Illinois has updated its breach notice law to require, effective January 1, 2020, notice to the Illinois Attorney General of a data breach involving more than 500 Illinois residents.

The law contains specific requirements about what content to include in the notice to the AG. The notice must include a description of the breach, the number of Illinois residents affected, and the steps taken related to the incident. Companies must notify the Attorney General at or before the time notice is provided to consumers. Finally, the legislation authorizes the Attorney General to publish information related to the breach. This includes the company name, the information compromised and when the breach occurred.

Putting it Into Practice: Companies who have nationwide breach notice plans should keep in mind not only that the Illinois AG will require notice beginning in January if more than 500 Illinois residents have been impacted, but also that there are timing requirements (at the same time as notice to individuals) content requirements, and the notice may be published by the AG.