On August 21, 2015, Illinois Governor Bruce Rauner vetoed legislation that would have modified the state’s data breach notification law.  Illinois’ Personal Information Protection Act (the “Act”) was enacted in 2005 to protect consumers from the consequences of a data breach.  The legislation, Senate Bill 1833, proposed to amend the Act by expanding the scope of protected information to encompass medical, health insurance, biometric, consumer marketing and geolocation information.  The measure also would have required that notification of a covered breach be provided to the state Attorney General within 30 business days, and that affected entities post their privacy policies online.   

In his veto message to the General Assembly, Governor Rauner expressed concern that the bill as currently written went too far and imposed “duplicative and burdensome requirements that are out-of-step with other states.”  He further contended that the bill’s requirements would hinder the state’s economic competitiveness.  Governor Rauner, a Republican who is serving his first term, also lamented “over-regulation” in the state, indicating that Illinois already suffers from a “hostile economic environment” that impedes efforts to “grow [Illinois’] economy, create new jobs, and generate more tax revenue through economic expansion.”

The Governor proposed removing “consumer marketing information” and “geolocation information” from the types of protected personal information, contending that both represent significant departures from other states’ data protection laws.  Along these lines, he also recommended changing the time period within which notice of security breaches must be made to the Attorney General from 30 business days to within 45 calendar days, and deleting language regarding the posting of privacy policies. 

The Governor indicated that he would sign the legislation once his recommended changes have been adopted.  The Illinois legislature is expected to return from summer recess on September 9 and, upon receiving the Governor’s veto message, will have 15 days to accept the recommended amendments, or override the veto.  A 3/5 vote in both houses is required to override the veto. 

The Illinois business community has engaged in significant lobbying on this legislation since its introduction in February of this year.  While the Governor’s veto is seen as a victory for business, it remains unclear the next steps that the General Assembly will take, particularly with a battle looming in the fall between the Governor and the General Assembly over budget matters. 

In related activity, the National Association of Attorneys General recently sent a letter to Congress criticizing pending federal legislation that would preempt the states’ role in data breach notification and data security matters.  

Reporters, Claudia A. Hrvatin, Washington, DC, + 1 202 661 7950, chrvatin@kslaw.com and Lauren M. Donoghue, Washington, DC, +1 202 626 8999, ldonoghue@kslaw.com.