Attorney General issues Annual Information Security Prevention Guide
CHICAGO, IL — In advance of Data Privacy Day Jan. 28, Illinois Attorney General Lisa Madigan released a 2012 guide for Illinois businesses to better protect consumers’ personal information and help prevent identity theft.
“Illinoisans are vulnerable to identity theft and fraud when security breaches occur,” Madigan said. “That’s why businesses that collect personal information have an obligation to comply with Illinois law to avoid breaches and take action to inform consumers when breaches occur. Today, I’m providing guidance to Illinois businesses and government agencies on how to prevent, prepare for and respond to security breaches appropriately.”
More than 550 breaches involving more than 30 million records occurred in 2011, according to the Privacy Rights Clearinghouse. Many of the breaches involved sophisticated computer hackers who accessed networks through highly technical means. While protecting against network intrusions and hacking is important, Madigan said businesses and government agencies should also focus efforts to protect against low-tech breaches. When documents containing personal information are discarded in public, identity thieves have easy access to the information they need to commit fraud.
In releasing her Information Security & Security Breach Response Guide, Madigan encouraged businesses and government agencies to establish an Information Security Program to understand the scope of the personal information they collect and to train employees how to properly maintain and handle information to prevent security breaches, which in turn can help prevent identity theft. The guide can be found on the Attorney General’s website at: http://www.illinoisattorneygeneral.gov/consumers/Security_Breach_Notification_Guidance.pdf
Madigan also noted that a new state law aims to reduce the threat of low-tech identity theft. As of Jan. 1, the Illinois Personal Information Protection Act requires entities to dispose of materials containing personal information in a manner that renders the information unreadable, unusable and indecipherable. This includes redacting, burning, pulverizing or shredding paper documents, and destroying or erasing electronic media so that personal information cannot be read or reconstructed.
While entities that suffer security breaches have been obligated under Illinois law to notify affected individuals since 2006, the law now requires specific information to be included in the breach notification letter. Under the recent amendments to the Personal Information Protection Act, the notification must now include:
- Toll-free numbers and addresses for consumer reporting agencies,
- Toll-free number, address and website for the Federal Trade Commission, and
- Statement that the individual can obtain information from these sources about fraud alerts and security freezes.
By developing a comprehensive data security policy, businesses will be better suited to respond to the discovery of a security breach. Madigan encouraged businesses and consumers to contact her office’s Identity Theft Hotline at 1-866-999-5630 to learn how to better protect personal information.
Data Privacy Day aims to unite businesses, individuals, government agencies, nonprofit groups and academics in a dialogue about how personal data should be collected, used and stored.