IL SB0707

State agencies collecting personal information on Illinois residents must notify affected residents without unreasonable delay upon discovery of a security breach, including toll-free numbers for consumer reporting agencies and Federal Trade Commission contact information.

Notification may be delayed if law enforcement determines it would interfere with a criminal investigation, but residents must be notified as soon as the investigation permits.

State agencies must notify the Illinois Attorney General within 45 days if a breach affects more than 250 residents, including the types of information compromised, number of affected residents, notification steps taken, and breach date/timeframe if known.

State agencies directly responsible to the Governor must notify the Chief Information Security Officer of the Illinois Department of Innovation and Technology within 72 hours of discovering a breach affecting 250+ residents or instances of aggravated computer tampering.

The Attorney General may publicly disclose the name of the breached agency, types of compromised information, and breach date range.