Illinois 2023-2024 Regular Session

Illinois House Bill HB4081 Latest Draft

Bill / Introduced Version Filed 05/10/2023

103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB4081

Introduced, by Rep. Brad Stephens

SYNOPSIS AS INTRODUCED:
New Act

Creates the Cybersecurity Compliance Act. Creates an affirmative defense for every covered entity that creates, maintains, and complies with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of either personal information or both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework. Prescribes requirements for the cybersecurity program.

LRB103 32146 BMS 61211 b

A BILL FOR
AN ACT concerning business.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Cybersecurity Compliance Act.

Section 5. Definitions. As used in this Act:

"Business" means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, State institution of higher education, private college, or other group, however organized and whether operating for profit or not for profit, or the parent or subsidiary of any of the foregoing. "Business" includes a financial institution organized, chartered, or holding a license authorizing operation under the laws of this State, any other state, the United States, or any other country.

"Covered entity" means a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside of this State.

"Data breach" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information or restricted information owned by or licensed to a covered entity and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to person or property. "Data breach" does not include:

(1) the good faith acquisition of personal information or restricted information by the covered entity's employee or agent for the purposes of the covered entity so long as the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure; or

(2) the acquisition of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory State agency.

"Personal information" has the same meaning as provided in the Personal Information Protection Act.

"Restricted information" means any information about an individual, other than personal information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual's identity or that is linked or linkable to an individual, if the information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property.
Section 10. Safe harbor requirements.

(a) A covered entity seeking an affirmative defense under this Act shall:

(1) create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry-recognized cybersecurity framework, as described in Section 15; or

(2) create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework, as described in Section 15.

(b) A covered entity's cybersecurity program shall be designed to do all of the following:

(1) protect the security and confidentiality of information;

(2) protect against any anticipated threats or hazards to the security or integrity of information; and

(3) protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
(c) The scale and scope of a covered entity's cybersecurity program under subsection (a), as applicable, is appropriate if it is based on all of the following factors:

(1) the size and complexity of the covered entity;

(2) the nature and scope of the activities of the covered entity;

(3) the sensitivity of the information to be protected;

(4) the cost and availability of tools to improve information security and reduce vulnerabilities; and

(5) the resources available to the covered entity.

(d) A covered entity under this Section is entitled to an affirmative defense as follows:

(1) A covered entity that satisfies paragraph (1) of subsection (a) and also subsections (b) and (c) is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this State or in the courts of this State and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information.

(2) A covered entity that satisfies paragraph (2) of subsection (a) and also subsections (b) and (c) is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this State or in the courts of this State and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
Section 15. Reasonable conformance.

(a) A covered entity's cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this Act if the requirements of subsection (b), (c), or (d) are satisfied.

(b)(1) The cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this Act if the cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to paragraph (2) and subsection (e):

(A) The "framework for improving critical infrastructure cyber security" developed by the National Institute of Standards and Technology (NIST);

(B) NIST special publication 800-171;

(C) NIST special publications 800-53 and 800-53a;

(D) The Federal Risk And Authorization Management Program (FedRAMP) Security Assessment Framework;

(E) The Center for Internet Security Critical Security Controls for Effective Cyber Defense; or

(F) The International Organization for Standardization/International Electrotechnical Commission 27000 Family - Information Security Management Systems.
(2) When a final revision to a framework listed in paragraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the revised framework not later than one year after the publication date stated in the revision.

(c)(1) The covered entity's cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this Act if the covered entity is regulated by the State, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to paragraph (2):

(A) The security requirements of the Health Insurance Portability and Accountability Act of 1996, as set forth in 45 CFR Part 164, Subpart C;

(B) Title V of the Gramm-Leach-Bliley Act of 1999, Public Law 106-102, as amended;

(C) The Federal Information Security Modernization Act of 2014, Public Law 113-283;

(D) The Health Information Technology for Economic and Clinical Health Act, as set forth in 45 CFR Part 162.

(2) When a framework listed in paragraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the amended framework not later than one year after the effective date of the amended framework.

(d)(1) The cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this Act if the cybersecurity program reasonably complies with both the current version of the payment card industry (PCI) data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in subsection (b), subject to paragraph (2) of subsection (b) and subsection (e).

(2) When a final revision to the PCI data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply with the revised standard not later than one year after the publication date stated in the revision.

(e) If a covered entity's cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the PCI data security standard, as described in subsection (b) or (d), and 2 or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform to or comply with, as applicable, all of the revised frameworks not later than one year after the latest publication date stated in the revisions.
Section 20. No private right of action. This Act shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under it.

Section 97. Severability. The provisions of this Act are severable under Section 1.31 of the Statute on Statutes.