REAL Law Group

Data Breach & Privacy Litigation

Representing Illinois residents whose personal information was exposed in a data breach. Free, confidential case review — no attorney's fees unless you recover.

Data Breach & Privacy

Received a Data Breach Notification Letter?

If a company sent you a letter saying your personal information was involved in a data breach, that letter exists because Illinois law required it. It also means your Social Security number, medical records, financial accounts, or other private information may now be in criminals' hands. You may have legal rights under Illinois and federal law — and acting promptly protects both your identity and your potential claim.

REAL Law Group represents individuals and families across Chicagoland, Cook County, and DuPage County in data breach and privacy matters, and co-counsels active data breach cases with experienced national data breach litigation firms. You get a local attorney you can actually sit down with in Elmhurst — backed by the resources these cases demand.

Got a “Notice of Data Breach” letter? Keep it.

The letter identifies what was exposed and when — it is the single most important document in your case. Don't throw it away. Then follow our step-by-step Illinois guide on what to do after a data breach letter.

Illinois Has Some of the Strongest Privacy Laws in the Country

Illinois has no single comprehensive privacy statute — instead it has a set of focused laws that, together, give Illinois residents stronger privacy remedies than residents of almost any other state:

Personal Information Protection Act (PIPA)

815 ILCS 530

Illinois's data breach law. Companies that hold your personal information must maintain reasonable security measures to protect it, and must notify you of a breach in the most expedient time possible and without unreasonable delay. Breaches affecting more than 500 Illinois residents must also be reported to the Illinois Attorney General.

Consumer Fraud and Deceptive Business Practices Act

815 ILCS 505

A violation of PIPA is automatically an unlawful practice under the Consumer Fraud Act (815 ILCS 530/20). Illinois consumers who suffered actual economic damages from a breach — fraudulent charges, out-of-pocket costs, money spent protecting themselves — may bring claims, and prevailing plaintiffs can recover attorney's fees.

Biometric Information Privacy Act (BIPA)

740 ILCS 14

The strongest biometric privacy law in the country. If a company collected, stored, or shared your fingerprints, face geometry, or other biometrics without proper written notice and consent, you can sue for the greater of your actual damages or $1,000 per negligent violation ($5,000 if intentional or reckless), plus attorney's fees — no proof of identity theft required. Claims can reach back five years.

Genetic Information Privacy Act (GIPA)

410 ILCS 513

Protects genetic testing data and genetic information — which courts have held includes family medical history collected in pre-employment physicals. Statutory damages are the greater of actual damages or $2,500 per negligent violation ($15,000 if intentional or reckless), plus attorney's fees.

Breaches We Review for Illinois Residents

Hospital, clinic, and healthcare system breaches
Employer and payroll data breaches
Bank, lender, and financial account breaches
School and student data breaches
Insurance company and benefits vendor breaches
Third-party vendor and software breaches
Biometric privacy violations (fingerprint and face scans)
Genetic and family medical history privacy violations

What Makes a Data Breach Claim Stronger?

In 2025, the Illinois Supreme Court held that the increased risk of identity theft after a breach is generally not, by itself, enough to sue for damages in Illinois state court. What turns a notification letter into a viable claim is documentation. Save and bring us:

The notification letter itself — keep the original and the envelope
Fraudulent charges or withdrawals on any account
Credit cards, loans, or accounts opened in your name
A tax return or government benefits filed using your identity
Suspicious logins, password-reset emails, or locked accounts
Receipts for credit monitoring, freezes, or other protection you paid for
A log of the hours you have spent dealing with the breach
Spam, phishing texts, or scam calls that started after the breach

How It Works — and What It Costs

1

Free, Confidential Case Review

Call us or send the contact form. Tell us which company sent your notification letter, what the letter says was exposed, and whether you have noticed any misuse. Keep the letter — it is the single most important document in your case.

2

We Investigate Your Claim

We review the breach, what Illinois and federal law required of the company, and how the exposure has affected you. Where it strengthens a case, we work alongside experienced national data breach litigation firms we co-counsel with on active matters.

3

No Attorney's Fees Unless You Recover

Data breach cases are handled on a contingency-fee basis: you pay no attorney's fees unless there is a recovery. How case costs and expenses are handled is explained clearly in a written fee agreement before we begin.

A Local Firm for an Impersonal Problem

Most data breach victims who look for help online find national intake mills: stock photos, anonymous forms, and a firm they will never meet. REAL Law Group is different. Managing Partner Vincent Anthony Incopero and our team work from a real office in Elmhurst, serve clients in English, Spanish, and Polish, and have represented Chicagoland families since 2016.

When a breach case calls for class action resources, we co-counsel with experienced national data breach litigation firms on active cases — so you get personal, local attention without giving up the firepower these cases require. Prior results do not guarantee a similar outcome; every case depends on its own facts.

Frequently Asked Questions

Possibly. Illinois residents may have claims when a company fails to reasonably protect their personal information or delays telling them about a breach. Under Illinois law, a violation of the Personal Information Protection Act is an unlawful practice under the Consumer Fraud Act, and separate statutes — BIPA for biometric data and GIPA for genetic information — give Illinois residents some of the strongest privacy claims in the country. Whether you have a viable claim depends on what was exposed and how it affected you, which is exactly what a free case review looks at.
It depends on the type of claim. For biometric (BIPA) and genetic information (GIPA) claims, no — Illinois courts allow statutory claims without proof of identity theft or monetary loss. For data breach claims, the Illinois Supreme Court held in 2025 that an increased risk of identity theft, by itself, is generally not enough to sue for damages in Illinois state court. That is why documenting actual misuse — fraudulent charges, new accounts, tax fraud — and every dollar and hour you spend responding matters so much.
Nothing upfront. We handle data breach and privacy cases on a contingency-fee basis: you pay no attorney's fees unless we obtain a recovery for you. Whether you would be responsible for any case costs or expenses — and how they are handled — is explained clearly in a written fee agreement before we begin. The initial case review is free and confidential.
Most data breaches affect thousands of people the same way, so courts allow one or more affected individuals to bring claims on behalf of everyone — a class action. As a class member you generally do not have to appear in court or pay anything; if the case settles, you receive notice and can submit a claim. Some individuals with significant losses, or with BIPA or GIPA claims, may be better served by individual claims — we evaluate both paths in your case review.
Deadlines vary by claim: as a general matter, BIPA claims have a five-year limitations period, Illinois Consumer Fraud Act claims three years, and negligence claims two years — and when the clock starts can depend on when you knew or should have known about the breach. The date on your notification letter matters. Because deadlines vary by claim and circumstance, contacting an attorney promptly is the safest way to protect your rights.
Generally, no. Enrolling in the free credit monitoring offered in a notification letter generally does not prevent you from participating in a lawsuit or class settlement, and you should accept it — it is a sensible protective step. Any actual release of claims would have to come from settlement paperwork you sign, which is something we review with you.
It varies case by case, and no lawyer can honestly promise you a number. In recent data breach class settlements nationally, class members have typically been able to claim reimbursement of documented losses, an alternative cash payment, and extended credit monitoring. Illinois's BIPA and GIPA provide set statutory damages for biometric and genetic privacy violations. What your claim may be worth depends on what was exposed and what harm you can document — no outcome is ever guaranteed.
Yes. Keep the letter, enroll in any free credit monitoring offered, consider a free security freeze with all three credit bureaus, and start a simple log of anything suspicious. Stolen data is often sold or posted months after a breach, so problems can surface long after the letter arrives. A free case review costs nothing and tells you where you stand.

Attorney Advertising. This page provides general information for Illinois residents and is not legal advice about any specific situation. Contacting REAL Law Group, P.C. or submitting a form does not create an attorney-client relationship and does not stop any statute of limitations or other deadline; representation begins only when a written engagement agreement is signed. Our attorneys are licensed in Illinois.

Was your information exposed in a data breach?

Call REAL Law Group at (630) 299-7600 or send us a message for a free, confidential case review. No attorney's fees unless you recover.

Free Case Review(630) 299-7600
Free & ConfidentialNo ObligationResponse Within 24 Hours

Related Resources

What to Do After a Data Breach LetterData Breach Prevention for BusinessesBusiness Law
Call NowFree Consult