Should it be enacted, SB1740 will impose significant operational constraints on governmental units during cybersecurity incidents. The requirement for a Governor’s proclamation introduces a centralized decision-making process regarding the deployment of public funds for recovery efforts. This not only enhances oversight of government spending but also compels governmental units to act more judiciously when faced with ransom demands, encouraging them to bolster their cybersecurity measures to avoid such situations. Furthermore, the act restricts the ability of home rule units to authorize payments that are inconsistent with the new regulations, thereby limiting their decision-making authority on this critical issue.
Summary
SB1740, known as the Ransomware Attack Act, aims to regulate how governmental units in Illinois respond to ransomware attacks. Under this proposed legislation, governmental entities—including the State itself and local governmental units—are prohibited from using public funds to pay for the recovery of their computer systems after a ransomware incident unless they receive explicit authorization from the Governor. This authorization can only be granted through a disaster proclamation, which must declare the ransomware attack a disaster under the Illinois Emergency Management Agency Act. In addition, the bill mandates that any ransomware attack must be reported to the Department of Innovation and Technology within 24 hours of discovery.
Contention
The bill has sparked discussions regarding the balance of power between state and local authorities. Critics may argue that requiring a disaster proclamation for recovery payments could lead to delays in responding to ransomware attacks, thus exacerbating the damage incurred. Additionally, the limitations on home rule powers raise concerns about local governance and the state’s ability to micromanage responses to cyber incidents. Supporters, however, contend that a unified approach reduces the risk of taxpayers' money being used irresponsibly and promotes a more coherent state-wide response to cybersecurity threats.
A bill for an act prohibiting the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks, and including effective date provisions. (See HF 554.)
A bill for an act prohibiting the state or a political subdivision of the state from expending revenue received from taxpayers for payment to persons responsible for ransomware attacks, and including effective date provisions. (Formerly HSB 153.)
Requesting That The Chief Information Officer Review Whether All Departments, Agencies, And Offices Of The State Have Up-to-date Technology To Reduce Cyber Threats And Help Protect The State Against Cyberattacks.