Kwame Raoul was elected to the office of the Illinois Attorney General in November 2018 and took office in January 2019. Raoul, a Democrat, previously spent 14 years serving as an Illinois state senator. In this interview with The Privacy Advisor, Raoul discusses changes to his state's data breach law, whether his state could implement a privacy law similar to that of California's, and how businesses should take reasonable steps to protect consumer privacy.
The Privacy Advisor: Data breaches continue to dominate the news, and recently Illinois amended its data breach law (Senate Bill 1624) to add a requirement that your office be notified about any breach affecting more than 500 Illinois residents. The law also permits your office to publish the name of the data collector that suffered the breach, the types of personal information compromised and its date range. How do you think this law assists Illinois constituents? Are there additional changes you hope would be made to your state’s data breach notification laws?
Attorney General Kwame Raoul: SB 1624, which was signed into law as Public Act 101-343, is a change to our Illinois Protection Personal Information Act that is intended to ensure that Illinois consumers are informed about data breaches that potentially affect them. Prior to this update, (PPIA) required data breaches involving Illinois residents’ personal information to be reported to the attorney general’s office if the information was subject to the federal Health Insurance Portability and Accountability Act of 1996, the information was subject to the federal Health Information Technology for Economic and Clinical Health Act, and in certain circumstances, the data breach involved Illinois state government agencies.
The legislative sponsors of SB 1624 changed the notice requirements in current law to improve transparency about data breaches affecting Illinois consumers and help ensure that my office has timely access to information to better protect residents and provide individual assistance if needed. For instance, individualized assistance includes support from my office’s Identity Theft Unit, which is staffed with consumer advocates who can help consumers take steps to avoid identity theft or assist people who need to clean up their credit if they do become the victim of identity theft.
Despite Illinois’ strong data breach law, my office continues to monitor changes to other states’ laws and proposed federal legislation to determine whether Illinois’ requirements could be further strengthened.
The Privacy Advisor: In the same vein, businesses — and even governmental entities — are increasingly subject to coordinated, sophisticated cybersecurity threats. Are there any specific data security practices you recommend that businesses take that demonstrate they have taken reasonable efforts to protect the privacy of the data they hold? How can working with your office in the event of a breach help an affected business demonstrate good faith efforts toward compliance and potentially avoid a regulatory enforcement action?
Raoul: First of all, businesses can take the steps to more effectively protect consumers’ data: take stock of information collected, do not collect more information than needed, and develop an appropriate system to protect the data that is consistent with the entity’s size, financial capabilities and sensitivity of the information collected.
It may also be necessary for entities to consult with a professional in the data security industry. While doing so may require an initial financial investment, it can provide peace of mind by helping avoid potential disasters later.
It is important to note that a one-size-fits-all approach does not apply given the vast differences in data collectors’ size, scope and complexity. However, an information security program should contain security fundamentals such as segmentation, network access controls and account management, encryption, software patch management, and logging and monitoring. These fundamentals are crucial to ensuring that reasonable data security measures and privacy controls are in place.
My office has led and entered into many data breach multi-state settlements that can be used as guidance toward maintaining reasonable data handling practices. I have also developed guidance for small businesses that is posted on my website.
Like attorneys general around the country, my office enforces laws requiring data collectors to maintain reasonable data security measures to protect consumers’ personal information, provide notice to affected consumers in the event of a breach, and comply with other additional statutory requirements throughout the data collection lifecycle.
When an entity works with my office after experiencing a data breach, that entity is not only complying with Illinois law. It is also supporting efforts by my legal staff to help ensure we’re receiving information necessary to conduct a full investigation. This cooperation provides my office with a bigger picture of the privacy landscape across the marketplace and can inform my legislative and regulatory priorities.
The Privacy Advisor: Illinois is well known as a leader in the field of data privacy, especially regarding biometric data with Illinois' Biometrics Information Privacy Act. You have publicly noted your ongoing support of BIPA and noted you will oppose any efforts to weaken it. Other states, such as Washington and New York, are considering following Illinois’ lead. What do you think Illinois got right with BIPA, and what do you think other states should bear in mind as they consider their own laws governing biometric information?
Raoul: Biometric identifiers and information are the ultimate forms of sensitive information because they are unique to each person and should rightly be afforded heightened protection under the law. The law requires specific protections before collecting, capturing, purchasing or receiving biometric data through trade. Illinois’ law requires entities to develop a plan to protect biometric information, determine how long it will be retained, and importantly, disclose those details to individuals whose information is being collected.
Other states should also take into consideration, particularly as we face a pandemic, advanced infection detection screening software that utilizes facial and/or fingerprint biometrics to scan and monitor individuals entering group environments. Unlike mobile device contact-tracing applications that can send rapid automated notifications to exposed individuals and public health authorities simply by utilizing the spatial proximity Bluetooth sensors on a device, infection detection software developers are developing ways to input biometric tracking software into entry-door temperature scanning devices. Such scanning would allow establishments to actively track an individual’s whereabouts while that person is inside the establishment, which raises serious privacy concerns regarding consent and unlawful tracking, along with constitutional concerns regarding personal rights and freedoms.
Certainly, we must prioritize the health and wellness of our residents, which means taking steps to prevent the spread of COVID-19. However, we must also be cognizant of states’ statutory requirements for biometric data collection. As new laws are considered, consumers’ privacy and the secure handling of any sensitive data must also be prioritized. It is possible to make progress on the technological front and protect consumers’ privacy at the same time. Sacrificing strong statutory consumer protections will only harm the very consumers who stand to benefit from the development of new technology.
The Privacy Advisor: Other than biometric laws, the hottest topic in privacy may be the California Consumer Privacy Act, which went into effect Jan. 1. The CCPA, like the EU General Data Protection Regulation, greatly expands consumer rights regarding their right to access, delete and control their personal information. Do you foresee Illinois passing a comprehensive CCPA-type privacy law? And if so, how do you think Illinois might borrow — or depart — from the CCPA in crafting its own law?
Raoul: The Illinois General Assembly has evaluated numerous proposals similar to the CCPA. Illinoisans want to know that their personal information is protected, and they have a right to know who is collecting their data, for what purpose, and within reason, a right to request that data to be deleted if it is not needed. I will continue to work with the industries that collect this data to develop policies that afford consumers basic data protection rights that are also feasible for the entities collecting data.
Illinois consumers should receive just as much protection as California consumers have under the CCPA, if not more. Therefore, any similar Illinois legislation should be consistent with California’s law.
The Privacy Advisor: After the passage of the CCPA and GDPR, the federal government has also began considering a potential federal privacy law, holding hearings and announcing proposed legislation that cannot seem to gain bipartisan support on key issues such as preemption, enforcement and the existence of a private right of action. Do you believe that a federal law will be an effective way to protect consumer privacy? What type of privacy law, if any, would you like to see come out of Congress?
Raoul: The team of privacy experts in my office also lead the National Association of Attorneys General Privacy Working Group. Part of this group’s work includes following proposed federal legislation and, when appropriate, contacting legislators to express concerns or to urge support for measures being considered by Congress. As the states’ chief law enforcement officials, state attorneys general understand the importance of privacy to our residents, and we have firsthand experience assisting our residents through the fallout of data breaches and identity theft.
It is important for any federal privacy law passed to contain the same strong data rights and protections for consumers that I have advocated for in Illinois law, without preempting more protective state laws. It is also important for state attorneys general to have the authority to enforce federal law to protect Illinois consumers.
The Privacy Advisor: As we noted before, Illinois continues to be a leader on legislative topics related to privacy. What can people in the privacy field expect from Illinois and your office in general in the next year?
Raoul: I am committed to working with Illinois lawmakers and consumer advocates to advance policies that will improve protections of our residents’ personal data.
Illinois, like many states, continues to evolve government operations to balance serving the public and developing good public policy with implementing technology that will help us stop the spread of COVID-19. As I evaluate measures that will expand on my office’s historic leadership in the areas of protecting consumers’ data, I am cognizant that our legislative arena will look very different when the Illinois General Assembly next convenes.
As we navigate a reality that includes COVID-19, I look forward to working with my counterparts across the country, industry experts and other stakeholders to advance and enforce Illinois’ privacy laws.
Photo by Tucker Good on Unsplash
