- Illinois Governor Bruce Rauner issued an amendatory veto on a data breach notification bill that would have extended the type of information to be protected to include medical, health insurance, biometric, consumer marketing, and geolocation information.
Illinois Senate Bill 1833 “goes too far,” Rauner explained in a letter to Senate and General Assembly members. The proposed legislation includes “duplicative and burdensome requirements” that other states do not have, he added, and such requirements will hurt the state economy. Specifically, Rauner said that including geolocation information and consumer marketing data in the types of protected information is unnecessary.
“Compared to other types of personal information, the unauthorized release of consumer marketing and geolocation information does not pose the same risk of identity theft that justifies the extraordinary and costly security and notice requirements imposed by the Personal Information Protection Act,” Rauner wrote.
The bill also proposed changing the data breach notification timeline to 30 days, while Rauner said that a 45-day timeline was more in line with what other states required and that this would “ease the burden of compliance across multiple states.”
Rauner added that while consumers do need to have certain protections, the current version of SB 1833 has too many regulations.
“We need to break the cycle of taxation and regulation that has created a hostile economic environment in order to grow our economy, create new jobs, and generate more tax revenue through economic expansion,” he explained.
For health information specifically, Rauner requested that one section of SB 1833 be altered to specify that “medical information” in an individual’s health insurance application and claims history be considered part of the protected “health insurance information.” The current version of the amendment instead says that “information” in an application and claims history be included.
The definition of medical information also needs to be slightly altered, according to Rauner. Specifically, instead of it just being “health information provided to a website or mobile application” to “such information provided to a website or mobile application.”
When Rauner’s proposed changes have been made to SB 1833, he concluded that he would approve the legislation.
Some organizations have come out in support of Rauner’s decision. Carl Szabo, policy counsel for NetChoice, explained in an opinion piece for the Journal Gazette & Times-Courier that the bill treats a health data breach the same way as a breach that shows when pizza was last ordered.
“The bill levies excessive and burdensome requirements on Illinois small businesses, uniquely forcing them to spend thousands of unnecessary dollars on legal fees to write privacy policies that are customized for Illinois just for the privilege of doing business over the Internet,” Szabo wrote. “Perplexingly, the law would treat an order collected through a website differently from an order taken in person or over the phone and then stored in the same database.”
Szabo added that such policies will not make consumers safer. Instead, data breaches need to be proactively prevented and small business should not be penalized in the process.
“Governor Rauner now has an opportunity before him to correct the overreaching aspects of this bill by keeping its focus upon actual threats to the consumer public rather than concocting nationally unprecedented barriers,” he explained. “He has a chance to provide clarity and focus so that law enforcement has the ability to protect victims and find and apprehend criminals.”