
Illinois Cybersecurity Compliance: Laws, Requirements & What Businesses Must Do

A detailed guide to Illinois data privacy and cybersecurity laws including BIPA, PIIPA, and industry-specific requirements, with a practical compliance checklist for businesses.

Illinois has one of the most aggressive data privacy regulatory environments in the United States. While many states are only now beginning to pass comprehensive data privacy legislation, Illinois has been at the forefront for years — most notably through the Biometric Information Privacy Act (BIPA), which has generated billions of dollars in settlements and fundamentally reshaped how companies nationwide handle biometric data. For businesses operating in Illinois, understanding the full scope of the state's privacy and cybersecurity laws is not optional — it is a core operational requirement.

Beyond BIPA, Illinois imposes breach notification obligations under the Personal Information Protection Act (PIIPA), regulates student data through the Student Online Personal Protection Act (SOPPA), and layers additional requirements onto specific industries such as healthcare and financial services. This guide walks through the major laws, what they require, and how Illinois businesses can build a compliance posture that meets current obligations and positions them for future regulatory changes.

Illinois's Primary Data Privacy & Cybersecurity Laws

Biometric Information Privacy Act (BIPA) — 740 ILCS 14

BIPA is Illinois's most consequential privacy law and arguably the most influential biometric privacy statute in the country. Enacted in 2008, BIPA regulates the collection, use, storage, and destruction of biometric identifiers — including fingerprints, retina scans, voiceprints, and facial geometry scans. The law requires private entities to:

  • Develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric data.

  • Inform individuals in writing about the specific purpose and duration of biometric data collection.

  • Obtain informed written consent before collecting or storing biometric identifiers.

  • Refrain from selling, leasing, trading, or otherwise profiting from biometric data.

  • Store and protect biometric data using a reasonable standard of care within the industry.

What makes BIPA uniquely powerful is its private right of action. Individuals can sue for $1,000 per negligent violation and $5,000 per intentional or reckless violation — without needing to prove actual harm. This provision has led to landmark settlements, including Facebook's $650 million settlement in 2021 and BNSF Railway's $228 million jury verdict in 2023. In 2024, the Illinois Supreme Court clarified in Cothron v. White Castle that each individual scan or collection can constitute a separate violation, though the legislature subsequently amended BIPA to treat multiple scans of the same person in the same proceeding as a single violation for damages purposes.

Personal Information Protection Act (PIIPA) — 815 ILCS 530

PIIPA is Illinois's data breach notification law. It requires any entity that collects personal information of Illinois residents to notify affected individuals following a breach of the security of data. Personal information under PIIPA includes a name combined with a Social Security number, driver's license number, financial account information, medical data, health insurance data, or biometric identifiers. PIIPA also requires notification to the Illinois Attorney General when breaches affect more than 500 residents, and to credit reporting agencies when more than 1,000 individuals are affected. For a detailed look at how breaches have played out in practice, see our Illinois data breaches timeline.

Student Online Personal Protection Act (SOPPA) — 105 ILCS 85

SOPPA, strengthened by amendments effective in 2021, regulates how educational technology companies handle student data in Illinois. The law prohibits operators of school-facing applications from selling student data or using it for targeted advertising. Schools must maintain publicly available lists of all digital tools in use and the data they collect. SOPPA is particularly relevant for EdTech vendors serving Illinois's roughly 850 school districts.

Illinois Insurance Data Security Law — 215 ILCS 5/500-1 et seq.

Modeled after the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law, this statute requires insurance companies, agents, and other licensees operating in Illinois to develop comprehensive information security programs. It mandates risk assessments, incident response plans, and notification to the Illinois Department of Insurance within 72 hours of a cybersecurity event.

Data Breach Notification Requirements in Illinois

Under PIIPA, the breach notification process has several key components:

  • Timing: Notification must occur in the most expedient time possible and without unreasonable delay. There is no fixed day count, but regulators expect prompt action once an investigation confirms compromised data.

  • Individual Notice: Written notice or email notice to affected individuals describing the incident, the type of data involved, and contact information for credit reporting agencies.

  • Attorney General Notice: Required when more than 500 Illinois residents are affected. The notice must include details about the breach, the number of affected individuals, and any services being offered such as credit monitoring.

  • Credit Bureau Notice: Required when more than 1,000 individuals are affected.

  • Substitute Notice: Permitted only when the cost of direct notice exceeds $250,000, the affected class exceeds 500,000 individuals, or the entity lacks sufficient contact information.

Businesses that fail to comply face enforcement action by the Attorney General under the Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505), which can result in civil penalties and injunctive relief.

Industry-Specific Compliance in Illinois

Healthcare

Illinois healthcare organizations must comply with both HIPAA at the federal level and state-specific obligations under PIIPA and BIPA. Hospitals and clinics that use biometric authentication systems — such as fingerprint scanners for medication dispensing or employee time tracking — must ensure full BIPA compliance, including written consent and data retention policies. The healthcare sector in Illinois has been heavily targeted by cyber threats, making compliance both a legal and operational priority.

Financial Services

Financial institutions in Illinois are subject to the Gramm-Leach-Bliley Act (GLBA) at the federal level, and many are also regulated under the Illinois Insurance Data Security Law. Banks, credit unions, and fintech companies operating in Chicago's financial corridor must also be aware of BIPA implications if they use biometric authentication for customers or employees. Managed IT services for small businesses can help smaller financial firms meet these overlapping requirements without building a full in-house compliance team.

Manufacturing and Logistics

Illinois manufacturers frequently use biometric time clocks and access control systems, which brings them squarely under BIPA's requirements. The BNSF Railway verdict — where a jury awarded $228 million for BIPA violations related to a fingerprint-based gate entry system — originated from operations in Illinois and serves as a cautionary example for the entire sector. Additionally, manufacturers face growing cybersecurity obligations from supply chain partners and, in some cases, from federal defense contracting requirements like CMMC.

Illinois Compliance Checklist for Businesses

The following checklist covers the core obligations that most Illinois businesses must address:

  • Biometric Data Audit: Identify whether your organization collects any biometric identifiers (fingerprints, facial geometry, voiceprints). If so, ensure you have a compliant written policy, informed consent process, and retention schedule under BIPA.

  • Breach Response Plan: Develop and test a written incident response plan that includes PIIPA notification timelines, Attorney General reporting procedures, and communication templates.

  • Data Inventory: Maintain a comprehensive inventory of all personal information you collect, process, and store, including where it resides and who has access.

  • Vendor Management: Review contracts with third-party service providers to ensure they include data protection obligations and breach notification provisions.

  • Employee Training: Conduct regular cybersecurity awareness training covering phishing, social engineering, and data handling procedures.

  • Insurance Review: Evaluate your cyber insurance policy to confirm it covers BIPA claims, ransomware response costs, and regulatory defense expenses.

  • Access Controls: Implement role-based access, multi-factor authentication, and least-privilege principles across all systems containing personal data.

  • Documentation: Maintain written records of all compliance activities, risk assessments, and policy updates — regulators and courts expect evidence of ongoing diligence.

How Illinois Businesses Stay Compliant

Compliance in Illinois is not a one-time project — it requires ongoing effort as laws are amended, enforcement trends shift, and new threats emerge. Many businesses find that building an internal team capable of managing all of these obligations simultaneously is cost-prohibitive, especially for small and mid-sized organizations.

This is where managed IT security services play a critical role. A qualified managed services provider can deliver continuous monitoring, vulnerability management, employee training, and incident response support — all calibrated to the specific regulatory requirements that apply to your industry and operations in Illinois. The key is selecting a provider that understands both the technical and legal dimensions of compliance.

For organizations just beginning their compliance journey, understanding what managed IT services include can clarify what to look for in a partner and what to handle internally. The goal is not perfection on day one — it is building a defensible, documented, and continuously improving security posture that meets Illinois's regulatory expectations.

Frequently Asked Questions

Does BIPA apply to all businesses in Illinois?

BIPA applies to any private entity that collects, captures, purchases, receives through trade, or otherwise obtains biometric identifiers or biometric information from individuals in Illinois. Government entities and financial institutions subject to GLBA are exempt. However, the law applies regardless of where the company is headquartered — if you collect biometric data from people in Illinois, BIPA likely applies to you.

What is the penalty for a BIPA violation?

BIPA provides for statutory damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation. The private right of action means individuals can bring class action lawsuits without needing to demonstrate actual harm. Recent legislative amendments clarify that multiple scans of the same biometric identifier for the same person in a single claim constitute a single violation for damages purposes, but liability can still reach significant amounts in class actions.

How does Illinois's breach notification law compare to other states?

Illinois's PIIPA is broadly consistent with other state breach notification laws but has a few notable features. It covers a wide range of personal information types including medical and biometric data. While it does not impose a fixed notification deadline in days, the "most expedient time possible" standard has been interpreted strictly by regulators. The requirement to notify the Attorney General at the 500-resident threshold is more aggressive than some states.

Do Illinois businesses need cyber insurance?

While cyber insurance is not legally mandated in Illinois, it is strongly recommended given the state's active enforcement environment and the scale of potential BIPA liability. Policies should be reviewed carefully to confirm coverage for biometric privacy claims, regulatory defense costs, ransomware payments, and business interruption losses.

Are there upcoming changes to Illinois privacy law that businesses should prepare for?

Illinois's legislature continues to consider amendments to BIPA and broader consumer privacy legislation. Businesses should monitor developments in the General Assembly, particularly any movement toward a comprehensive consumer privacy law similar to those enacted in California, Colorado, and other states. Staying current with regulatory changes is an essential part of any ongoing compliance program.


Alex Morgan

Updated Apr 4, 2026 · 9 min read