Public and private sector organizations from universities to for-profit businesses and non-profit organizations collect sensitive personal data from their customers and students. It has always been considered the responsibility of businesses and organizations to take the necessary security measures to protect sensitive personal data from unauthorized access, disclosure, destruction, and misuse. To ensure that businesses and organizations protect personal data, the State of Illinois passed the Personal Information Protection Act (PIPA) that took effect January 1, 2006. It has been amended several times over the years to accommodate new methods of data collection and expand requirements.
PIPA lays out requirements for businesses and organizations when it comes to notifying people when their information has been breached, disposing of sensitive information that is no longer needed, and putting reasonable security measures in place to protect personal data. The requirements laid out in PIPA affect all entities that collect personal data, so businesses and organizations that fall under this designation must understand how PIPA affects them and what they need to do to be in compliance.
In this guide, we will discuss PIPA and its requirements as well as how businesses and organizations are affected by this legislation. Under Section 45, businesses and organizations are allowed to designate a “qualified individual,” which includes IT service providers, to implement and oversee cybersecurity measures to protect sensitive data. Our IT professionals at PSM can help your business or organization to be better prepared to comply with the cybersecurity aspects of PIPA requirements.
What is PIPA?
The Personal Information Protection Act (PIPA) is legislation that helps ensure that personal data collected from Illinois residents is protected from mishandling, misuse, and abuse. This legislation includes requirements for the proper storage, handling, disposal, and protection of personal data as well as steps businesses and organizations must take if they experience a data breach. Section 45 specifically requires businesses and organizations to implement reasonable security safeguards to protect non-public or personally identifiable information from “unauthorized access, acquisition, destruction, use, modification, or disclosure.”
Who Does PIPA Affect?
Under PIPA, any public or private business or organization, regardless of industry, that “handles, collects, disseminates, or otherwise deals with nonpublic personal information,” is considered a data collector that must comply with the requirements of this legislation. This includes for-profit businesses, non-profits, universities, government agencies, and any other entity that collects and handles non-public personal information from Illinois citizens. PIPA does not apply to healthcare organizations that are subject to the Health Insurance Portability and Accountability Act (HIPAA) because they already follow strict rules protecting personal data and health information under that act.
The law was passed by the State of Illinois to protect the personal data of Illinois citizens, so it applies to all covered businesses and organizations that operate in Illinois. PIPA also applies to businesses that operate outside of Illinois but collect personal data from Illinois citizens. This means that every business, organization, and entity that collects the personal data of Illinois citizens must be aware of PIPA and comply with its guidelines.
What are the Main Components of PIPA?
PIPA contains three main elements that outline the responsibilities of businesses and organizations that collect the non-public personal data of Illinois citizens:
1. Breach notification. If there is a breach or other event that compromises personal data, it is the responsibility of the business or organization to adequately inform those who are or may be affected “in the most expedient time possible, without unreasonable delay.” Those affected can be notified via a written or electronic notice.
2. Disposal of personal data. When personal data is no longer needed by a business or organization, they must safely dispose of the information, whether it is paper documents or electronic data. Paper records must be destroyed by being burned or shredded, and electronic data must be rendered unreadable and unrecoverable.
3. Reasonable security measures. Under PIPA, businesses and organizations must put security safeguards in place to protect personal data from “unauthorized access, acquisition, destruction, use, modification, or disclosure.” A comprehensive security program should be implemented, and the legislation points to the FTC Safeguards Rule as the standard to meet to be in compliance. Businesses and organizations can also work with an IT service provider that can implement cybersecurity measures to protect personal data and help meet the technical aspects of PIPA requirements.
According to PIPA, businesses and organizations can designate a “Qualified Individual” to implement and maintain security measures to protect sensitive personal data. An IT service provider like PSM can be considered a qualified individual. It is the responsibility of the qualified individual to conduct a risk assessment and implement safeguards and controls including endpoint protection, password management, multi-factor authentication, encryption, firewalls, security patches, vulnerability assessments, and penetration testing. They should also create a written incident response plan, security policies and procedures, and an annual report on the status of the security measures.
Why Businesses and Organizations Must Comply with PIPA
Businesses and organizations that collect personal data from Illinois residents can face consequences for violating PIPA. Enforcement of PIPA is overseen by the Illinois Attorney General, who has the power to initiate complaints and fine businesses and organizations up to $50,000 for each violation. PIPA also grants a private right of action to individuals whose personal data is compromised due to a business or organization’s failure to comply, which allows them to seek damages through civil lawsuits.
Businesses and organizations have an ethical obligation to protect the personal data they collect by implementing reasonable security measures. All entities that collect personal data should ensure that they are in compliance with PIPA standards to fulfill their obligations and avoid penalties such as fines and civil lawsuits.
PIPA Data Security with PSM
In order to protect personal data, businesses and organizations are required to implement and maintain a comprehensive security program, whether they manage this in-house or work with a third-party qualified individual. PSM is a cybersecurity expert that is considered a qualified individual under PIPA. Our professionals provide complete cybersecurity services to protect your most sensitive data. We will assess your IT infrastructure to identify and address vulnerabilities and implement security measures to improve protection against data breaches and unauthorized access, use, modification, disclosure, or destruction of personal data.
With our expertise in PIPA guidelines, we can help your business or organization be better prepared to comply with the technical aspects of PIPA and FTC Safeguards requirements. Our professionals can help you identify and understand gaps in your security as well as solutions to close those gaps. We can also help implement an overall information security program, including policies, procedures, standards, and controls that align with industry security frameworks.