Governor Bruce Rauner signed several new provisions into law amending Illinois’ Personal Information Privacy Act, adding health insurance and medical information to the definition of personal information that triggers notification in the event of a breach.

Health insurance information under the law includes an individual’s health insurance policy number or subscriber identification number as well as the content of an individual’s application and information provided to a health insurer through a website or mobile application.

The law also treats biometric information, including fingerprint, retina, and iris images, as personal information that requires notification, as well as user names or email addresses in combination with passwords or answers to security questions.

Interestingly, the new law also requires health care providers to notify the Illinois Attorney General within 5 days of notifying the Office for Civil Rights of a data breach pursuant to the HIPAA breach notification regulations. This is a first of its kind and is significant since the definition of a breach of security is not the same in the two statutes.

The new law does not recognize a safe harbor for encrypted information if the key was, or is reasonably believed to have been, acquired in the data breach.

Finally, following Massachusetts, Rhode Island and Connecticut, the Illinois law requires all businesses to “implement and maintain reasonable security measures” including adding data security provisions in all contracts when personal information is disclosed to a third party.

This provision emphasizes regulators’ continued interest in companies requiring downstream vendors to protect the data in the same manner as the company, and the importance of vendor management and contractual provisions.

The new law goes into effect on January 1, 2017.