What to Do After a Cyberattack in Illinois (2026)

If your business has been hacked, the first few hours are critical. The actions you take immediately after discovering a cyber incident influence how far attackers spread, how much data is lost, how quickly operations recover, and whether legal notification requirements under Illinois law apply.

This guide explains what to do after a cyberattack in Illinois, including immediate containment steps, reporting options, recovery planning, and Illinois’s data breach notification expectations for organizations.

What to Do After a Cyberattack in Illinois

Whether your organization is facing ransomware, unauthorized access, business email compromise, or suspected data theft, knowing what to do after a cyberattack in Illinois can reduce downtime, protect sensitive information, and limit regulatory exposure.

Follow the structured steps below to regain control quickly and responsibly.

Step 1: Confirm the Incident and Start an Incident Log Immediately

Cyberattacks commonly appear through:

• Ransomware notes, encrypted files, or locked systems
• Unauthorized password resets or suspicious login alerts
• Unexpected multi-factor authentication prompts
• Fraudulent invoices or payment change requests
• Disabled security tools or new administrator accounts
• Unusual outbound network activity

Begin documenting right away:

• Time of discovery
• Systems and users impacted
• Screenshots of alerts or ransom notes
• Employee reports of suspicious activity
• All response actions taken

Accurate documentation supports investigations, cyber insurance claims, and compliance obligations under Illinois’s Personal Information Protection Act (PIPA, 815 ILCS 530) and the Illinois Biometric Information Privacy Act (BIPA).

Step 2: Contain the Threat While Preserving Evidence

When people search what to do after a cyberattack in Illinois, many rush to shut everything down. Containment is essential, but preserving evidence is equally important.

Recommended actions:

• Disconnect compromised machines from the network
• Disable affected user and administrator accounts
• Block malicious IP addresses and domains
• Preserve logs, suspicious emails, and ransom notes

The ransomware response guidance from the Cybersecurity and Infrastructure Security Agency (CISA) emphasizes isolating systems while keeping forensic artifacts for investigation and recovery.

Avoid wiping systems until the full scope of compromise is confirmed.

Step 3: Secure Backups Before Attackers Reach Them

Many ransomware groups attempt to encrypt or delete backups to prevent recovery.

Immediately:

• Verify backups are isolated or offline
• Pause backup jobs if compromise is suspected
• Rotate backup administrator credentials
• Confirm clean restore points exist

If your organization carries cyber insurance, notify the provider promptly. PivIT Strategy’s Advanced Cybersecurity Services team can help assess backup integrity and ensure recovery options remain protected.

Step 4: Lock Down Email, Identity, and Financial Systems

Email compromise remains one of the most common entry points for cyber incidents.

Email security priorities

• Reset global and delegated administrator accounts
• Enforce multi-factor authentication across all users
• Review forwarding rules and third-party app access
• Remove suspicious sessions and devices

Identity and endpoint protection

• Force password resets organization wide
• Confirm endpoint security tools are active
• Patch exposed systems and remote access services

Financial controls

• Freeze payment instruction changes temporarily
• Verify vendor requests by phone
• Review recent wire and ACH activity

These steps help prevent secondary financial losses, which are especially common following business email compromise incidents.

Step 5: Report the Incident and Seek Professional Support

Reporting supports investigations and may help recover stolen funds.

Federal reporting

The FBI encourages cybercrime victims to submit reports through IC3 and advises against paying ransomware demands because payment does not guarantee recovery and often leads to repeat attacks.

Illinois Attorney General

Illinois requires notification to the Illinois Attorney General when more than 500 Illinois residents are affected. The AG’s Office enforces both PIPA and BIPA and can pursue civil penalties for violations.

Ransomware guidance

CISA’s StopRansomware resources provide structured containment and recovery checklists for organizations of all sizes.

At this stage, many Illinois organizations engage PivIT Strategy’s Managed IT Services team to manage response, investigation, and restoration.

Step 6: Understand Illinois Data Breach Notification Requirements

One of the main reasons businesses search what to do after a cyberattack in Illinois is concern about compliance. Illinois has two major statutes that may be triggered by a cyberattack: the Personal Information Protection Act (PIPA) and the Biometric Information Privacy Act (BIPA).

Illinois Personal Information Protection Act (PIPA)

• 45-day notification deadline — Organizations must notify affected Illinois residents within 45 days of determining that a breach has occurred. There is no harm threshold — Illinois does not limit notification to breaches likely to cause harm. Any unauthorized acquisition of covered personal information triggers notification.
• Attorney General notification — If more than 500 Illinois residents are affected, the organization must also notify the Illinois Attorney General.
• No harm threshold — Unlike many states, Illinois does not require a determination that the breach is likely to cause harm. Notification is required for any qualifying unauthorized acquisition of personal information.
• What counts as personal information — An Illinois resident’s first name or initial and last name combined with Social Security numbers, driver’s license numbers, financial account numbers, medical information, health insurance information, biometric identifiers, or online account credentials. Illinois has one of the broader definitions of personal information in the country.
• Reasonable security measures required — PIPA also requires organizations to implement and maintain reasonable security measures to protect personal information — an ongoing obligation independent of any breach.

Illinois Biometric Information Privacy Act (BIPA)

Illinois is the first and most enforcement-active state in the country for biometric privacy. If your organization collects, uses, or stores biometric data — including fingerprints, facial recognition data, voiceprints, or retina scans — BIPA imposes strict requirements:

• Written, publicly available retention and destruction policies
• Informed written consent before collecting biometric data
• Prohibition on selling or profiting from biometric data
• Private right of action — Unlike most data privacy statutes, BIPA allows individuals to sue directly and recover $1,000 per negligent violation or $5,000 per intentional or reckless violation, plus attorneys’ fees. If a breach exposes biometric data, BIPA exposure can be substantial.

Organizations should:

• Notify affected individuals within 45 days of determining a breach occurred
• Notify the Illinois AG if 500+ residents are affected
• Assess BIPA exposure immediately if biometric data was involved
• Document reasonable security measures

For more on your ongoing compliance obligations, see our guide to Illinois Cybersecurity Laws You Should Know (2026).

Step 7: Communicate Clearly and Carefully

Poor communication often increases reputational and financial damage — and in Illinois, it can directly increase exposure under BIPA if biometric data is involved.

Internal communication

• Share verified information only
• Provide official password reset instructions
• Warn employees about attacker outreach attempts
• Centralize incident communications

External communication

• Use alternate channels if email is compromised
• Alert vendors of possible fraud risk
• Coordinate customer communications with legal guidance

Electronic notice is permitted for online account credential breaches to allow individuals to promptly change passwords and other at-risk information.

Step 8: Recover Systems and Strengthen Defenses

Recovery is not just restoring files. It involves removing the attacker and closing the security gaps that allowed them in.

Typical recovery efforts include:

• Forensic timeline analysis
• Rebuilding compromised systems
• Organization-wide credential resets
• Multi-factor authentication implementation
• Network segmentation improvements
• Backup isolation enhancements
• Advanced endpoint and email monitoring

Without hardening, businesses remain vulnerable to repeat attacks. Illinois’s PIPA requires organizations to implement and maintain reasonable security measures as an ongoing obligation. BIPA compliance requires its own set of policy, consent, and data governance controls that must be in place before a breach, not after.

PivIT Strategy’s IT Consulting Services can help Illinois organizations build a post-incident security roadmap. For executive-level IT leadership and long-term security strategy, our Fractional CIO Services provide ongoing guidance without the cost of a full-time hire.

How PivIT Strategy Helps Illinois Businesses After a Cyberattack

When an Illinois business contacts PivIT Strategy, the focus is fast containment, secure recovery, and long-term protection.

Support typically includes:

• Immediate threat isolation
• Email and identity security lock down
• Forensic investigation coordination
• Secure system restoration
• Compliance documentation assistance
• Ongoing cybersecurity improvements

Contact us to speak with our team.

Final Checklist: What to Do After a Cyberattack in Illinois

• Start an incident log
• Isolate affected systems
• Disable compromised accounts
• Secure backups
• Lock down email and identity access
• Report to FBI IC3 for ransomware or fraud
• Notify affected individuals within 45 days of determining a breach occurred
• Notify the Illinois AG if 500+ residents are affected
• Assess BIPA exposure immediately if any biometric data was involved
• Recover systems and strengthen security

Frequently Asked Questions: What to Do After a Cyberattack in Illinois

How quickly should a business respond? Immediately. The first few hours determine how much damage spreads and whether backups remain usable.

What is Illinois’s notification deadline under PIPA? 45 days from determining that a breach has occurred.

Does Illinois require notification for every breach? Yes, Illinois has no harm threshold under PIPA. Any qualifying unauthorized acquisition of personal information triggers notification, regardless of whether harm is likely.

What makes Illinois unique in cybersecurity regulation? Illinois is the first and most enforcement-active state for biometric privacy under BIPA. BIPA allows individuals to sue directly for $1,000 per negligent violation or $5,000 per intentional or reckless violation, making biometric data breaches especially costly.

Should a ransom be paid? Law enforcement discourages paying ransoms because recovery is not guaranteed and attackers often target paying victims again.

What mistakes make breaches worse?

• Missing the 45-day PIPA notification deadline
• Underestimating BIPA exposure when biometric data is involved
• Failing to notify the AG when 500+ residents are affected
• Not having BIPA consent and retention policies in place before a breach occurs

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Readers should consult qualified legal counsel for advice specific to their organization or situation.