In today’s digital world, cybersecurity is no longer an option – it’s essential. Whether you’re a business handling customer data or an individual concerned about your digital footprint, knowing your rights and responsibilities is critical.

Cybersecurity laws serve several crucial purposes. They establish standards for protecting sensitive information, outline consequences for cybercrimes, mandate breach disclosures and empower the government to respond to threats. As cyberattacks have increased in scale and sophistication, impacting everything from critical infrastructure to hospitals, legal frameworks have had to evolve quickly to keep pace with technology.

The sheer scale of the threat is staggering. According to a 2024 report by a noted cybersecurity company, global cybercrime damage is expected to hit $10.5 trillion by the end of this year. These damages include stolen data, destroyed reputations, disrupted services and costly ransom payments. With so much at stake, governments have found it necessary to regulate the digital domain with increasing urgency.

Illinois has one of the more robust sets of cybersecurity laws in the country. While there are plenty of laws at the federal level, Illinois has been at the forefront of enacting a set of enhanced protections for the public which, in turn, has placed increased burdens on the business world.

Here’s a breakdown of the most important Illinois laws protecting your data and what businesses and individuals need to know to stay protected:

Personal Information Protection Act

The Personal Information Protection Act (PIPA) is the backbone of the state’s data breach notification and information security requirements. It applies to any public or private organization that handles the personally identifiable information of Illinois residents.

The Personal Information Protection Act is designed to protect personal information such as Social Security numbers, passport numbers, driver’s license numbers, credit and debit card numbers, financial account numbers, medical and health insurance account numbers and security codes. Information that is lawfully made available to the general public from federal, state or local government records is not considered personally identifiable information, nor is information that is encrypted or redacted, provided the keys or other means of access have not also been obtained.

Under PIPA, all organizations are required to implement administrative, technical and physical safeguards for personally identifiable information. In the event of a breach, the organization must notify the affected individuals “in the most expedient time possible and without unreasonable delay” after discovery of the breach. Notices must include FTC and credit reporting agency contact information, fraud alert guidance and an explanation of the steps that individuals should take. Moreover, the attorney general’s office must be notified if the breach affects more than 500 people. If your business stores data on behalf of others, notice obligations also apply when that data is breached.

Violations can lead to fines and damages under the Consumer Fraud and Deceptive Business Practices Act.

The Personal Information Protection Act also requires organizations to dispose of personally identifiable information (both paper and electronic) when it is no longer needed. Paper records can be shredded, burned or destroyed by other similar methods. Electronic personally identifiable information must be made unreadable and unrecoverable.

There is a lot of detail in PIPA, but it does not provide specific guidance for establishing appropriate standards. Federal data protection laws do provide some guidance, but that is beyond the scope of this article, so it is best to consult a professional to make sure you understand your obligations and, in the unfortunate event of a breach, that you take all of the correct steps.

Biometric Information Privacy Act

The Biometric Information Privacy Act (BIPA) was enacted in 2008, making Illinois the first state to enact biometric privacy protections. If Facebook wrote you a check as a result of its $650 million class action settlement, it was thanks to BIPA.

Biometric data covers things like retina or iris scans, facial geometry, palm prints or fingerprints and voiceprints – basically, unique markers that cannot be changed.

The Biometric Information Privacy Act requires that written consent be obtained before collecting biometric data. Moreover, a data retention and deletion policy must be established and made available to those affected. Finally, it requires that entities take reasonable care to store and transmit biometric data securely. Biometric data cannot be kept longer than three years after it was last collected.

Violations can rack up significant damages, especially as Illinois courts have held that each violation constitutes a separate cause of action. This means that a plaintiff can sue for each instance in which a company collected, stored or disseminated biometric data without proper consent or procedures. Given that negligent violations are $1,000 per violation, while a willful or reckless violation comes in at $5,000, this can lead to significant penalties, especially in class actions.

Accordingly, any entity that uses biometric data should adopt best practices. Those practices would include:

• Reviewing all technology to determine if biometric data is being captured

• Reviewing insurance policies to determine if there is coverage for a violation

• Updating employee handbooks

• Implementing a process for obtaining written consent every time biometric data is collected

• Making sure that consent is documented and saved

Illinois continues to lead in data protection and privacy law. Businesses operating in or serving residents of Illinois should regularly review their cybersecurity policies, conduct risk assessments and monitor legal developments. If you are a business, compliance is not just about avoiding penalties; it is about building trust. If you are an individual, these laws offer vital tools to protect your digital life.
