The Illinois General Assembly has passed legislation that requires all companies and organizations, regardless of where they are based, to notify Illinois residents in the event of a security breach. The measure is modeled on a California law and follows the theft of more than 100,000 names from ChoicePoint earlier this year.

Gov. Rod Blagojevich proposed the legislation days after public disclosure of a massive security failure in October involving Georgia-based ChoicePoint, which resulted in the theft of personal information, including social security numbers, of approximately 145,000 people in all 50 United States including roughly 5,000 in Illinois.

"When a consumers personal information falls into the wrong hands, it can lead to devastating outcomes," said Gov. Blagojevich. "This legislation will help prevent thieves from gaining access to personal information and will help consumers react quickly to protect their credit when identity thieves succeed. I applaud the General Assembly for passing this legislation, so that Illinoisans are no longer left in the dark when their personal information is at risk."

Too often these days, it seems that security breaches of personal information are the rule rather than the exception. Consumers need the power to fight back, Attorney General Madigan said.

The most effective way to prevent the destructive effects of identity theft is to act quickly to regain control of your personal and financial information, but this can be accomplished only if the consumer is quickly notified when the security of this information has been compromised. This legislation is a clear victory for consumers.

The Personal Information Protection Act requires that any entity that collects and maintains personal consumer information must notify all affected Illinois customers in the event of a security breach. Personal information is defined as a Social Security number, a drivers license number, bank or credit card number and pin codes in combination an individuals first name or first initial and last name.

The bill requires that notifications be made without unreasonable delay. The provisions of the Personal Information Protection Act would be enforced by the Office of the Attorney General through the Illinois Consumer Fraud Act. Current Illinois law does not require companies to notify consumers when their private information may have been hacked into or exposed to unauthorized sources.

The stronger requirement will provide dual benefits: making sure that those whose personal information has been stolen are quickly notified; and motivating organizations to improve their security systems to better protect personal information.

The number of reported identity theft cases in Illinois rose 49 percent in the past year, from 7,474 reported identity theft victims in 2003 to 11,138 reported victims in 2004. A 2004 FBI Cybercrime study found that only 20% of companies report computer hackings to the police and half do not report them to anyone.

Identity theft and consumer fraud are rapidly growing problems, costing Americans nearly $550 million last year, up from $430 million in 2003, according to the Federal Trade Commission. The FTC received 635,000 consumer complaints in 2004 about identity theft and consumer fraud.

After the ChoicePoint breach in late February, the company initially notified only residents of California who might have been affected because of a California state law requiring the company to do so. However, in response to a letter initiated by Madigan and signed by 38 other state attorneys general, ChoicePoint agreed to notify more than 140,000 consumers nationwide whose personal and financial information might have been compromised, including those in Illinois.

In addition to the legislation, the Governor and the Attorney General reminded consumers of practical steps they can take to protect their personal information from thieves:

(1) never provide any personal information in response to an unsolicited request;
(2) review your account statements regularly to ensure that your transactions are in order;
(3) check your credit report to make sure no new credit accounts have been opened in your name;
(4) do not use information that can be used to steal your identity (birthdays, names, social security numbers, account numbers) as passwords or account numbers; (5) limit the amount of personal information you divulge over the phone or to web-sites.