Illinois 2023-2024 Regular Session

Illinois House Bill HB4081 Compare Versions

103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB4081

Introduced, by Rep. Brad Stephens

SYNOPSIS AS INTRODUCED:
New Act

Creates the Cybersecurity Compliance Act. Creates an affirmative defense for every covered entity that creates, maintains, and complies with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of either personal information or both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework. Prescribes requirements for the cybersecurity program.

LRB103 32146 BMS 61211 b

A BILL FOR

AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Cybersecurity Compliance Act.

Section 5. Definitions. As used in this Act:

"Business" means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, State institution of higher education, private college, or other group, however organized and whether operating for profit or not for profit, or the parent or subsidiary of any of the foregoing. "Business" includes a financial institution organized, chartered, or holding a license authorizing operation under the laws of this State, any other state, the United States, or any other country.

"Covered entity" means a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside of this State.

"Data breach" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information or restricted information owned by or licensed to a covered entity and that
causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to person or property. "Data breach" does not include:
    (1) the good faith acquisition of personal information or restricted information by the covered entity's employee or agent for the purposes of the covered entity so long as the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure; or
    (2) the acquisition of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory State agency.

"Personal information" has the same meaning as provided in the Personal Information Protection Act.

"Restricted information" means any information about an individual, other than personal information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual's identity or that is linked or linkable to an individual, if the information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property.
Section 10. Safe harbor requirements.

(a) A covered entity seeking an affirmative defense under this Act shall:
    (1) create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry-recognized cybersecurity framework, as described in Section 15; or
    (2) create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework, as described in Section 15.

(b) A covered entity's cybersecurity program shall be designed to do all of the following:
    (1) protect the security and confidentiality of information;
    (2) protect against any anticipated threats or hazards to the security or integrity of information; and
    (3) protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
(c) The scale and scope of a covered entity's cybersecurity program under subsection (a), as applicable, is appropriate if it is based on all of the following factors:
    (1) the size and complexity of the covered entity;
    (2) the nature and scope of the activities of the covered entity;
    (3) the sensitivity of the information to be protected;
    (4) the cost and availability of tools to improve information security and reduce vulnerabilities; and
    (5) the resources available to the covered entity.

(d) A covered entity under this Section is entitled to an affirmative defense as follows:
    (1) A covered entity that satisfies paragraph (1) of subsection (a) and also subsections (b) and (c) is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this State or in the courts of this State and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information.
    (2) A covered entity that satisfies paragraph (2) of subsection (a) and also subsections (b) and (c) is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this State or in the courts of this State and that alleges that
the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.

Section 15. Reasonable conformance.

(a) A covered entity's cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this Act if the requirements of subsection (b), (c), or (d) are satisfied.

(b)(1) The cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this Act if the cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to paragraph (2) and subsection (e):
    (A) The "framework for improving critical infrastructure cyber security" developed by the National Institute of Standards and Technology (NIST);
    (B) NIST special publication 800-171;
    (C) NIST special publications 800-53 and 800-53a;
    (D) The Federal Risk And Authorization Management Program (FedRAMP) Security Assessment Framework;
    (E) The Center for Internet Security Critical Security Controls for Effective Cyber Defense; or
    (F) The International Organization for Standardization/International Electrotechnical Commission 27000 Family - Information Security Management Systems.
    (2) When a final revision to a framework listed in paragraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the revised framework not later than one year after the publication date stated in the revision.

(c)(1) The covered entity's cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this Act if the covered entity is regulated by the State, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to paragraph (2):
    (A) The security requirements of the Health Insurance Portability and Accountability Act of 1996, as set forth in 45 CFR Part 164, Subpart C;
    (B) Title V of the Gramm-Leach-Bliley Act of 1999, Public Law 106-102, as amended;
    (C) The Federal Information Security Modernization Act of 2014, Public Law 113-283;
    (D) The Health Information Technology for Economic and Clinical Health Act, as set forth in 45 CFR Part 162.
    (2) When a framework listed in paragraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the amended
framework not later than one year after the effective date of the amended framework.

(d)(1) The cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this Act if the cybersecurity program reasonably complies with both the current version of the payment card industry (PCI) data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in subsection (b), subject to paragraph (2) of subsection (b) and subsection (e).
    (2) When a final revision to the PCI data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply with the revised standard not later than one year after the publication date stated in the revision.

(e) If a covered entity's cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the PCI data security standard, as described in subsection (b) or (d), and 2 or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform to or comply with, as applicable, all of the revised frameworks not later than one year after the latest publication date stated in the revisions.
Section 20. No private right of action. This Act shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under it.

Section 97. Severability. The provisions of this Act are severable under Section 1.31 of the Statute on Statutes.