DBN Statutes – Illinois

Data Breach Notification Statutes – Illinois

Last Updated: 02/28/2024

  • Applicable Statute: 815 ILCS 530/- Personal Information Protection Act.
  • Attorney General Notice Required Yes if more than 500 Illinois residents are impacted.
    • Timing: Notice must be provided as expediently as possible and without unreasonable delay but in no event later than the date notice is provided to consumers.
    • Method: Email Databreach@ilag.gov
    • Content :
      • A description of the nature of the breach of security or unauthorized acquisition
      • the date of the breach
      • the number of Illinois residents affected by such incident at the time of notification, and
      • any steps the Entity has taken or plans to take relating to the incident.
      • If the date of the breach is unknown at the time the notice is sent to the Attorney General, the data collector shall send the Attorney General the date of the breach as soon as possible.
  • Consumer Notice Requirements:
    • Timing: Most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the system.
    • Method: Written notice, or electronic notice if consistent with E-SIGN. If the breach involves usernames or email addresses, notice may be made by electronic or another form.
    • Content: The notice must include the toll-free numbers and addresses for consumer reporting agencies and the FTC, the website address for the FTC, and a statement that the individual can obtain information from these sources about fraud alerts and security freezes.
    • If the breach involves usernames or email addresses, notice should direct the individual to promptly change his or her username or password and security question or answer, or to take other steps appropriate to protect online accounts using the same login information.
Please Note: The information provided on this website does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. This website contains links to other third-party websites. Such links are only for the convenience; Klinedinst PC and its attorneys do not recommend or endorse the contents of the third-party sites. Readers of this website should contact an attorney to obtain advice with respect to any particular legal matter. No reader, user, or browser of this site should act or refrain from acting on the basis of information on this site without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, Klinedinst PC or its attorneys. Content included on this site is subject to change and users should note the date of last update when reviewing such contents. The content is provided "as is;" no representations are made that the content is error-free. Klinedinst PC has offices in several US states but does not practice law where its attorneys are not licensed. While this website refers to the laws of all 50 states, Klinedinst PC does not practice law in a several such states and visitors of this website are put on notice that neither Klinedinst PC, nor its attorneys, are or will provide legal advice for states where its attorneys are not licensed.

Data Breach Notification Statutes

Practice Attorneys


Related Practice Areas



Subscribe to Privacy and Data Security Newsletter

* indicates required