← All US breach laws·IL

Illinois data breach notification law

Illinois's data breach notification requirements under 815 ILCS 530/1 et seq. (Personal Information Protection Act). Below: the resident-notification deadline, AG/regulator filing threshold, the encryption safe harbor, private right of action exposure, penalty schedule, and the common pitfalls that turn an avoidable incident into a regulator enforcement action.

Statute
815 ILCS 530/1 et seq.
Enforcer
Illinois Attorney General
AG notification
Required
Private right of action
No (AG-only enforcement)

Notification deadlines

Notify affected residents
In the most expedient time possible and without unreasonable delay
Notify the state regulator
Yes — if more than 500 Illinois residents are affected, written notice to the AG within 45 days
Notify consumer reporting agencies
Yes — if more than 1,000 residents, notify nationwide CRAs

When is notification required?

Trigger / harm threshold
Notification required on unauthorized acquisition — Illinois is largely a no-harm-threshold state; the encryption safe harbor is the primary exception
Encryption safe harbor
Yes — properly encrypted personal information is generally exempt from notification, provided the encryption key was not also compromised.

What counts as "personal information" under Illinois law

First name/initial + last name with SSN, DL/state ID, financial account + access code, medical info, health-insurance info, biometric data, OR username/email + password/security Q&A; ALSO standalone medical info that 'compromises the security, confidentiality, or integrity' of an Illinois resident

Penalties and enforcement

Under PIPA and the Consumer Fraud Act — civil penalties up to $50,000 per violation; BIPA private right of action for biometric data ($1,000–$5,000 per violation)
Enforced by: Illinois Attorney General. Official regulator page →

Common pitfalls

Illinois BIPA private right of action for biometric data has produced 9-figure class actions — biometric breaches carry separate litigation risk
Illinois treats medical info as PI on its own — separate health-data inventories needed

Frequently asked questions

How long do I have to notify Illinois residents after a data breach?
In the most expedient time possible and without unreasonable delay
Do I have to notify the Illinois Attorney General?
Yes — if more than 500 Illinois residents are affected, written notice to the AG within 45 days
Does Illinois require notification to nationwide consumer reporting agencies?
Yes — if more than 1,000 residents, notify nationwide CRAs
Is encrypted data exempt from Illinois's breach notification requirement?
Yes — Illinois has an encryption safe harbor. Breaches of properly encrypted personal information generally do not trigger notification, provided the encryption key was not also compromised.
Can Illinois residents sue me directly for a data breach?
No — Illinois's breach statute does not provide a direct private right of action. Residents typically must rely on the AG to enforce, or pursue common-law negligence claims.
What counts as 'personal information' under Illinois law?
First name/initial + last name with SSN, DL/state ID, financial account + access code, medical info, health-insurance info, biometric data, OR username/email + password/security Q&A; ALSO standalone medical info that 'compromises the security, confidentiality, or integrity' of an Illinois resident
What are the penalties for failing to comply with Illinois's breach notification law?
Under PIPA and the Consumer Fraud Act — civil penalties up to $50,000 per violation; BIPA private right of action for biometric data ($1,000–$5,000 per violation)

Related state breach laws

Hawaii (HI)
Haw. Rev. Stat. §§487N-1 to 487N-7
Idaho (ID)
Idaho Code §§28-51-104 to 28-51-107
Indiana (IN)
Ind. Code §§24-4.9-1 to 24-4.9-5
Iowa (IA)
Iowa Code §§715C.1

Pre-empt the Illinois breach notice — audit your policy now

ComplianceIQ runs a free audit of your privacy policy and incident-response language against Illinois's statutory requirements. You'll see every gap before you have to use it for real.

Run free policy audit