Illinois law requires certain businesses and state government agencies that experience a data security breach to provide notice to the Illinois Attorney General’s Office in addition to providing breach notification to affected Illinois residents. To assist them in complying with this requirement, the Illinois Attorney General’s Office has created a dedicated email address for breach reporting.
To report a data security breach, please email Databreach@ilag.gov.
To discuss a data security breach or security event that has triggered or may trigger breach notification to Illinois residents, or to submit a consumer breach notification template or information about an offer of credit monitoring or fraud detection services, please email Datasecurity@ilag.gov or contact the Attorney General’s Office at 1-800-243-0618. Individuals with communication disabilities can simply dial 7-1-1.
Additionally, those data collectors covered under §12(e) and §50 of this Act must notify the Illinois Attorney General’s Office as follows:
Any State agency that suffers a single breach of the security of the data concerning the personal information of more than 250 Illinois residents shall provide notice to the Attorney General of the breach, including:
Such notification must be made within 45 days of the State agency’s discovery of the security breach or when the State agency provides any notice to consumers required by this Section, whichever is sooner, unless the State agency has good cause for reasonable delay to determine the scope of the breach and restore the integrity, security, and confidentiality of the data system, or when law enforcement requests in writing to withhold disclosure of some or all of the information required in the notification under this Section. If the date or timeframe of the breach is unknown at the time the notice is sent to the Attorney General, the State agency shall send the Attorney General the date or timeframe of the breach as soon as possible.
Any covered entity or business associate that is subject to and in compliance with the privacy and security standards for the protection of electronic health information established pursuant to the federal Health Insurance Portability and Accountability Act of 1996, and the Health Information Technology for Economic and Clinical Health Act, shall be deemed to be in compliance with the provisions of this Act, provided that any covered entity or business associate required to provide notification of a breach to the Secretary of Health and Human Services pursuant to the Health Information Technology for Economic and Clinical Health Act also provides such notification to the Attorney General within five business days of notifying the Secretary.
Please include the following in any OAG breach notification to simplify the process and minimize the need for the Illinois Attorney General’s Office to request additional information: