Bill looks to secure personal data

Kevin Beese
Illinois Attorney General Lisa Madigan has made revamping the state's Personal Information Protection Act a major priority. Photo by John D. (Jay) Rockefeller IV

Illinois Attorney General Lisa Madigan has made revamping the state’s Personal Information Protection Act a major priority. Photo by John D. (Jay) Rockefeller IV

Target. Citibank. Sony. T.J. Maxx. Home Depot. Living Social. All major players in consumer financial transactions. All hit with data breaches in the past decade.

“Look at the history of the last year and the last 10 years,” said Abe Scarr, director of Illinois PIRG, a consumer group that touts its standing up to powerful interests. “We have had an alarming number of breaches which demonstrates not enough is being done to protect consumers.

“There are bad guys out there doing sophisticated work to get past the security systems of merchants and banks. Merchants and banks are not doing enough to keep consumer data safe. These breaches do real harm, not just financially, but psychologically too. They have a negative impact on people’s lives.”

Attorney General Lisa Madigan has made revamping the state’s Personal Information Protection Act a major priority.

Illinois was a leader in 2006 when it passed the Protection Act. However, nine years later, data collection has changed significantly while the Illinois law has not been updated.

“There is more information out there (other than what was covered in the initial act) that in the wrong hands could do harm to consumers,” Scarr said, noting that Illinois PIRG supports the proposed changes to the act.

The proposed changes in Senate Bill 1833, recommended by Madigan and championed by state Sen. Daniel Biss (D-Evanston), call for all entities that collect and store consumer data to meet a “reasonable standard” of data protection compared with other states in the region.

The revisions to the act also would now include biometric data, health insurance information and apps on phone, such as Facebook and Google Maps, which rely on a user’s location.

Biss’ legislation has made it out of the Senate and will now be considered in the state House.

“As more and more corporations hold more and more information about all aspects of our lives, protecting online data is more critical than ever,” Biss said. “Senate Bill 1833 breaks new ground by triggering consumer protections whenever breaches of location, marketing and medical data occur.

“It requires companies that have experienced a data breach to notify consumers, and also to tell the attorney general so the company can be listed on a website notifying customers of the breach. Finally, the bill requires companies to put reasonable security measures in place to avoid breaches when possible.”

Madigan noted that in the wake of widespread data breaches last year, identity theft ranks as a top concern with Illinois residents. Recognizing the need for great consumer protections amid increased threats of cyberattacks, Madigan said strengthening the data breach notification law must be done.

“Identity theft has long been a top concern for Illinois residents,” Madigan said. “But in light of last year’s massive data breaches, it is clearer than ever that much more must be done to protect sensitive data while ensuring that people know when their information has been compromised and what they should do to minimize the damage.”

Madigan noted her office received a total of 21,791 complaints in 2014. Of that number, 2,671 complaints were involving identity theft, second only to consumer debt complaints (mortgage lending, abusive debt-collection practices and predatory payday loans).

Scarr noted the Privacy Rights Clearinghouse has estimated that at least 815 million records have been breached in 4,495 cases made public since 2005. He noted one of the latest exploits, against Anthem, a health insurance company, not only affected up to 80 million consumers, but comprised among the richest troves of personal information seen by Illinois PIRG’s consumer program director in his 25 years of privacy research.

“It is impossible for consumers to participate in the modern economy without vast amounts of their personal information being collected, stored, transferred and sold,” Scarr said. “Data collectors collect and save too much information on consumers, keep it too long and often use it without consumer knowledge, let alone permission.”