#DataInsecurity Digest Interview with Attorney General Lisa Madigan
NCL: Illinois is considered by many to have some of the strongest data breach notification and data security laws in the country. How would you describe the state of data security in Illinois? How have Illinois’ actions on data security affected the debate about data security nationally?
AG Madigan: Data security is one of the biggest challenges we face as a nation and Illinois is no exception. It’s an ongoing struggle for all Americans and the companies, non-profits and government agencies that hold our personal information. For more than a decade, my office has helped consumers clean up from identity theft damage and has investigated dozens of major breaches. In fact, we’ve helped more than 41,000 consumers remove more than $28 million worth of fraudulent charges.
At this point, Americans realize it’s not a matter of if, but when, they will be a victim of some form of identity theft. In this environment, Americans need and expect more transparency of data breaches. Not less.
NCL: Many data breach notification and data security laws were introduced in Washington, DC during the 114th Congress, but none of them was enacted into law. In the next Congress, what steps should policymakers at the federal level take to reduce incidences of data breaches and help consumers avoid the fallout?
AG Madigan: I’ve testified in support of federal data security legislation in both the U.S. House and Senate to share the concerns of Illinois consumers. They have told me they are concerned by the increasing number of breaches. They demand notification when their information is stolen. They want to know what they can do to protect themselves from identity theft. And they want to know whether companies are doing enough to prevent breaches and protect their information.
So a weak, national law that restricts what most state laws have long provided will not meet consumers’ increasing expectation that they be told when their information has been stolen. Instead, Congress should seek to pass legislation that ensures notification of breaches of information that can harm Americans. Therefore, the definition of “protected personal information” should be broad and include the growing amount of sensitive information that companies are collecting from consumers. I also think it’s vital that federal law not preempt state data breach laws.
NCL: Illinois has one of the nation’s strongest privacy laws in the country regarding biometric data — the Biometric Information Privacy Act. That law has been under scrutiny by the legislature and the courts this year. From your point of view, what is the benefit of this law to consumers, and what do you think the future holds for biometric privacy laws in Illinois and beyond?
AG Madigan: The Illinois Biometric Information Privacy Act (BIPA) offers enormous protections to consumers over biometric information and significantly reduces the risk of identity theft. At its core, BIPA requires companies to provide notice to and consent by consumers to use their biometric data, limits the scope of how the data can be used, requires companies to use reasonable security measures to protect the data and requires permanent destruction of biometric data within a set period of time. Importantly, BIPA prohibits the sale, lease or trade of biometric data.
NCL: From your point of view, what role should states play in protecting consumers from data breaches and also assisting them in the aftermath of a breach?
AG Madigan: The states have been inundated with consumers who need help understanding and recovering from breaches and identity theft damage. As a result, I created an Identity Theft Unit and Hotline back in 2006. The hotline, the first of its kind in the country, operates with real people who help consumers restore their credit when their information was obtained and used without their authorization.
In addition to direct consumer assistance, my office has conducted dozens of data breach investigations to confirm companies complied with state law by notifying customers of breaches within a reasonable time and to ensure entities suffering breaches took reasonable steps to protect consumers’ sensitive data from disclosure.
My office’s investigations have revealed that organizations too often fail to take basic data security precautions. We have found numerous instances where companies:
- Allowed sensitive personal data to be maintained unencrypted;
- Failed to install security patches for known software vulnerabilities;
- Collected sensitive data that was not needed;
- Retained data longer than necessary; and
- Failed to protect against compromised credentials.
The states’ role in consumer education is critical. My office has held about 30 roundtables on data breaches throughout Illinois, with more than 1,000 consumers, including local government officials, chambers of commerce, law enforcement, small business owners, banks, religious leaders, senior citizens, hospitals and heads of social service agencies.
NCL: In 2005, you successfully shepherded the Personal Information Protection Act (PIPA), which included a data breach notification requirement, into law. This year, you advocated for a new bill, House Bill 1260, which significantly strengthens PIPA. How will the new bill affect Illinois consumers?
AG Madigan: My office spearheaded significant updates to the Illinois Personal Information Protection Act (PIPA) that provide some of the most significant enhancements today in protecting consumers’ data security. With the passage and enactment of House Bill 1260, Illinois maintains its status as having one of the strongest breach notification and data security laws in the country.
Key changes to PIPA include:
- Expanding the definition of Personal Information to include the following new triggering elements, when combined with an individual’s first name or first initial and last name:
  - Medical information;
  - Health insurance information;
  - Unique biometric data generated from measurements or technical analysis of human body characteristics (e.g., fingerprint, retina/iris scan, etc.);
  - Username or email address plus a password or security question and answer that would permit access to an online account;
- Specifying that a breach of encrypted Personal Information requires breach notification IF the encryption key is accessed without authorization;
- Requiring data collectors to implement and maintain reasonable data security measures to protect records from unauthorized access, acquisition, destruction, use, modification, or disclosure;
- Notifying my office of State Agency breaches involving more than 250 residents; and
- Implementing a modification to the Substitute Breach Notice by non-state agencies to allow for notification to local media vs. statewide media if impacted consumers are within a limited geographic area and are likely to be notified.
NCL: In recent months, we’ve also learned of possibly state-sponsored hacks of a number of states’ voting systems. The state of Illinois was one of those targets, suffering a cyber attack that allowed hackers to access up to 200,000 voter registration files and forcing Illinois’ voter registration database to shut down for two weeks. Recognizing that it’s still early in the process, what lessons have you learned from this attack and what advice would you give to other state leaders on this issue?
AG Madigan: There is currently an ongoing federal investigation into that data breach. I think this breach is yet another example of why we need to ensure that we are taking all the steps we can to protect consumers’ personal information.
NCL: Your office has taken a leading role in promoting good cyber citizenship by promoting “Secure It Days” where students identify and fix vulnerabilities in their online presence by taking steps such as updating their antivirus protections or strengthening their passwords. What other steps is your office taking to help educate consumers and businesses on the importance of good cyber hygiene?
AG Madigan: My office holds “Secure It Days” to provide students advice and real-life scenarios on the safest ways to use the Internet, apps and online games.
We also train students and their parents through the work of my office’s Internet Safety Specialists. Through a grant from the U.S. Department of Justice, my office runs the Internet Crimes Against Children (ICAC) Task Force. So far, we have provided Internet safety trainings and education to more than 530,000 parents, teachers and students and more than 20,000 law enforcement professionals. During these safety trainings and discussions students, parents, and teachers alike are able to work together to learn best practices in staying safe online.
Published by National Consumers League’s #DataInsecurity Digest
September 14, 2016