103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 SB1740 Introduced 2/9/2023, by Sen. Steve Stadelman SYNOPSIS AS INTRODUCED: New Act Creates the Ransomware Attack Act. Provides that a governmental unit (the State, a unit of local government, or any other subdivision of the State) may not use any public funds to pay any person or entity to recover its computer system after a ransomware attack unless the Governor first makes a proclamation that the ransomware attack against the governmental unit is a disaster under the Illinois Emergency Management Agency Act and, in the proclamation, authorizes the governmental unit to make a payment to recover its computer system following the ransomware attack. Requires a governmental unit to report a ransomware attack to the Department of Innovation and Technology no later than 24 hours after discovering the attack, and requires the Department of Innovation and Technology to adopt rules to implement reporting requirements. Limits the current exercise of home rule powers. Effective immediately. LRB103 28322 AWJ 54701 b A BILL FOR 103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 SB1740 Introduced 2/9/2023, by Sen. Steve Stadelman SYNOPSIS AS INTRODUCED: New Act New Act Creates the Ransomware Attack Act. Provides that a governmental unit (the State, a unit of local government, or any other subdivision of the State) may not use any public funds to pay any person or entity to recover its computer system after a ransomware attack unless the Governor first makes a proclamation that the ransomware attack against the governmental unit is a disaster under the Illinois Emergency Management Agency Act and, in the proclamation, authorizes the governmental unit to make a payment to recover its computer system following the ransomware attack. Requires a governmental unit to report a ransomware attack to the Department of Innovation and Technology no later than 24 hours after discovering the attack, and requires the Department of Innovation and Technology to adopt rules to implement reporting requirements. Limits the current exercise of home rule powers. Effective immediately. LRB103 28322 AWJ 54701 b LRB103 28322 AWJ 54701 b A BILL FOR
103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 SB1740 Introduced 2/9/2023, by Sen. Steve Stadelman SYNOPSIS AS INTRODUCED:
New Act New Act
New Act
Creates the Ransomware Attack Act. Provides that a governmental unit (the State, a unit of local government, or any other subdivision of the State) may not use any public funds to pay any person or entity to recover its computer system after a ransomware attack unless the Governor first makes a proclamation that the ransomware attack against the governmental unit is a disaster under the Illinois Emergency Management Agency Act and, in the proclamation, authorizes the governmental unit to make a payment to recover its computer system following the ransomware attack. Requires a governmental unit to report a ransomware attack to the Department of Innovation and Technology no later than 24 hours after discovering the attack, and requires the Department of Innovation and Technology to adopt rules to implement reporting requirements. Limits the current exercise of home rule powers. Effective immediately.
LRB103 28322 AWJ 54701 b LRB103 28322 AWJ 54701 b
LRB103 28322 AWJ 54701 b
A BILL FOR
SB1740LRB103 28322 AWJ 54701 b SB1740 LRB103 28322 AWJ 54701 b
SB1740 LRB103 28322 AWJ 54701 b
1 AN ACT concerning government.
2 Be it enacted by the People of the State of Illinois,
3 represented in the General Assembly:
4 Section 1. Short title. This Act may be cited as the
5 Ransomware Attack Act.
6 Section 5. Definitions. As used in this Act:
7 "Governmental unit" means an agency of the State, a unit
8 of local government, or any other subdivision of the State.
9 "Ransomware" means malware that prevents or limits a user
10 from accessing the user's computer system by locking the
11 user's files until a ransom is paid.
12 Section 10. Payments due to ransomware prohibited;
13 Governor-approved payments.
14 (a) Except as provided in subsection (b), a governmental
15 unit may not use any public funds to pay any person or entity
16 to recover its computer system after a ransomware attack.
17 (b) If the governor makes a proclamation that a ransomware
18 attack against a governmental unit is a disaster under the
19 Illinois Emergency Management Agency Act and, in the
20 proclamation, authorizes the governmental unit to make a
21 payment to recover its computer system following the
22 ransomware attack, then the governmental unit may make any
103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 SB1740 Introduced 2/9/2023, by Sen. Steve Stadelman SYNOPSIS AS INTRODUCED:
New Act New Act
New Act
Creates the Ransomware Attack Act. Provides that a governmental unit (the State, a unit of local government, or any other subdivision of the State) may not use any public funds to pay any person or entity to recover its computer system after a ransomware attack unless the Governor first makes a proclamation that the ransomware attack against the governmental unit is a disaster under the Illinois Emergency Management Agency Act and, in the proclamation, authorizes the governmental unit to make a payment to recover its computer system following the ransomware attack. Requires a governmental unit to report a ransomware attack to the Department of Innovation and Technology no later than 24 hours after discovering the attack, and requires the Department of Innovation and Technology to adopt rules to implement reporting requirements. Limits the current exercise of home rule powers. Effective immediately.
LRB103 28322 AWJ 54701 b LRB103 28322 AWJ 54701 b
LRB103 28322 AWJ 54701 b
A BILL FOR
New Act
LRB103 28322 AWJ 54701 b
SB1740 LRB103 28322 AWJ 54701 b
SB1740- 2 -LRB103 28322 AWJ 54701 b SB1740 - 2 - LRB103 28322 AWJ 54701 b
SB1740 - 2 - LRB103 28322 AWJ 54701 b
1 payment needed using public funds to end the ransomware
2 attack.
3 Section 15. Reports of ransomware attacks; rules. A
4 governmental unit must report a ransomware attack to the
5 Department of Innovation and Technology no later than 24 hours
6 after discovering the attack. The Department of Innovation and
7 Technology shall adopt rules to implement reporting
8 requirements under this Section.
9 Section 90. Home rule. A home rule unit may not authorize
10 payment for ransomware in a manner inconsistent with this Act.
11 This Act is a limitation under subsection (i) of Section 6 of
12 Article VII of the Illinois Constitution on the concurrent
13 exercise by home rule units of powers and functions exercised
14 by the State.
15 Section 99. Effective date. This Act takes effect upon
16 becoming law.
SB1740 - 2 - LRB103 28322 AWJ 54701 b