Illinois Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business handles personal data belonging to Illinois residents, a security breach triggers mandatory notification obligations under state law. The Personal Information Protection Act (815 ILCS 530), often called PIPA, requires prompt notice to affected individuals and, in many cases, to the Illinois Attorney General. Illinois stands out among states because its broad definition of personal information includes biometric data, and a separate law, the Biometric Information Privacy Act (BIPA), adds additional obligations for biometric-related incidents.
This guide explains who must comply, what triggers notification, how to report, and what penalties apply under current [Illinois data privacy law](/us-laws/data-privacy-laws/illinois-data-privacy-laws).
Who Must Comply With Illinois Breach Notification Law
The law applies to any "data collector" that owns or licenses computerized data containing personal information of Illinois residents. Section 5 of 815 ILCS 530 defines data collector broadly. It includes state and local government agencies, universities, corporations, financial institutions, retail operators, and any other entity that handles, collects, disseminates, or otherwise deals with nonpublic personal information.
A data collector that maintains or stores, but does not own or license, the data must notify the owner or licensee immediately following discovery of a breach, and must cooperate with the owner in responding to it, including reporting the date or approximate date and nature of the breach and the steps the provider has taken or plans to take. The owner or licensee carries the direct obligation to notify affected residents, so service contracts should fix a concrete reporting deadline and channel rather than rely on the statute's "immediately."
Entities With Separate Compliance Frameworks
Section 50 of 815 ILCS 530 provides that entities subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) are deemed in compliance with the Act if they follow their federal breach notification procedures. These entities must still notify the Illinois Attorney General within five business days of notifying the U.S. Secretary of Health and Human Services.
Financial institutions regulated under the Gramm-Leach-Bliley Act that maintain their own breach notification procedures also satisfy Illinois requirements when following their federal regulator's standards.
What Qualifies as a Breach of Security
Under Section 5 of 815 ILCS 530, a "breach of the security of the system data" means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.
The statute turns on unauthorized acquisition rather than mere unauthorized access. Good-faith acquisition by an employee or agent for a legitimate purpose of the data collector is not a breach, provided the information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure. The distinction cuts the other way for intrusions: an attacker who reached a system holding personal information has not necessarily "acquired" it, but unless logs can show the data was not read or copied, the data collector will usually be unable to rule acquisition out and should plan for notification.
The Encryption Safe Harbor
Illinois builds its encryption safe harbor into the definition of personal information in Section 5. Data elements that are encrypted or redacted do not count as personal information, so their acquisition is not a notifiable breach, unless the keys to unencrypt or unredact them were also acquired without authorization through the breach.
The practical test is what the attacker ended up holding, not whether encryption was enabled somewhere. Full-disk or database-level encryption protects a stolen backup or a decommissioned drive, but it does nothing for data pulled through an application that had the key loaded, or copied from a host where the key sat in a configuration file next to the data. Keys held in a separate key-management service, with access logging that can show the key was never retrieved by the attacker, are what make the safe harbor defensible. If the attacker obtained both the ciphertext and the key, the full notification requirements apply.
Personal Information That Triggers Notification
Illinois defines personal information in two categories under Section 5 of 815 ILCS 530.
Category 1 requires the individual's first name or first initial and last name combined with any one or more of the following data elements:
- Social Security number
- Driver's license number or state identification card number
- Financial account number or credit or debit card number, or such a number in combination with any required security code, access code, or password that would permit access to the individual's financial account
- Medical information, including any data regarding an individual's medical history, mental or physical condition, or diagnosis or treatment by a healthcare professional
- Health insurance information, including policy or subscriber numbers, unique identifiers, and any medical information in applications, claims histories, or appeals records
- Unique biometric data generated from measurements or analysis of human body characteristics used for authentication, including fingerprints, retina or iris images, and other unique physical or digital representations of biometric data

Category 2 covers a resident's username or email address combined with a password or security question and answer that would permit access to an online account. This category does not require the individual's name.
Personal information does not include publicly available data lawfully obtained from federal, state, or local government records.
Biometric Data and BIPA Overlap
Illinois is one of only a few states that includes biometric data in its breach notification trigger. This creates dual obligations when biometric information is compromised. A breach involving fingerprints, facial scans, or iris images triggers notification under 815 ILCS 530, and may also expose the organization to a private right of action under BIPA (740 ILCS 14) if the data was collected without proper consent.
In August 2024, Governor Pritzker signed SB 2979 amending BIPA to provide that a private entity that collects or discloses the same biometric identifier from the same person using the same method commits a single violation, however many times it does so, and to recognize electronic signatures as a valid written release. This narrowed per-person damages exposure under BIPA but did not change the breach notification requirements under 815 ILCS 530.
Notification Timeline and Requirements
When to Notify
Section 10 of 815 ILCS 530 requires notification "in the most expedient time possible and without unreasonable delay." Unlike many states that set a specific day count (such as 30 or 60 days), Illinois uses a reasonableness standard.
The clock starts after the data collector discovers or is notified of the breach. The statute permits delay only to determine the scope of the breach and restore system integrity, or when law enforcement provides a written request that notification would interfere with a criminal investigation.
Who Receives Notification

Affected residents must receive individual notice at no charge. Under Section 10(a), the notice must include at least:
- Toll-free numbers and addresses for the consumer reporting agencies
- The toll-free number, address, and website address of the Federal Trade Commission
- A statement that the individual can obtain information from those sources about fraud alerts and security freezes
The notice must not state the number of Illinois residents affected by the breach. For breaches of Category 2 information (username or email address with password or security question and answer), the notice may instead be provided in electronic or other form that directs the resident to promptly change the password or security question and answer, or to take other steps to protect any online account that uses the same credentials. If the compromised credentials are for an email account furnished by the data collector, notice to that email address does not satisfy the statute; the data collector must use another permitted method or display a clear and conspicuous notice when the resident next connects to the account from a location the data collector knows the resident customarily uses.

Illinois Attorney General: A private data collector that is required to notify more than 500 Illinois residents of a single breach must also notify the AG, in the most expedient time possible and without unreasonable delay, and in no event later than when it notifies the affected residents. State agencies must notify the AG when a breach affects more than 250 residents. The AG notification must include the nature of the breach, the number of Illinois residents affected at the time of notification, and the steps taken or planned in response. The AG may publish the name of the data collector, the types of personal information compromised, and the date of the breach.
Credit reporting agencies: State agencies must notify all nationwide consumer reporting agencies when 1,000 or more individuals are affected.
How to Notify
The law permits three methods of individual notice under Section 10(c):
- Written notice sent to the resident's last known address
- Electronic notice that complies with the federal Electronic Signatures in Global and National Commerce Act (E-SIGN)
- Substitute notice when the cost of direct notification exceeds $250,000, more than 500,000 Illinois residents are affected, or the data collector lacks sufficient contact information. Substitute notice requires email (if available), conspicuous posting on the data collector's website, and notification to statewide media
To report a breach to the Attorney General, businesses use the OAG Data Breach Notice System or email Datasecurity@ilag.gov.
State Agency Requirements
Section 12 of 815 ILCS 530 imposes additional requirements on Illinois state agencies. Beyond the lower AG notification threshold (a breach affecting more than 250 residents, reported in the most expedient time possible and in no event later than 45 days after discovery), state agencies must:
- Report breaches to the General Assembly within 5 business days of discovery or notification, outlining corrective measures taken
- Submit annual reports listing all breaches and the corrective measures taken to prevent recurrence
State agencies must also identify the threat actor, if known, when reporting to the General Assembly. These additional reporting layers reflect the heightened accountability expected of government data custodians.
Enforcement and Penalties

Consumer Fraud Act Enforcement
Section 20 of 815 ILCS 530 declares that any violation of the Personal Information Protection Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505). This gives the Illinois Attorney General broad enforcement authority.
Under Section 7 of 815 ILCS 505, the AG can seek:
- Injunctive relief to stop ongoing violations
- Civil penalties up to $50,000 per violation
- Additional penalties up to $50,000 per violation when the defendant acted with intent to defraud
- Extra penalties up to $10,000 per violation when the victim is 65 years or older
- Restitution for affected consumers, which takes priority over civil penalties
Private Right of Action
The Personal Information Protection Act does not create a direct private right of action. Individuals cannot sue a data collector solely for failing to notify them of a breach. However, consumers can bring claims under the Consumer Fraud and Deceptive Business Practices Act if they can demonstrate actual damages resulting from the violation.
When a breach involves biometric data, affected individuals may have a separate cause of action under BIPA (740 ILCS 14), which does provide a private right of action with liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, or actual damages if greater.
Data Disposal Penalties
Section 40 of 815 ILCS 530 requires that personal information be rendered unreadable and undecipherable when disposed of, through shredding, burning, pulverizing, or electronic destruction. Violations carry civil penalties of up to $100 per individual affected, capped at $50,000 per disposal instance.
Notable Illinois Breach Enforcement Actions
The Illinois Attorney General's office has actively enforced data breach requirements through multistate and state-level actions.
In a notable settlement, Attorney General Kwame Raoul joined a 50-state coalition that reached a $52 million agreement with Marriott International over the Starwood reservation database breach. From 2014 to 2018, intruders accessed approximately 131.5 million guest records. Illinois received $2.1 million from the settlement. Marriott agreed to implement a comprehensive information security program with zero-trust principles, mandatory third-party audits every two years for 20 years, and consumer protections including data deletion options.
Data Security Requirements
Beyond breach notification, Section 45 of 815 ILCS 530 requires all data collectors to implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure. While the statute does not prescribe specific technical standards, failing to maintain reasonable security and subsequently suffering a breach strengthens the AG's enforcement position.
More Illinois Laws
- Illinois Data Privacy Laws
- Illinois Recording Laws
- Illinois Hit and Run Laws
This article provides general legal information about Illinois data breach notification requirements. It does not constitute legal advice. Consult a qualified attorney licensed in Illinois for guidance on specific situations.
Sources and References
- Personal Information Protection Act, 815 ILCS 530 (ilga.gov)
- Illinois Attorney General Data Breach Reporting (illinoisattorneygeneral.gov)
- Consumer Fraud and Deceptive Business Practices Act, 815 ILCS 505 (ilga.gov)
- Consumer Fraud Act Section 7, Penalties (ilga.gov)
- Biometric Information Privacy Act, 740 ILCS 14 (ilga.gov)
- SB 2979, BIPA Amendment (ilga.gov)
- Marriott Data Breach Settlement (illinoisattorneygeneral.gov)