On January 27, 2012, the Illinois Attorney General released guidance for businesses to prevent, prepare for, and respond to data security breaches. Information Security and Security Breach Notification Guidance reminds businesses and government agencies of their obligation to comply with Illinois law to guard against security breaches and provide notice in the event of an incident. The guidance identifies five (5) key principles for safeguarding information: (1) take stock; (2) scale down; (3) lock it; (4) pitch it; and (5) plan ahead.
The guidance also provides recommendations on how to prepare for a security breach, including the creation of an information security program and an incident response plan. In addition, the guidance provides recommended steps for responding to a security breach, a list of requirements under the Illinois Personal Information Protection Act, and practical considerations for security breach notification. Notably, the Illinois statute was amended effective January 2012 to require security breach notifications to include: (1) toll-free numbers and addresses for credit reporting agencies; (2) the toll-free number, address, and website for the Federal Trade Commission; and (3) a statement that an individual can obtain information from these sources about fraud alerts and security freezes.