| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| 1 | AN ACT concerning regulation.
| |||||||||||||||||||
| 2 | Be it enacted by the People of the State of Illinois,
| |||||||||||||||||||
| 3 | represented in the General Assembly:
| |||||||||||||||||||
| 4 | Section 1. Short title. This Act may be cited as the | |||||||||||||||||||
| 5 | Security of Connected Devices Act. | |||||||||||||||||||
| 6 | Section 5. Definitions. As used in this Act:
| |||||||||||||||||||
| 7 | "Authentication" means a method of verifying the authority | |||||||||||||||||||
| 8 | of a user, process, or device to access resources in an | |||||||||||||||||||
| 9 | information system.
| |||||||||||||||||||
| 10 | "Connected device" means any device, or other physical | |||||||||||||||||||
| 11 | object that is capable of connecting to the Internet and that | |||||||||||||||||||
| 12 | is assigned an Internet Protocol address or Bluetooth address.
| |||||||||||||||||||
| 13 | "Manufacturer" means the person who manufactures, or | |||||||||||||||||||
| 14 | contracts with another person to manufacture on that person's | |||||||||||||||||||
| 15 | behalf, connected devices that are sold or offered for sale in | |||||||||||||||||||
| 16 | Illinois. A contract with another person to manufacture on the | |||||||||||||||||||
| 17 | person's behalf does not, however, include a contract only to | |||||||||||||||||||
| 18 | purchase a connected device, or only to purchase and brand a | |||||||||||||||||||
| 19 | connected device.
| |||||||||||||||||||
| 20 | "Security feature" means a feature of a device designed to | |||||||||||||||||||
| 21 | provide security for that device.
| |||||||||||||||||||
| 22 | "Unauthorized access, destruction, use, modification, or | |||||||||||||||||||
| 23 | disclosure" means access, destruction, use, modification, or | |||||||||||||||||||
| |||||||
| |||||||
| 1 | disclosure that is not authorized by the consumer.
| ||||||
| 2 | Section 10. Device requirements.
| ||||||
| 3 | (a) A manufacturer of a connected device shall equip the | ||||||
| 4 | device with a reasonable security feature or features that are | ||||||
| 5 | all of the following:
| ||||||
| 6 | (1) Appropriate to the nature and function of the | ||||||
| 7 | device.
| ||||||
| 8 | (2) Appropriate to the information it may collect, | ||||||
| 9 | contain, or transmit.
| ||||||
| 10 | (3) Designed to protect the device and any information | ||||||
| 11 | contained in the device from unauthorized access, | ||||||
| 12 | destruction, use, modification, or disclosure.
| ||||||
| 13 | (b) Subject to all of the requirements of subsection (a), | ||||||
| 14 | if a connected device is equipped with a means for | ||||||
| 15 | authentication outside a local area network, it shall be deemed | ||||||
| 16 | a reasonable security feature under subsection (a) if either of | ||||||
| 17 | the following requirements are met:
| ||||||
| 18 | (1) The preprogrammed password is unique to each device | ||||||
| 19 | manufactured.
| ||||||
| 20 | (2) The device contains a security feature that | ||||||
| 21 | requires a user to generate a new means of authentication | ||||||
| 22 | before access is granted to the device for the first time.
| ||||||
| 23 | Section 15. Exceptions.
| ||||||
| 24 | (a) This Act shall not be construed to impose any duty upon | ||||||
| |||||||
| |||||||
| 1 | the manufacturer of a connected device related to unaffiliated | ||||||
| 2 | third-party software or applications that a user chooses to add | ||||||
| 3 | to a connected device.
| ||||||
| 4 | (b) This Act shall not be construed to impose any duty upon | ||||||
| 5 | a provider of an electronic store, gateway, marketplace, or | ||||||
| 6 | other means of purchasing or downloading software or | ||||||
| 7 | applications, to review or enforce compliance with this title.
| ||||||
| 8 | (c) This Act shall not be construed to impose any duty upon | ||||||
| 9 | the manufacturer of a connected device to prevent a user from | ||||||
| 10 | having full control over a connected device, including the | ||||||
| 11 | ability to modify the software or firmware running on the | ||||||
| 12 | device at the user's discretion.
| ||||||
| 13 | (d) This Act does not apply to any connected device the | ||||||
| 14 | functionality of which is subject to security requirements | ||||||
| 15 | under federal law, regulations, or guidance promulgated by a | ||||||
| 16 | federal agency pursuant to its regulatory enforcement | ||||||
| 17 | authority.
| ||||||
| 18 | (e) This Act shall not be construed to provide a basis for | ||||||
| 19 | a private right of action. The Attorney General shall have the | ||||||
| 20 | exclusive authority to enforce this Act as an unlawful practice | ||||||
| 21 | under the Consumer Fraud and Deceptive Business Practices Act.
| ||||||
| 22 | (f) The duties and obligations imposed by this Act are | ||||||
| 23 | cumulative with any other duties or obligations imposed under | ||||||
| 24 | other law, and shall not be construed to relieve any party from | ||||||
| 25 | any duties or obligations imposed under other law.
| ||||||
| 26 | (g) This Act shall not be construed to limit the authority | ||||||
| |||||||
| |||||||
| 1 | of a law enforcement agency to obtain connected device | ||||||
| 2 | information from a manufacturer as authorized by law or | ||||||
| 3 | pursuant to an order of a court.
| ||||||
| 4 | (h) A covered entity, provider of health care, business | ||||||
| 5 | associate, health care service plan, contractor, employer, or | ||||||
| 6 | any other person subject to the federal Health Insurance | ||||||
| 7 | Portability and Accountability Act of 1996 (Public Law 104-191) | ||||||
| 8 | is not subject to this Act with respect to any activity | ||||||
| 9 | regulated by that Act.
| ||||||