data: we assess your IT infrastructure to identify and address vulnerabilities and implement security measures that improve protection against data breaches and against unauthorized access, use, modification, disclosure, or destruction of personal data. PSM can also help you prepare breach notifications and the compliance documentation that accompanies them.
With our expertise in PIPA, we can help your business or organization be better prepared to comply with the technical aspects of PIPA and the FTC Safeguards Rule. Our professionals can help you identify and understand gaps in your security and the solutions that close them. We can also help you implement an overall information security program, including policies, procedures, standards, and controls that align with industry security frameworks.
Submit a contact form or call PSM at (312) 940-7830 to learn more about how our cybersecurity services can help keep your business or organization in compliance with PIPA requirements.
About the Author

Marisa Maiella
I'm a dynamic Marketing Coordinator with a passion for crafting compelling marketing campaigns and engaging content. Known for my creativity and strategic approach, I am committed to fostering brand growth and enhancing engagement through innovative marketing strategies.