Illinois 2025-2026 Regular Session

Illinois House Bill HB3576 Compare Versions

Only one version of the bill is available at this time.
104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
HB3576
Introduced , by Rep. Dagmara Avelar

SYNOPSIS AS INTRODUCED:
220 ILCS 5/4-101 from Ch. 111 2/3, par. 4-101
220 ILCS 5/4-102 new

Amends the Public Utilities Act. Provides that, within 120 days after the effective date of the amendatory provisions, each water purveyor shall develop a cybersecurity program that defines and implements organizational accountabilities and responsibilities for cyber risk management activities, and establishes policies, plans, processes, and procedures for identifying and mitigating cyber risk to its public community water system. Provides that, within certain time periods after the effective date of the amendatory provisions, a water purveyor shall create a cybersecurity incident reporting process; obtain a cybersecurity insurance policy that meets certain standards; reasonably conform to the most recent version of one or more of specified industry-recognized cybersecurity frameworks; submit a compliance report; submit an incident report; and submit an annual status report. Sets forth provisions concerning violations of the amendatory provisions and rulemaking abilities of the Department of Natural Resources and the Illinois Commerce Commission. Makes other changes.

LRB104 08875 AAS 18930 b

A BILL FOR
AN ACT concerning regulation.
Be it enacted by the People of the State of Illinois,
represented in the General Assembly:
Section 5. The Public Utilities Act is amended by changing
Section 4-101 and by adding Section 4-102 as follows:
(220 ILCS 5/4-101) (from Ch. 111 2/3, par. 4-101)
Sec. 4-101. The Commerce Commission shall have general
supervision of all public utilities, except as otherwise
provided in this Act, shall inquire into the management of the
business thereof and shall keep itself informed as to the
manner and method in which the business is conducted. It shall
examine those public utilities and keep informed as to their
general condition, their franchises, capitalization, rates and
other charges, and the manner in which their plants, equipment
and other property owned, leased, controlled or operated are
managed, conducted and operated, not only with respect to the
adequacy, security and accommodation afforded by their service
but also with respect to their compliance with this Act and any
other law, with the orders of the Commission and with the
charter and franchise requirements.
Whenever the Commission is authorized or required by law
to consider some aspect of criminal history record information
for the purpose of carrying out its statutory powers and
responsibilities, then, upon request and payment of fees in
conformance with the requirements of Section 2605-400 of the
Illinois State Police Law, the Illinois State Police is
authorized to furnish, pursuant to positive identification,
such information contained in State files as is necessary to
fulfill the request.
The Commission shall require all public utilities to
establish a security policy that includes on-site safeguards
to restrict physical or electronic access to critical
infrastructure and computerized control and data systems. The
Commission shall maintain a record of and each regulated
entity shall provide to the Commission an annual affidavit
signed by a representative of the regulated entity that
states:
(1) that the entity has a security policy in place;
(2) that the entity has conducted at least one
practice exercise based on the security policy within the
12 months immediately preceding the date of the affidavit;
and
(3) with respect to any entity that is an electric
public utility, that the entity follows, at a minimum, the
most current security standards set forth by the North
American Electric Reliability Council.
A water public utility's security policy shall also meet
the requirements set forth in Section 4-102.
(Source: P.A. 102-538, eff. 8-20-21.)
(220 ILCS 5/4-102 new)
Sec. 4-102. Cybersecurity policy for water purveyors.
(a) As used in this Section:
"Cybersecurity incident" means an event occurring on or
conducted through a computer network that jeopardizes the
integrity, confidentiality, or availability of computers,
information systems, communications systems, networks,
physical or virtual infrastructure controlled by computers or
information systems, or information residing on such computers
or information systems.
"Cybersecurity insurance policy" means an insurance policy
designed to mitigate losses from cybersecurity incidents,
including, but not limited to, data breaches, business
interruption, and network damage.
"Department" means the Department of Natural Resources.
"Industrial control system" means an information system
used to control industrial processes such as manufacturing,
product handling, production, or distribution.
"Industrial control system" includes supervisory control
and data acquisition systems used to control geographically
dispersed assets, and distributed control systems and smaller
control systems using programmable logic controllers to
control localized processes.
"Information resource" means information and related
resources, such as personnel, equipment, funds, and
information technology.
"Information system" means a discrete set of information
resources organized for the collection, processing,
maintenance, use, sharing, dissemination, or disposition of
information.
"Public community water system" means a public water
system which serves at least 15 service connections used by
year-round residents or regularly serves at least 25
year-round residents.
"Public water system" means a system for the provision to
the public of water for human consumption through pipes or
other constructed conveyances, if such system has at least 15
service connections or regularly serves an average of at least
25 individuals daily at least 60 days out of the year. "Public
water system" includes (i) any collection, treatment, storage
and distribution facilities under control of the operator of
such system and used primarily in connection with such system,
and (ii) any collection or pre-treatment storage facilities
not under such control which are used primarily in connection
with such system.
"Water purveyor" means any person that owns a public
community water system with more than 500 service connections.
(b) Within 120 days after the effective date of this
amendatory Act of the 104th General Assembly, each water
purveyor shall develop a cybersecurity program that defines
and implements organizational accountabilities and
responsibilities for cyber risk management activities, and
establishes policies, plans, processes, and procedures for
identifying and mitigating cyber risk to the water purveyor's
public community water system. As part of the cybersecurity
program, a water purveyor shall do the following:
(1) identify the individual directly responsible for
ensuring that the policies, plans, processes, and
procedures established pursuant to this Section are
executed in a timely manner;
(2) conduct risk assessments and implement appropriate
controls to mitigate identified risks to the public
community water system;
(3) maintain situational awareness of cyber threats
and vulnerabilities to the public community water system;
and
(4) create and exercise incident response and recovery
plans.
A water purveyor shall submit a copy of the cybersecurity
program developed pursuant to this subsection (b) to the
Commission in a form and manner as determined by the
Commission.
(c) Within 60 days after developing the cybersecurity
program required pursuant to subsection (b) of this Section,
each water purveyor shall create a cybersecurity incident
reporting process.
(d) No later than 180 days after the effective date of this
amendatory Act of the 104th General Assembly, each water
purveyor shall obtain a cybersecurity insurance policy that
meets any applicable standards adopted by the Commission.
(e) No later than 180 days after the effective date of this
amendatory Act of the 104th General Assembly, each water
purveyor shall update its cybersecurity program developed
pursuant to this Section to apply to all of the public
community water system's industrial control systems and to
reasonably conform to the most recent version of one or more of
the following industry-recognized cybersecurity frameworks:
(1) the Framework for Improving Critical
Infrastructure Cybersecurity developed by the National
Institute of Standards and Technology;
(2) the Center for Internet Security Critical Security
Controls for Effective Cyber Defense; or
(3) the International Organization for Standardization
and International Electrotechnical Commission 27000 family
of standards for an information security management
system.
Whenever a final revision to one or more of the frameworks
listed in this subsection (e) is published, a water purveyor
whose cybersecurity program conformed to that framework shall
revise its cybersecurity program to reasonably conform to the
revised framework, and submit a copy of the revised
cybersecurity program to the Commission, no later than 180
days after publication of the revised framework.
(f) No later than one year after the effective date of this
amendatory Act of the 104th General Assembly, and each year
thereafter, each water purveyor shall submit to the Department
and the Commission a certification demonstrating that the
water purveyor is in compliance with the requirements of this
Section. The certification shall be made in a form and manner
as determined by the Department, in consultation with the
Commission. The certification shall be signed by a senior
executive responsible for security of the regulated entity.
(g) The Commission shall cause to be audited any public
community water system that fails to submit a cybersecurity
program, a revision, or a certification pursuant to this
Section. Any audit shall be conducted by a qualified and
independent cybersecurity company, at the water purveyor's
expense. Following the audit, the water purveyor shall submit
the audit and any corrective action plans derived from the
audit to the Commission.
(h) A water purveyor shall, upon the request of the
Department or the Commission, provide proof of compliance with
the requirements of this Section, in a form and manner as
determined by the Department or by the Commission.
(i) On and after 90 days after the effective date of this
amendatory Act of the 104th General Assembly, a water purveyor
shall inform the Commission, in a written or oral report,
within 48 hours or as soon as practicable after the discovery
or occurrence of any notable, unusual, or significant
cybersecurity incident or any cybersecurity incident that must
be reported to another regulatory agency, including the
following:
(1) any cybersecurity incident that results in the
compromise of the confidentiality, integrity,
availability, or privacy of the water purveyor's utility
billing, communications, data management, or business
information systems, or the information on such systems;
and
(2) any cybersecurity incident against the water
purveyor's industrial control systems, including
monitoring, operations, and centralized control systems,
that adversely impacts, disables, or manipulates
infrastructure, resulting in loss of service,
contamination of finished water, or damage to
infrastructure.
(j) No later than 30 days after receiving a report of a
cybersecurity incident from a water purveyor pursuant to
subsection (i), the Commission shall cause to be audited the
water purveyor's cybersecurity program and any actions the
water purveyor took in response to the cybersecurity incident.
The audit shall identify cyber threats and vulnerabilities to
the public community water system, weaknesses in the public
community water system's cybersecurity program, and strategies
to address those weaknesses so as to protect the public
community water system from the threat of future cybersecurity
incidents. Any audit shall be conducted by a qualified and
independent cybersecurity company at the water purveyor's
expense. After the completion of the audit, the water purveyor
shall submit the audit and any corrective action plans derived
from the audit to the Commission.
(k) By July 31 of each year, a water purveyor shall provide
to the Commission a report that identifies the following:
(1) an overview of the water purveyor's approach to
cybersecurity awareness and protection;
(2) a description of cybersecurity awareness training
efforts for the water purveyor's staff members,
specialized cybersecurity training for cybersecurity
personnel, and participation by the water purveyor's
cybersecurity staff in emergency preparedness exercises in
the previous calendar year;
(3) an organizational diagram of the water purveyor's
cybersecurity organization, including positions and
contact information for primary and secondary
cybersecurity emergency contacts;
(4) a description of the water purveyor's internal and
external communications plan regarding unauthorized
actions that result in interruption, degradation of
service, financial harm, or breach of sensitive business
or customer data, including the water purveyor's plan for
notifying the Commission and customers;
(5) a redacted summary of any unauthorized actions
that resulted in material interruption, financial harm, or
breach of sensitive business or customer data, including
the parties that were notified of the unauthorized action
and any remedial actions undertaken;
(6) key performance indicators and other metrics
related to physical security and cybersecurity;
(7) any notable cybersecurity information not included
in paragraphs (1) through (6); and
(8) any other information as directed by the
Commission.
(l) The Department or the Commission shall create a
centralized portal allowing for electronic submittal of the
report required under this Section. The lack of a centralized
portal pursuant to this subsection (l) shall not negate the
requirement for a water purveyor to submit a report.
(m) Any person who violates the provisions of this
Section, or any rule or regulation adopted pursuant thereto,
shall be subject to the penalties and other remedies set forth
in Sections 4-202 and Section 4-203. No later than 18 months
after the effective date of this amendatory Act of the 104th
General Assembly, the Department shall adopt a schedule of
civil administrative penalties for specific violations of this
Section.
(n) Reports and other submissions made under this Section
shall not be open to public inspection unless otherwise
ordered by the Commission. Regulated entities shall not report