A bug in our online banking system allowed one customer to view another customer’s account history. Do we need to notify the customer of the breach?

We believe that the situation you described would constitute a data breach that would necessitate disclosure under the Personal Information Protection Act, which would have to include “(i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.” 815 ILCS 530/10(a).

Once an unauthorized individual gained access to a customer’s personal information, that should be considered an “acquisition” of the data. Our law dictionary defines “acquisition” as “gaining of possession or control over something.” Black’s Law Dictionary 24 (7th ed. 1999). With online access to a customer’s account history, the unauthorized individual would automatically gain possession of the data, which would be copied into the memory of the computer used to sign into the account. Note that the statute does not require that the unauthorized user intend to acquire the data in order for the acquisition to be considered a breach.