Office of the
Illinois Attorney General
Kwame Raoul

Data Breach Reporting for Businesses and State Government Agencies

Illinois law requires certain businesses and state government agencies that experience a data security breach to provide notice to the Illinois Attorney General’s Office in addition to providing breach notification to affected Illinois residents. To assist them in complying with this requirement, the Illinois Attorney General’s Office has created a dedicated email address for breach reporting.

To report a data security breach, please email Databreach@ilag.gov

To discuss a data security breach or security event that has triggered or may trigger breach notification to Illinois residents, or to submit a consumer breach notification template or information about an offer of credit monitoring or fraud detection services, please email Datasecurity@ilag.gov or contact the Attorney General’s Office at 1-800-243-0618. Individuals with communication disabilities can simply dial 7-1-1.

Pursuant to the Illinois Personal Information Protection Act, 815 ILCS 530/1 et seq., any entity that conducts business in the State of Illinois and, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information is required to disclose, in the most expedient time possible and without unreasonable delay, a data security breach of personal information concerning Illinois residents.

Additionally, those data collectors covered under §12(e) and §50 of this Act must notify the Illinois Attorney General’s Office as follows:


Sec. 12(e) Notice to the Attorney General by State Agencies

Any State agency that suffers a single breach of the security of the data concerning the personal information of more than 250 Illinois residents shall provide notice to the Attorney General of the breach, including:

  • The types of personal information compromised in the breach.
  • The number of Illinois residents affected by such incident at the time of notification.
  • Any steps the State agency has taken or plans to take relating to notification of the breach to consumers.
  • The date and timeframe of the breach, if known at the time notification is provided.

Such notification must be made within 45 days of the State agency’s discovery of the security breach or when the State agency provides any notice to consumers required by this Section, whichever is sooner, unless the State agency has good cause for reasonable delay to determine the scope of the breach and restore the integrity, security, and confidentiality of the data system, or when law enforcement requests in writing to withhold disclosure of some or all of the information required in the notification under this Section. If the date or timeframe of the breach is unknown at the time the notice is sent to the Attorney General, the State agency shall send the Attorney General the date or timeframe of the breach as soon as possible.


Sec. 50. Entities subject to the federal Health Insurance Portability and Accountability Act of 1996

Any covered entity or business associate that is subject to and in compliance with the privacy and security standards for the protection of electronic health information established pursuant to the federal Health Insurance Portability and Accountability Act of 1996, and the Health Information Technology for Economic and Clinical Health Act, shall be deemed to be in compliance with the provisions of this Act, provided that any covered entity or business associate required to provide notification of a breach to the Secretary of Health and Human Services pursuant to the Health Information Technology for Economic and Clinical Health Act, also provides such notification to the Attorney General within five business days of notifying the Secretary.

Please include the following in any OAG breach notification to simplify the process and minimize the need for the Illinois Attorney General’s Office to request additional information:

  • The name of the person reporting, name of the business/entity/State agency and contact information.
  • The types of personal information that were compromised or are reasonably believed to have been compromised as a result of the breach.
  • A general description of the breach.
  • The date and timeframe of the breach, if known at the time notification is provided.
  • Whether the notification was delayed because of a law enforcement investigation (if applicable) and contact information for the applicable law enforcement representative.
  • The number of Illinois residents affected by the breach at the time of notification.
  • Any steps the business/entity/State agency has taken or plans to take regarding notification of the breach to consumers.
  • The date and types of any consumer data security breach notification that has been or will be sent to consumers (follow-up correspondence may be necessary; please include consumer notification template(s) if applicable).
  • The types, if being offered, of consumer credit monitoring/fraud prevention and detection services/identity theft monitoring (follow-up correspondence may be necessary; please include information about any monitoring service(s) if applicable).