Illinois 2023-2024 Regular Session

Illinois House Bill HB4433 Compare Versions

Only one version of the bill is available at this time.
103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB4433

Introduced , by Rep. Thaddeus Jones

SYNOPSIS AS INTRODUCED:

New Act
5 ILCS 140/7.5

Creates the Insurance Data Security Law. Sets forth provisions concerning an information security program, investigations of cybersecurity events, and notifications of cybersecurity events. Provides that the Director of Insurance shall have power to examine and investigate the affairs of any licensee to determine whether the licensee has been or is engaged in any conduct in violation of the Act. Provides that whenever the Director has reason to believe that a licensee has been or is engaged in conduct in the State which violates the Act, the Director may take action that is necessary or appropriate to enforce the provisions of the Act. Provides that any documents, materials, or other information in the control or possession of the Department of Insurance that are furnished by a licensee or an employee or agent acting on behalf of a licensee or that are obtained by the Director in an investigation or examination shall be confidential by law and privileged, shall not be subject to the Freedom of Information Act, shall not be subject to subpoena, and shall not be subject to discovery or admissible in evidence in any private civil action. Sets forth provisions concerning exceptions, penalties, and severability. Provides that the Department may adopt rules necessary to carry out the provisions of the Act. Defines terms. Makes a conforming change in the Freedom of Information Act. Effective January 1, 2025.

LRB103 36043 RPS 66130 b

A BILL FOR
AN ACT concerning regulation.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Insurance Data Security Law.

Section 2. Purpose and intent.
(a) The purpose and intent of this Act is to establish standards for data security and standards for the investigation of and notification to the Director of a cybersecurity event applicable to licensees.
(b) This Act shall not be construed to create or imply a private cause of action for a violation of its provisions nor shall it be construed to curtail a private cause of action which would otherwise exist in the absence of this Act.

Section 5. Definitions. As used in this Act:

"Authorized individual" means an individual known to and screened by the licensee and determined to be necessary and appropriate to have access to the nonpublic information held by the licensee and its information systems.

"Consumer" means an individual, including, but not limited to, an applicant, policyholder, insured, beneficiary, claimant, or certificate holder who is a resident of this State and whose nonpublic information is in a licensee's possession, custody, or control.

"Cybersecurity event" means an event resulting in unauthorized access to, disruption, or misuse of an information system or information stored on such information system. "Cybersecurity event" does not include the unauthorized acquisition of encrypted nonpublic information if the encryption, process, or key is not also acquired, released, or used without authorization. "Cybersecurity event" does not include an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.

"Department" means the Department of Insurance.

"Director" means the Director of Insurance.

"Encrypted" means the transformation of data into a form which results in a low probability of assigning meaning without the use of a protective process or key.

"Information security program" means the administrative, technical, and physical safeguards that a licensee uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle nonpublic information.

"Information system" means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial and process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

"Licensee" means any person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of this State. "Licensee" does not include a purchasing group or a risk retention group chartered and licensed in a state other than this State or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction.

"Multi-factor authentication" means authentication through verification of at least 2 of the following types of authentication factors:
(1) knowledge factors, including a password;
(2) possession factors, including a token or text message on a mobile phone; or
(3) inherence factors, including a biometric characteristic.

"Nonpublic information" means information that is not publicly available information and that is:
(1) business-related information of a licensee the tampering with which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the licensee;
(2) any information concerning a consumer which because of name, number, personal mark, or other identifier can be used to identify such consumer, in combination with any one or more of the following data elements:
(A) social security number;
(B) driver's license number or nondriver identification card number;
(C) account number, credit card number, or debit card number;
(D) any security code, access code, or password that would permit access to a consumer's financial account; or
(E) biometric records; or
(3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or a consumer and that relates to:
(A) the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer's family;
(B) the provision of health care to any consumer; or
(C) payment for the provision of health care to any consumer.

"Person" means any individual or any nongovernmental entity, including, but not limited to, any nongovernmental partnership, corporation, branch, agency, or association.

"Publicly available information" means any information that a licensee has a reasonable basis to believe is lawfully made available to the general public from federal, State, or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, State, or local law. "Publicly available information" includes information that a consumer may direct not to be made available to the general public, but that the consumer has not directed not be made available.

"Risk assessment" means the risk assessment that each licensee is required to conduct under subsection (c) of Section 10.

"Third-party service provider" means a person, not otherwise defined as a licensee, that contracts with a licensee to maintain, process, store, or otherwise is permitted access to nonpublic information through its provision of services to the licensee.

Section 10. Information security program.
(a) Commensurate with the size and complexity of the licensee, the nature and scope of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control, each licensee shall develop, implement, and maintain a comprehensive written information security program based on the licensee's risk assessment and that contains administrative, technical, and physical safeguards for the protection of nonpublic information and the licensee's information system.
(b) A licensee's information security program shall be designed to:
(1) protect the security and confidentiality of nonpublic information and the security of the information system;
(2) protect against any threats or hazards to the security or integrity of nonpublic information and the information system;
(3) protect against unauthorized access to or use of nonpublic information;
(4) minimize the likelihood of harm to any consumer; and
(5) define and periodically reevaluate a schedule for retention of nonpublic information and a mechanism for its destruction when no longer needed.
(c) A licensee shall:
(1) designate one or more employees, an affiliate, or an outside vendor designated to act on behalf of the licensee who is responsible for the information security program;
(2) identify reasonably foreseeable internal or external threats that could result in unauthorized access, transmission, disclosure, misuse, alteration, or destruction of nonpublic information, including the security of information systems and nonpublic information that are accessible to or held by third-party service providers;
(3) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of the nonpublic information;
(4) assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including:
(A) employee training and management;
(B) information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and
(C) detecting, preventing, and responding to attacks, intrusions, or other systems failures; and
(5) implement information safeguards to manage the threats identified in its ongoing assessment, and, no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures.
(d) Based on its risk assessment, the licensee shall:
(1) design its information security program to mitigate the identified risks, commensurate with the size and complexity of the licensee's activities, including its use of third-party service providers, and the sensitivity of the nonpublic information used by the licensee or in the licensee's possession, custody, or control;
(2) select and implement appropriate security measures from the following:
(A) place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of nonpublic information;
(B) identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy;
(C) restrict access at physical locations containing nonpublic information only to authorized individuals;
(D) protect, by encryption or other appropriate means, all nonpublic information while being transmitted over an external network and all nonpublic information stored on a laptop computer or other portable computing or storage device or media;
(E) adopt secure development practices for in-house-developed applications utilized by the licensee and procedures for evaluating, assessing, or testing the security of externally developed applications utilized by the licensee;
(F) modify the information system in accordance with the licensee's information security program;
(G) utilize effective controls, including multifactor authentication procedures for any individual accessing nonpublic information;
(H) regularly test and monitor systems and procedures to detect actual and attempted attacks on or intrusions into information systems;
(I) include audit trails within the information security program designed to detect and respond to cybersecurity events and designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the licensee;
(J) implement measures to protect against destruction, loss, or damage of nonpublic information due to environmental hazards, including fire and water damage, other catastrophes, or technological failures; and
(K) develop, implement, and maintain procedures for the secure disposal of nonpublic information in any format;
(3) include cybersecurity risks in the licensee's enterprise risk management process;
(4) stay informed regarding emerging threats or vulnerabilities and utilize reasonable security measures when sharing information relative to the character of the sharing and the type of information shared; and
(5) provide its personnel with cybersecurity awareness training that is updated as necessary to reflect risks identified by the licensee in the risk assessment.
(e) If the licensee has a board of directors, the board or an appropriate committee of the board shall, at a minimum:
(1) require the licensee's executive management or its delegates to develop, implement, and maintain the licensee's information security program;
(2) require the licensee's executive management or its delegates to report in writing, at least annually, the following information:
(A) the overall status of the information security program and the licensee's compliance with this Act; and
(B) material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, third-party service provider arrangements, results of testing, cybersecurity events or violations and management's responses thereto, and recommendations for changes in the information security program; and
(3) if executive management delegates any of its responsibilities under this Section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate and shall receive a report from the delegate complying with the requirements of the report to the board of directors.
(f) A licensee shall exercise due diligence in selecting its third-party service provider and a licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to or held by the third-party service provider.
(g) The licensee shall monitor, evaluate, and adjust, as appropriate, the information security program consistent with any relevant changes in technology, the sensitivity of its nonpublic information, internal or external threats to information, and the licensee's own changing business arrangements, including mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.
(h) As part of its information security program, a licensee shall establish a written incident response plan designed to promptly respond to and recover from any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations. The incident response plan shall address the following areas:
(1) the internal process for responding to a cybersecurity event;
(2) the goals of the incident response plan;
(3) the definition of clear roles, responsibilities, and levels of decision-making authority;
(4) external and internal communications and information sharing;
(5) identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
(6) documentation and reporting regarding cybersecurity events and related incident response activities; and
(7) the evaluation and revision of the incident response plan following a cybersecurity event, as necessary.
(i) Annually, an insurer domiciled in this State shall submit to the Director a written statement by February 15 certifying that the insurer is in compliance with the requirements set forth in this Section. Each insurer shall maintain for examination by the Department all records, schedules, and data supporting this certificate for a period of 5 years. To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address such areas, systems, or processes. The documentation of identified areas, systems, or processes must be available for inspection by the Director.
(j) Licensees shall comply with subsection (f) 2 years after the effective date of this Act, and shall comply with all other subsections of this Section one year after the effective date of this Act.

Section 15. Investigation of a cybersecurity event.
(a) If the licensee learns that a cybersecurity event has occurred or may have occurred, the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall conduct a prompt investigation.
(b) During the investigation the licensee, or an outside vendor or service provider designated to act on behalf of the licensee, shall, at a minimum, comply with as many of the following as possible:
(1) determine whether a cybersecurity event has occurred;
(2) assess the nature and scope of the cybersecurity event;
(3) identify any nonpublic information that may have been involved in the cybersecurity event; and
(4) perform or oversee reasonable measures to restore the security of the information systems compromised in the cybersecurity event in order to prevent further unauthorized acquisition, release, or use of nonpublic information in the licensee's possession, custody, or control.
(c) If the licensee learns that a cybersecurity event has occurred or may have occurred in a system maintained by a third-party service provider, the licensee will complete the steps listed in subsection (b) or confirm and document that the third-party service provider has completed those steps.
(d) The licensee shall maintain records concerning all cybersecurity events for a period of at least 5 years from the date of the cybersecurity event and shall produce those records upon demand of the Director.

516516 17 Section 20. Notification of a cybersecurity event.
517517 18 (a) A licensee shall notify the Director as promptly as
518518 19 possible but no later than 72 hours after a determination that
519519 20 a cybersecurity event has occurred when either of the
520520 21 following criteria has been met:
521521 22 (1) this State is the licensee's state of domicile, in
522522 23 the case of an insurer, or this State is the licensee's
523523 24 home state, in the case of an insurance producer, as those
524524 25 terms are defined in Article XXXI of the Illinois
525525
526526
527527
528528
529529
530530 HB4433 - 14 - LRB103 36043 RPS 66130 b
531531
532532
533533 HB4433- 15 -LRB103 36043 RPS 66130 b HB4433 - 15 - LRB103 36043 RPS 66130 b
534534 HB4433 - 15 - LRB103 36043 RPS 66130 b
535535 1 Insurance Code; or
536536 2 (2) the licensee reasonably believes that the
537537 3 nonpublic information involved is of 250 or more consumers
538538 4 residing in this State and that is either of the
539539 5 following:
540540 6 (A) a cybersecurity event impacting the licensee
541541 7 of which notice is required to be provided to any
542542 8 government body, self-regulatory agency, or any other
543543 9 supervisory body pursuant to any State or federal law;
544544 10 or
545545 11 (B) a cybersecurity event that has a reasonable
546546 12 likelihood of materially harming:
547547 13 (i) any consumer residing in this State; or
548548 14 (ii) any material part of the normal
549549 15 operations of the licensee.
550550 16 (b) A licensee shall provide as much of the following
551551 17 information as possible:
552552 18 (1) the date of the cybersecurity event;
553553 19 (2) a description of how the information was exposed,
554554 20 lost, stolen, or breached, including the specific roles
555555 21 and responsibilities of third-party service providers, if
556556 22 any;
557557 23 (3) how the cybersecurity event was discovered;
558558 24 (4) whether any lost, stolen, or breached information
559559 25 has been recovered and if so, how it was recovered;
560560 26 (5) the identity of the source of the cybersecurity
571571 1 event;
572572 2 (6) whether the licensee has filed a police report or
573573 3 has notified any regulatory, government, or law
574574 4 enforcement agencies and, if so, when such notification
575575 5 was provided;
576576 6 (7) a description of the specific types of information
577577 7 acquired without authorization, including types of medical
578578 8 information, types of financial information, or types of
579579 9 information allowing identification of the consumer;
580580 10 (8) the period during which the information system was
581581 11 compromised by the cybersecurity event;
582582 12 (9) the number of total consumers in this State
583583 13 affected by the cybersecurity event; the licensee shall
584584 14 provide the best estimate in the initial report to the
585585 15 Director and update this estimate with each subsequent
586586 16 report to the Director pursuant to this Section;
587587 17 (10) the results of any internal review identifying a
588588 18 lapse in either automated controls or internal procedures,
589589 19 or confirming that all automated controls or internal
590590 20 procedures were followed;
591591 21 (11) a description of efforts being undertaken to
592592 22 remediate the situation which permitted the cybersecurity
593593 23 event to occur;
594594 24 (12) a copy of the licensee's privacy policy and a
595595 25 statement outlining the steps the licensee will take to
596596 26 investigate and notify consumers affected by the
607607 1 cybersecurity event; and
608608 2 (13) the name of a contact person who is both familiar
609609 3 with the cybersecurity event and authorized to act for the
610610 4 licensee.
611611 5 The licensee shall provide the information in electronic
612612 6 form as directed by the Director. The licensee shall have a
613613 7 continuing obligation to update and supplement initial and
614614 8 subsequent notifications to the Director concerning the
615615 9 cybersecurity event.
616616 10 (c) Licensees shall comply with the Personal Information
617617 11 Protection Act, as applicable, and provide a copy of the
618618 12 notice sent to consumers under that statute to the Director
619619 13 when a licensee is required to notify the Director under
620620 14 subsection (a).
621621 15 (d) If a licensee becomes aware of a cybersecurity event
622622 16 in a system maintained by a third-party service provider, the
623623 17 licensee shall treat the event as it would under subsection
624624 18 (a). The computation of licensee's deadlines shall begin on
625625 19 the day after the third-party service provider notifies the
626626 20 licensee of the cybersecurity event or the licensee otherwise
627627 21 has actual knowledge of the cybersecurity event, whichever is
628628 22 sooner.
629629 23 (e) Nothing in this Act shall prevent or abrogate an
630630 24 agreement between a licensee and another licensee, a
631631 25 third-party service provider, or any other party to fulfill
632632 26 any of the investigation requirements imposed under Section 15
643643 1 or notice requirements imposed under this Section.
644644 2 (f) In the case of a cybersecurity event involving
645645 3 nonpublic information that is used by the licensee that is
646646 4 acting as an assuming insurer or in the possession, custody,
647647 5 or control of a licensee that is acting as an assuming insurer
648648 6 and that does not have a direct contractual relationship with
649649 7 the affected consumers, the assuming insurer shall notify its
650650 8 affected ceding insurers and the Director of its state of
651651 9 domicile within 72 hours after making the determination that a
652652 10 cybersecurity event has occurred.
653653 11 In the case of a cybersecurity event involving nonpublic
654654 12 information that is in the possession, custody, or control of
655655 13 a third-party service provider of a licensee that is an
656656 14 assuming insurer, the assuming insurer shall notify its
657657 15 affected ceding insurers and the Director of its state of
658658 16 domicile within 72 hours after receiving notice from its
659659 17 third-party service provider that a cybersecurity event has
660660 18 occurred.
661661 19 The ceding insurers that have a direct contractual
662662 20 relationship with affected consumers shall fulfill the
663663 21 consumer notification requirements imposed under the Personal
664664 22 Information Protection Act and any other notification
665665 23 requirements relating to a cybersecurity event imposed under
666666 24 this Section.
667667 25 (g) In the case of a cybersecurity event involving
668668 26 nonpublic information that is in the possession, custody, or
679679 1 control of a licensee that is an insurer or its third-party
680680 2 service provider and for which a consumer accessed the
681681 3 insurer's services through an independent insurance producer,
682682 4 the insurer shall notify the producers of record of all
683683 5 affected consumers as soon as practicable as directed by the
684684 6 Director. The insurer is excused from this obligation for
685685 7 those instances in which it does not have the current producer
686686 8 of record information for any individual consumer.
687687 9 Section 25. Power of Director.
688688 10 (a) The Director shall have power to examine and
689689 11 investigate the affairs of any licensee to determine whether
690690 12 the licensee has been or is engaged in any conduct in violation
691691 13 of this Act. This power is in addition to the powers which the
692692 14 Director has under the Illinois Insurance Code, including
693693 15 Sections 132, 132.3, 132.4, 133, 401, 402, 403, and 425 of the
694694 16 Illinois Insurance Code. Any investigation or examination
695695 17 shall be conducted pursuant to the Illinois Insurance Code,
696696 18 including Sections 132, 132.3, 132.4, 133, 401, 402, 403, and
697697 19 425 of the Illinois Insurance Code.
698698 20 (b) Whenever the Director has reason to believe that a
699699 21 licensee has been or is engaged in conduct in this State which
700700 22 violates this Act, the Director may take action that is
701701 23 necessary or appropriate to enforce the provisions of this
702702 24 Act.
713713 1 Section 30. Confidentiality.
714714 2 (a) Any documents, materials, or other information in the
715715 3 control or possession of the Department that are furnished by
716716 4 a licensee or an employee or agent thereof acting on behalf of
717717 5 licensee pursuant to subsection (i) of Section 10, subsection
718718 6 (b) of Section 20, or that are obtained by the Director in an
719719 7 investigation or examination pursuant to Section 25 shall be
720720 8 confidential by law and privileged, shall not be subject to
721721 9 the Freedom of Information Act, shall not be subject to
722722 10 subpoena, and shall not be subject to discovery or admissible
723723 11 in evidence in any private civil action. However, the Director
724724 12 is authorized to use the documents, materials, or other
725725 13 information in the furtherance of any regulatory or legal
726726 14 action brought as a part of the Director's duties.
727727 15 (b) Neither the Director nor any person who received
728728 16 documents, materials, or other information while acting under
729729 17 the authority of the Director shall be permitted or required
730730 18 to testify in any private civil action concerning any
731731 19 confidential documents, materials, or information subject to
732732 20 subsection (a).
733733 21 (c) In order to assist in the performance of the
734734 22 Director's duties under this Act, the Director:
735735 23 (1) may share documents, materials, or other
736736 24 information, including the confidential and privileged
737737 25 documents, materials, or information subject to subsection
738738 26 (a), with other State, federal, and international
749749 1 regulatory agencies, with the National Association of
750750 2 Insurance Commissioners and its affiliates or
751751 3 subsidiaries, and with State, federal, and international
752752 4 law enforcement authorities, if the recipient agrees in
753753 5 writing to maintain the confidentiality and privileged
754754 6 status of the document, material, or other information;
755755 7 (2) may receive documents, materials, or information,
756756 8 including otherwise confidential and privileged documents,
757757 9 materials, or information, from the National Association
758758 10 of Insurance Commissioners and its affiliates or
759759 11 subsidiaries and from regulatory and law enforcement
760760 12 officials of other foreign or domestic jurisdictions, and
761761 13 shall maintain as confidential or privileged any document,
762762 14 material, or information received with notice or the
763763 15 understanding that it is confidential or privileged under
764764 16 the laws of the jurisdiction that is the source of the
765765 17 document, material, or information;
766766 18 (3) may share documents, materials, or other
767767 19 information subject to subsection (a), with a third-party
768768 20 consultant or vendor if the consultant agrees in writing
769769 21 to maintain the confidentiality and privileged status of
770770 22 the document, material, or other information; and
771771 23 (4) may enter into agreements governing sharing and
772772 24 use of information consistent with this subsection.
773773 25 (d) No waiver of any applicable privilege or claim of
774774 26 confidentiality in the documents, materials, or information
785785 1 shall occur as a result of disclosure to the Director under
786786 2 this Section or as a result of sharing as authorized in
787787 3 subsection (c).
788788 4 (e) Nothing in this Act shall prohibit the Director from
789789 5 releasing final, adjudicated actions that are open to public
790790 6 inspection pursuant to the Illinois Insurance Code to a
791791 7 database or other clearinghouse service maintained by the
792792 8 National Association of Insurance Commissioners and its
793793 9 affiliates or subsidiaries.
794794 10 Section 35. Exceptions.
795795 11 (a) The following exceptions shall apply to this Act:
796796 12 (1) A licensee with fewer than 10 employees, including
797797 13 any independent contractors, is exempt from Section 10.
798798 14 (2) A licensee subject to the Health Insurance
799799 15 Portability and Accountability Act that has established
800800 16 and maintains an information security program pursuant to
801801 17 such statutes, rules, regulations, procedures, or
802802 18 guidelines established thereunder, shall be considered to
803803 19 meet the requirements of Section 10 if the licensee is
804804 20 compliant with the Health Insurance Portability and
805805 21 Accountability Act and submits a written statement
806806 22 certifying its compliance with the same.
807807 23 (3) An employee, agent, representative, or designee of
808808 24 a licensee that is also a licensee is exempt from Section
809809 25 10 and need not develop its own information security
820820 1 program to the extent that the employee, agent,
821821 2 representative, or designee is covered by the information
822822 3 security program of the other licensee.
823823 4 (b) If a licensee ceases to qualify for an exception, the
824824 5 licensee shall comply with this Act within 180 days.
825825 6 Section 40. Penalties. In the case of a violation of this
826826 7 Act, a licensee may be penalized in accordance with the
827827 8 provisions of the Illinois Insurance Code, including Section
828828 9 403A of the Illinois Insurance Code.
829829 10 Section 45. Rules. The Department may, in accordance with
830830 11 the Illinois Administrative Procedure Act and Section 401 of
831831 12 the Illinois Insurance Code, adopt such rules as shall be
832832 13 necessary to carry out the provisions of this Act.
833833 14 Section 50. Severability. If any provision of this Act or
834834 15 its application to any person or circumstance is held invalid,
835835 16 the invalidity of that provision or application does not
836836 17 affect other provisions or applications of this Act that can
837837 18 be given effect without the invalid provision or application.
838838 19 Section 105. The Freedom of Information Act is amended by
839839 20 changing Section 7.5 as follows:
840840 21 (5 ILCS 140/7.5)
851851 1 (Text of Section before amendment by P.A. 103-472)
852852 2 Sec. 7.5. Statutory exemptions. To the extent provided for
853853 3 by the statutes referenced below, the following shall be
854854 4 exempt from inspection and copying:
855855 5 (a) All information determined to be confidential
856856 6 under Section 4002 of the Technology Advancement and
857857 7 Development Act.
858858 8 (b) Library circulation and order records identifying
859859 9 library users with specific materials under the Library
860860 10 Records Confidentiality Act.
861861 11 (c) Applications, related documents, and medical
862862 12 records received by the Experimental Organ Transplantation
863863 13 Procedures Board and any and all documents or other
864864 14 records prepared by the Experimental Organ Transplantation
865865 15 Procedures Board or its staff relating to applications it
866866 16 has received.
867867 17 (d) Information and records held by the Department of
868868 18 Public Health and its authorized representatives relating
869869 19 to known or suspected cases of sexually transmissible
870870 20 disease or any information the disclosure of which is
871871 21 restricted under the Illinois Sexually Transmissible
872872 22 Disease Control Act.
873873 23 (e) Information the disclosure of which is exempted
874874 24 under Section 30 of the Radon Industry Licensing Act.
875875 25 (f) Firm performance evaluations under Section 55 of
876876 26 the Architectural, Engineering, and Land Surveying
887887 1 Qualifications Based Selection Act.
888888 2 (g) Information the disclosure of which is restricted
889889 3 and exempted under Section 50 of the Illinois Prepaid
890890 4 Tuition Act.
891891 5 (h) Information the disclosure of which is exempted
892892 6 under the State Officials and Employees Ethics Act, and
893893 7 records of any lawfully created State or local inspector
894894 8 general's office that would be exempt if created or
895895 9 obtained by an Executive Inspector General's office under
896896 10 that Act.
897897 11 (i) Information contained in a local emergency energy
898898 12 plan submitted to a municipality in accordance with a
899899 13 local emergency energy plan ordinance that is adopted
900900 14 under Section 11-21.5-5 of the Illinois Municipal Code.
901901 15 (j) Information and data concerning the distribution
902902 16 of surcharge moneys collected and remitted by carriers
903903 17 under the Emergency Telephone System Act.
904904 18 (k) Law enforcement officer identification information
905905 19 or driver identification information compiled by a law
906906 20 enforcement agency or the Department of Transportation
907907 21 under Section 11-212 of the Illinois Vehicle Code.
908908 22 (l) Records and information provided to a residential
909909 23 health care facility resident sexual assault and death
910910 24 review team or the Executive Council under the Abuse
911911 25 Prevention Review Team Act.
912912 26 (m) Information provided to the predatory lending
923923 1 database created pursuant to Article 3 of the Residential
924924 2 Real Property Disclosure Act, except to the extent
925925 3 authorized under that Article.
926926 4 (n) Defense budgets and petitions for certification of
927927 5 compensation and expenses for court appointed trial
928928 6 counsel as provided under Sections 10 and 15 of the
929929 7 Capital Crimes Litigation Act (repealed). This subsection
930930 8 (n) shall apply until the conclusion of the trial of the
931931 9 case, even if the prosecution chooses not to pursue the
932932 10 death penalty prior to trial or sentencing.
933933 11 (o) Information that is prohibited from being
934934 12 disclosed under Section 4 of the Illinois Health and
935935 13 Hazardous Substances Registry Act.
936936 14 (p) Security portions of system safety program plans,
937937 15 investigation reports, surveys, schedules, lists, data, or
938938 16 information compiled, collected, or prepared by or for the
939939 17 Department of Transportation under Sections 2705-300 and
940940 18 2705-616 of the Department of Transportation Law of the
941941 19 Civil Administrative Code of Illinois, the Regional
942942 20 Transportation Authority under Section 2.11 of the
943943 21 Regional Transportation Authority Act, or the St. Clair
944944 22 County Transit District under the Bi-State Transit Safety
945945 23 Act (repealed).
946946 24 (q) Information prohibited from being disclosed by the
947947 25 Personnel Record Review Act.
948948 26 (r) Information prohibited from being disclosed by the
959959 1 Illinois School Student Records Act.
960960 2 (s) Information the disclosure of which is restricted
961961 3 under Section 5-108 of the Public Utilities Act.
962962 4 (t) (Blank).
963963 5 (u) Records and information provided to an independent
964964 6 team of experts under the Developmental Disability and
965965 7 Mental Health Safety Act (also known as Brian's Law).
966966 8 (v) Names and information of people who have applied
967967 9 for or received Firearm Owner's Identification Cards under
968968 10 the Firearm Owners Identification Card Act or applied for
969969 11 or received a concealed carry license under the Firearm
970970 12 Concealed Carry Act, unless otherwise authorized by the
971971 13 Firearm Concealed Carry Act; and databases under the
972972 14 Firearm Concealed Carry Act, records of the Concealed
973973 15 Carry Licensing Review Board under the Firearm Concealed
974974 16 Carry Act, and law enforcement agency objections under the
975975 17 Firearm Concealed Carry Act.
976976 18 (v-5) Records of the Firearm Owner's Identification
977977 19 Card Review Board that are exempted from disclosure under
978978 20 Section 10 of the Firearm Owners Identification Card Act.
979979 21 (w) Personally identifiable information which is
980980 22 exempted from disclosure under subsection (g) of Section
981981 23 19.1 of the Toll Highway Act.
982982 24 (x) Information which is exempted from disclosure
983983 25 under Section 5-1014.3 of the Counties Code or Section
984984 26 8-11-21 of the Illinois Municipal Code.
995995 1 (y) Confidential information under the Adult
996996 2 Protective Services Act and its predecessor enabling
997997 3 statute, the Elder Abuse and Neglect Act, including
998998 4 information about the identity and administrative finding
999999 5 against any caregiver of a verified and substantiated
10001000 6 decision of abuse, neglect, or financial exploitation of
10011001 7 an eligible adult maintained in the Registry established
10021002 8 under Section 7.5 of the Adult Protective Services Act.
10031003 9 (z) Records and information provided to a fatality
10041004 10 review team or the Illinois Fatality Review Team Advisory
10051005 11 Council under Section 15 of the Adult Protective Services
10061006 12 Act.
10071007 13 (aa) Information which is exempted from disclosure
10081008 14 under Section 2.37 of the Wildlife Code.
10091009 15 (bb) Information which is or was prohibited from
10101010 16 disclosure by the Juvenile Court Act of 1987.
10111011 17 (cc) Recordings made under the Law Enforcement
10121012 18 Officer-Worn Body Camera Act, except to the extent
10131013 19 authorized under that Act.
10141014 20 (dd) Information that is prohibited from being
10151015 21 disclosed under Section 45 of the Condominium and Common
10161016 22 Interest Community Ombudsperson Act.
10171017 23 (ee) Information that is exempted from disclosure
10181018 24 under Section 30.1 of the Pharmacy Practice Act.
10191019 25 (ff) Information that is exempted from disclosure
10201020 26 under the Revised Uniform Unclaimed Property Act.
10311031 1 (gg) Information that is prohibited from being
10321032 2 disclosed under Section 7-603.5 of the Illinois Vehicle
10331033 3 Code.
10341034 4 (hh) Records that are exempt from disclosure under
10351035 5 Section 1A-16.7 of the Election Code.
10361036 6 (ii) Information which is exempted from disclosure
10371037 7 under Section 2505-800 of the Department of Revenue Law of
10381038 8 the Civil Administrative Code of Illinois.
10391039 9 (jj) Information and reports that are required to be
10401040 10 submitted to the Department of Labor by registering day
10411041 11 and temporary labor service agencies but are exempt from
10421042 12 disclosure under subsection (a-1) of Section 45 of the Day
10431043 13 and Temporary Labor Services Act.
10441044 14 (kk) Information prohibited from disclosure under the
10451045 15 Seizure and Forfeiture Reporting Act.
10461046 16 (ll) Information the disclosure of which is restricted
10471047 17 and exempted under Section 5-30.8 of the Illinois Public
10481048 18 Aid Code.
10491049 19 (mm) Records that are exempt from disclosure under
10501050 20 Section 4.2 of the Crime Victims Compensation Act.
10511051 21 (nn) Information that is exempt from disclosure under
10521052 22 Section 70 of the Higher Education Student Assistance Act.
10531053 23 (oo) Communications, notes, records, and reports
10541054 24 arising out of a peer support counseling session
10551055 25 prohibited from disclosure under the First Responders
10561056 26 Suicide Prevention Act.
10671067 1 (pp) Names and all identifying information relating to
10681068 2 an employee of an emergency services provider or law
10691069 3 enforcement agency under the First Responders Suicide
10701070 4 Prevention Act.
10711071 5 (qq) Information and records held by the Department of
10721072 6 Public Health and its authorized representatives collected
10731073 7 under the Reproductive Health Act.
10741074 8 (rr) Information that is exempt from disclosure under
10751075 9 the Cannabis Regulation and Tax Act.
10761076 10 (ss) Data reported by an employer to the Department of
10771077 11 Human Rights pursuant to Section 2-108 of the Illinois
10781078 12 Human Rights Act.
10791079 13 (tt) Recordings made under the Children's Advocacy
10801080 14 Center Act, except to the extent authorized under that
10811081 15 Act.
10821082 16 (uu) Information that is exempt from disclosure under
10831083 17 Section 50 of the Sexual Assault Evidence Submission Act.
10841084 18 (vv) Information that is exempt from disclosure under
10851085 19 subsections (f) and (j) of Section 5-36 of the Illinois
10861086 20 Public Aid Code.
10871087 21 (ww) Information that is exempt from disclosure under
10881088 22 Section 16.8 of the State Treasurer Act.
10891089 23 (xx) Information that is exempt from disclosure or
10901090 24 information that shall not be made public under the
10911091 25 Illinois Insurance Code.
10921092 26 (yy) Information prohibited from being disclosed under
11031103 1 the Illinois Educational Labor Relations Act.
11041104 2 (zz) Information prohibited from being disclosed under
11051105 3 the Illinois Public Labor Relations Act.
11061106 4 (aaa) Information prohibited from being disclosed
11071107 5 under Section 1-167 of the Illinois Pension Code.
11081108 6 (bbb) Information that is prohibited from disclosure
11091109 7 by the Illinois Police Training Act and the Illinois State
11101110 8 Police Act.
11111111 9 (ccc) Records exempt from disclosure under Section
11121112 10 2605-304 of the Illinois State Police Law of the Civil
11131113 11 Administrative Code of Illinois.
11141114 12 (ddd) Information prohibited from being disclosed
11151115 13 under Section 35 of the Address Confidentiality for
11161116 14 Victims of Domestic Violence, Sexual Assault, Human
11171117 15 Trafficking, or Stalking Act.
11181118 16 (eee) Information prohibited from being disclosed
11191119 17 under subsection (b) of Section 75 of the Domestic
11201120 18 Violence Fatality Review Act.
11211121 19 (fff) Images from cameras under the Expressway Camera
11221122 20 Act. This subsection (fff) is inoperative on and after
11231123 21 July 1, 2025.
11241124 22 (ggg) Information prohibited from disclosure under
11251125 23 paragraph (3) of subsection (a) of Section 14 of the Nurse
11261126 24 Agency Licensing Act.
11271127 25 (hhh) Information submitted to the Illinois State
11281128 26 Police in an affidavit or application for an assault
11391139 1 weapon endorsement, assault weapon attachment endorsement,
11401140 2 .50 caliber rifle endorsement, or .50 caliber cartridge
11411141 3 endorsement under the Firearm Owners Identification Card
11421142 4 Act.
11431143 5 (iii) Data exempt from disclosure under Section 50 of
11441144 6 the School Safety Drill Act.
11451145 7 (jjj) (hhh) Information exempt from disclosure under
11461146 8 Section 30 of the Insurance Data Security Law.
11471147 9 (kkk) (iii) Confidential business information
11481148 10 prohibited from disclosure under Section 45 of the Paint
11491149 11 Stewardship Act.
11501150 12 (Source: P.A. 102-36, eff. 6-25-21; 102-237, eff. 1-1-22;
11511151 13 102-292, eff. 1-1-22; 102-520, eff. 8-20-21; 102-559, eff.
11521152 14 8-20-21; 102-813, eff. 5-13-22; 102-946, eff. 7-1-22;
11531153 15 102-1042, eff. 6-3-22; 102-1116, eff. 1-10-23; 103-8, eff.
11541154 16 6-7-23; 103-34, eff. 6-9-23; 103-142, eff. 1-1-24; 103-372,
11551155 17 eff. 1-1-24; 103-508, eff. 8-4-23; revised 9-5-23.)
11561156 18 (Text of Section after amendment by P.A. 103-472)
11571157 19 Sec. 7.5. Statutory exemptions. To the extent provided for
11581158 20 by the statutes referenced below, the following shall be
11591159 21 exempt from inspection and copying:
11601160 22 (a) All information determined to be confidential
11611161 23 under Section 4002 of the Technology Advancement and
11621162 24 Development Act.
11631163 25 (b) Library circulation and order records identifying
11741174 1 library users with specific materials under the Library
11751175 2 Records Confidentiality Act.
11761176 3 (c) Applications, related documents, and medical
11771177 4 records received by the Experimental Organ Transplantation
11781178 5 Procedures Board and any and all documents or other
11791179 6 records prepared by the Experimental Organ Transplantation
11801180 7 Procedures Board or its staff relating to applications it
11811181 8 has received.
11821182 9 (d) Information and records held by the Department of
11831183 10 Public Health and its authorized representatives relating
11841184 11 to known or suspected cases of sexually transmissible
11851185 12 disease or any information the disclosure of which is
11861186 13 restricted under the Illinois Sexually Transmissible
11871187 14 Disease Control Act.
11881188 15 (e) Information the disclosure of which is exempted
11891189 16 under Section 30 of the Radon Industry Licensing Act.
11901190 17 (f) Firm performance evaluations under Section 55 of
11911191 18 the Architectural, Engineering, and Land Surveying
11921192 19 Qualifications Based Selection Act.
11931193 20 (g) Information the disclosure of which is restricted
11941194 21 and exempted under Section 50 of the Illinois Prepaid
11951195 22 Tuition Act.
11961196 23 (h) Information the disclosure of which is exempted
11971197 24 under the State Officials and Employees Ethics Act, and
11981198 25 records of any lawfully created State or local inspector
11991199 26 general's office that would be exempt if created or
obtained by an Executive Inspector General's office under that Act.
(i) Information contained in a local emergency energy plan submitted to a municipality in accordance with a local emergency energy plan ordinance that is adopted under Section 11-21.5-5 of the Illinois Municipal Code.
(j) Information and data concerning the distribution of surcharge moneys collected and remitted by carriers under the Emergency Telephone System Act.
(k) Law enforcement officer identification information or driver identification information compiled by a law enforcement agency or the Department of Transportation under Section 11-212 of the Illinois Vehicle Code.
(l) Records and information provided to a residential health care facility resident sexual assault and death review team or the Executive Council under the Abuse Prevention Review Team Act.
(m) Information provided to the predatory lending database created pursuant to Article 3 of the Residential Real Property Disclosure Act, except to the extent authorized under that Article.
(n) Defense budgets and petitions for certification of compensation and expenses for court appointed trial counsel as provided under Sections 10 and 15 of the Capital Crimes Litigation Act (repealed). This subsection (n) shall apply until the conclusion of the trial of the
case, even if the prosecution chooses not to pursue the death penalty prior to trial or sentencing.
(o) Information that is prohibited from being disclosed under Section 4 of the Illinois Health and Hazardous Substances Registry Act.
(p) Security portions of system safety program plans, investigation reports, surveys, schedules, lists, data, or information compiled, collected, or prepared by or for the Department of Transportation under Sections 2705-300 and 2705-616 of the Department of Transportation Law of the Civil Administrative Code of Illinois, the Regional Transportation Authority under Section 2.11 of the Regional Transportation Authority Act, or the St. Clair County Transit District under the Bi-State Transit Safety Act (repealed).
(q) Information prohibited from being disclosed by the Personnel Record Review Act.
(r) Information prohibited from being disclosed by the Illinois School Student Records Act.
(s) Information the disclosure of which is restricted under Section 5-108 of the Public Utilities Act.
(t) (Blank).
(u) Records and information provided to an independent team of experts under the Developmental Disability and Mental Health Safety Act (also known as Brian's Law).
(v) Names and information of people who have applied
for or received Firearm Owner's Identification Cards under the Firearm Owners Identification Card Act or applied for or received a concealed carry license under the Firearm Concealed Carry Act, unless otherwise authorized by the Firearm Concealed Carry Act; and databases under the Firearm Concealed Carry Act, records of the Concealed Carry Licensing Review Board under the Firearm Concealed Carry Act, and law enforcement agency objections under the Firearm Concealed Carry Act.
(v-5) Records of the Firearm Owner's Identification Card Review Board that are exempted from disclosure under Section 10 of the Firearm Owners Identification Card Act.
(w) Personally identifiable information which is exempted from disclosure under subsection (g) of Section 19.1 of the Toll Highway Act.
(x) Information which is exempted from disclosure under Section 5-1014.3 of the Counties Code or Section 8-11-21 of the Illinois Municipal Code.
(y) Confidential information under the Adult Protective Services Act and its predecessor enabling statute, the Elder Abuse and Neglect Act, including information about the identity and administrative finding against any caregiver of a verified and substantiated decision of abuse, neglect, or financial exploitation of an eligible adult maintained in the Registry established under Section 7.5 of the Adult Protective Services Act.
(z) Records and information provided to a fatality review team or the Illinois Fatality Review Team Advisory Council under Section 15 of the Adult Protective Services Act.
(aa) Information which is exempted from disclosure under Section 2.37 of the Wildlife Code.
(bb) Information which is or was prohibited from disclosure by the Juvenile Court Act of 1987.
(cc) Recordings made under the Law Enforcement Officer-Worn Body Camera Act, except to the extent authorized under that Act.
(dd) Information that is prohibited from being disclosed under Section 45 of the Condominium and Common Interest Community Ombudsperson Act.
(ee) Information that is exempted from disclosure under Section 30.1 of the Pharmacy Practice Act.
(ff) Information that is exempted from disclosure under the Revised Uniform Unclaimed Property Act.
(gg) Information that is prohibited from being disclosed under Section 7-603.5 of the Illinois Vehicle Code.
(hh) Records that are exempt from disclosure under Section 1A-16.7 of the Election Code.
(ii) Information which is exempted from disclosure under Section 2505-800 of the Department of Revenue Law of the Civil Administrative Code of Illinois.
(jj) Information and reports that are required to be submitted to the Department of Labor by registering day and temporary labor service agencies but are exempt from disclosure under subsection (a-1) of Section 45 of the Day and Temporary Labor Services Act.
(kk) Information prohibited from disclosure under the Seizure and Forfeiture Reporting Act.
(ll) Information the disclosure of which is restricted and exempted under Section 5-30.8 of the Illinois Public Aid Code.
(mm) Records that are exempt from disclosure under Section 4.2 of the Crime Victims Compensation Act.
(nn) Information that is exempt from disclosure under Section 70 of the Higher Education Student Assistance Act.
(oo) Communications, notes, records, and reports arising out of a peer support counseling session prohibited from disclosure under the First Responders Suicide Prevention Act.
(pp) Names and all identifying information relating to an employee of an emergency services provider or law enforcement agency under the First Responders Suicide Prevention Act.
(qq) Information and records held by the Department of Public Health and its authorized representatives collected under the Reproductive Health Act.
(rr) Information that is exempt from disclosure under
the Cannabis Regulation and Tax Act.
(ss) Data reported by an employer to the Department of Human Rights pursuant to Section 2-108 of the Illinois Human Rights Act.
(tt) Recordings made under the Children's Advocacy Center Act, except to the extent authorized under that Act.
(uu) Information that is exempt from disclosure under Section 50 of the Sexual Assault Evidence Submission Act.
(vv) Information that is exempt from disclosure under subsections (f) and (j) of Section 5-36 of the Illinois Public Aid Code.
(ww) Information that is exempt from disclosure under Section 16.8 of the State Treasurer Act.
(xx) Information that is exempt from disclosure or information that shall not be made public under the Illinois Insurance Code.
(yy) Information prohibited from being disclosed under the Illinois Educational Labor Relations Act.
(zz) Information prohibited from being disclosed under the Illinois Public Labor Relations Act.
(aaa) Information prohibited from being disclosed under Section 1-167 of the Illinois Pension Code.
(bbb) Information that is prohibited from disclosure by the Illinois Police Training Act and the Illinois State Police Act.
(ccc) Records exempt from disclosure under Section 2605-304 of the Illinois State Police Law of the Civil Administrative Code of Illinois.
(ddd) Information prohibited from being disclosed under Section 35 of the Address Confidentiality for Victims of Domestic Violence, Sexual Assault, Human Trafficking, or Stalking Act.
(eee) Information prohibited from being disclosed under subsection (b) of Section 75 of the Domestic Violence Fatality Review Act.
(fff) Images from cameras under the Expressway Camera Act. This subsection (fff) is inoperative on and after July 1, 2025.
(ggg) Information prohibited from disclosure under paragraph (3) of subsection (a) of Section 14 of the Nurse Agency Licensing Act.
(hhh) Information submitted to the Illinois State Police in an affidavit or application for an assault weapon endorsement, assault weapon attachment endorsement, .50 caliber rifle endorsement, or .50 caliber cartridge endorsement under the Firearm Owners Identification Card Act.
(iii) Data exempt from disclosure under Section 50 of the School Safety Drill Act.
(jjj) (hhh) Information exempt from disclosure under Section 30 of the Insurance Data Security Law.
(kkk) (iii) Confidential business information prohibited from disclosure under Section 45 of the Paint Stewardship Act.
(lll) (iii) Data exempt from disclosure under Section 2-3.196 of the School Code.
(mmm) Information exempt from disclosure under Section 30 of the Insurance Data Security Law.
(Source: P.A. 102-36, eff. 6-25-21; 102-237, eff. 1-1-22; 102-292, eff. 1-1-22; 102-520, eff. 8-20-21; 102-559, eff. 8-20-21; 102-813, eff. 5-13-22; 102-946, eff. 7-1-22; 102-1042, eff. 6-3-22; 102-1116, eff. 1-10-23; 103-8, eff. 6-7-23; 103-34, eff. 6-9-23; 103-142, eff. 1-1-24; 103-372, eff. 1-1-24; 103-472, eff. 8-1-24; 103-508, eff. 8-4-23; revised 9-5-23.)
Section 95. No acceleration or delay. Where this Act makes changes in a statute that is represented in this Act by text that is not yet or no longer in effect (for example, a Section represented by multiple versions), the use of that text does not accelerate or delay the taking effect of (i) the changes made by this Act or (ii) provisions derived from any other Public Act.