| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| 1 | AN ACT concerning business.
| |||||||||||||||||||
| 2 | Be it enacted by the People of the State of Illinois,
| |||||||||||||||||||
| 3 | represented in the General Assembly:
| |||||||||||||||||||
| 4 | Section 1. Short title. This Act may be cited as the | |||||||||||||||||||
| 5 | Cybersecurity Compliance Act. | |||||||||||||||||||
| 6 | Section 5. Definitions. As used in this Act: | |||||||||||||||||||
| 7 | "Business" means any limited liability company, limited | |||||||||||||||||||
| 8 | liability partnership, corporation, sole proprietorship, | |||||||||||||||||||
| 9 | association, State institution of higher education, private | |||||||||||||||||||
| 10 | college, or other group, however organized and whether | |||||||||||||||||||
| 11 | operating for profit or not for profit, or the parent or | |||||||||||||||||||
| 12 | subsidiary of any of the foregoing. "Business" includes a | |||||||||||||||||||
| 13 | financial institution organized, chartered, or holding a | |||||||||||||||||||
| 14 | license authorizing operation under the laws of this State, any | |||||||||||||||||||
| 15 | other state, the United States, or any other country. | |||||||||||||||||||
| 16 | "Covered entity" means a business that accesses, | |||||||||||||||||||
| 17 | maintains, communicates, or processes personal information or | |||||||||||||||||||
| 18 | restricted information in or through one or more systems, | |||||||||||||||||||
| 19 | networks, or services located in or outside of this State. | |||||||||||||||||||
| 20 | "Data breach" means unauthorized access to and acquisition | |||||||||||||||||||
| 21 | of computerized data that compromises the security or | |||||||||||||||||||
| 22 | confidentiality of personal information or restricted | |||||||||||||||||||
| 23 | information owned by or licensed to a covered entity and that | |||||||||||||||||||
| |||||||
| |||||||
| 1 | causes, reasonably is believed to have caused, or reasonably is | ||||||
| 2 | believed will cause a material risk of identity theft or other | ||||||
| 3 | fraud to person or property. "Data breach" does not include: | ||||||
| 4 | (1) good faith acquisition of personal information or | ||||||
| 5 | restricted information by the covered entity's employee or | ||||||
| 6 | agent for the purposes of the covered entity so long as the | ||||||
| 7 | personal information or restricted information is not used | ||||||
| 8 | for an unlawful purpose or subject to further unauthorized | ||||||
| 9 | disclosure; or | ||||||
| 10 | (2) acquisition of personal information or restricted | ||||||
| 11 | information pursuant to a search warrant, subpoena, or | ||||||
| 12 | other court order, or pursuant to a subpoena, order, or | ||||||
| 13 | duty of a regulatory State agency. | ||||||
| 14 | "Personal information" has the same meaning as provided in | ||||||
| 15 | the Personal Information Protection Act. | ||||||
| 16 | "Restricted information" means any information about an | ||||||
| 17 | individual, other than personal information, that, alone or in | ||||||
| 18 | combination with other information, including personal | ||||||
| 19 | information, can be used to distinguish or trace the | ||||||
| 20 | individual's identity or that is linked or linkable to an | ||||||
| 21 | individual, if the information is not encrypted, redacted, or | ||||||
| 22 | altered by any method or technology in such a manner that the | ||||||
| 23 | information is unreadable, and the breach of which is likely to | ||||||
| 24 | result in a material risk of identity theft or other fraud to | ||||||
| 25 | person or property. | ||||||
| |||||||
| |||||||
| 1 | Section 10. Safe harbor requirements. | ||||||
| 2 | (a) A covered entity seeking an affirmative defense under | ||||||
| 3 | this Act shall: | ||||||
| 4 | (1) create, maintain, and comply with a written | ||||||
| 5 | cybersecurity program that contains administrative, | ||||||
| 6 | technical, and physical safeguards for the protection of | ||||||
| 7 | personal information and that reasonably conforms to an | ||||||
| 8 | industry-recognized cybersecurity framework, as described | ||||||
| 9 | in Section 15 of this Act; or | ||||||
| 10 | (2) create, maintain, and comply with a written | ||||||
| 11 | cybersecurity program that contains administrative, | ||||||
| 12 | technical, and physical safeguards for the protection of | ||||||
| 13 | both personal information and restricted information and | ||||||
| 14 | that reasonably conforms to an industry-recognized | ||||||
| 15 | cybersecurity framework, as described in Section 15 of this | ||||||
| 16 | Act. | ||||||
| 17 | (b) A covered entity's cybersecurity program shall be | ||||||
| 18 | designed to do all of the following: | ||||||
| 19 | (1) protect the security and confidentiality of | ||||||
| 20 | information; | ||||||
| 21 | (2) protect against any anticipated threats or hazards | ||||||
| 22 | to the security or integrity of information; and | ||||||
| 23 | (3) protect against unauthorized access to and | ||||||
| 24 | acquisition of the information that is likely to result in | ||||||
| 25 | a material risk of identity theft or other fraud to the | ||||||
| 26 | individual to whom the information relates. | ||||||
| |||||||
| |||||||
| 1 | (c) The scale and scope of a covered entity's cybersecurity | ||||||
| 2 | program under subsection (a) of this Section, as applicable, is | ||||||
| 3 | appropriate if it is based on all of the following factors: | ||||||
| 4 | (1) the size and complexity of the covered entity; | ||||||
| 5 | (2) the nature and scope of the activities of the | ||||||
| 6 | covered entity; | ||||||
| 7 | (3) the sensitivity of the information to be protected; | ||||||
| 8 | (4) the cost and availability of tools to improve | ||||||
| 9 | information security and reduce vulnerabilities; and | ||||||
| 10 | (5) the resources available to the covered entity. | ||||||
| 11 | (d) A covered entity under this Section is entitled to an | ||||||
| 12 | affirmative defense as follows: | ||||||
| 13 | (1) A covered entity that satisfies paragraph (1) of | ||||||
| 14 | subsection (a) and also subsections (b) and (c) of this | ||||||
| 15 | Section is entitled to an affirmative defense to any cause | ||||||
| 16 | of action sounding in tort that is brought under the laws | ||||||
| 17 | of this State or in the courts of this State and that | ||||||
| 18 | alleges that the failure to implement reasonable | ||||||
| 19 | information security controls resulted in a data breach | ||||||
| 20 | concerning personal information. | ||||||
| 21 | (2) A covered entity that satisfies paragraph (2) of | ||||||
| 22 | subsection (a) and also subsections (b) and (c) of this | ||||||
| 23 | Section is entitled to an affirmative defense to any cause | ||||||
| 24 | of action sounding in tort that is brought under the laws | ||||||
| 25 | of this State or in the courts of this State and that | ||||||
| 26 | alleges that the failure to implement reasonable | ||||||
| |||||||
| |||||||
| 1 | information security controls resulted in a data breach | ||||||
| 2 | concerning personal information or restricted information. | ||||||
| 3 | Section 15. Reasonable conformance. | ||||||
| 4 | (a) A covered entity's cybersecurity program reasonably | ||||||
| 5 | conforms to an industry-recognized cybersecurity framework for | ||||||
| 6 | purposes of this Act if the requirements of subsections (b), | ||||||
| 7 | (c), or (d) of this Section is satisfied. | ||||||
| 8 | (b)(1) The cybersecurity program reasonably conforms to | ||||||
| 9 | the current version of any of the following or any combination | ||||||
| 10 | of the following, subject to paragraph (2) and subsection (e) | ||||||
| 11 | of this Section: | ||||||
| 12 | (A) The "framework for improving critical | ||||||
| 13 | infrastructure cyber security" developed by the National | ||||||
| 14 | Institute of Standards and Technology" (NIST); | ||||||
| 15 | (B) NIST special publication 800-171; | ||||||
| 16 | (C) NIST special publications 800-53 and 800-53a; | ||||||
| 17 | (D) The Federal Risk And Authorization Management | ||||||
| 18 | Program (FedRAMP) Security Assessment Framework; | ||||||
| 19 | (E) The Center for Internet Security Critical Security | ||||||
| 20 | Controls for Effective Cyber Defense; or | ||||||
| 21 | (F) The International Organization for | ||||||
| 22 | Standardization/International Electrotechnical Commission | ||||||
| 23 | 27000 Family - Information Security Management Systems. | ||||||
| 24 | (2) When a final revision to a framework listed in | ||||||
| 25 | paragraph (1) is published, a covered entity whose | ||||||
| |||||||
| |||||||
| 1 | cybersecurity program reasonably conforms to that framework | ||||||
| 2 | shall reasonably conform to the revised framework not later | ||||||
| 3 | than one year after the publication date stated in the | ||||||
| 4 | revision. | ||||||
| 5 | (c)(1) The covered entity is regulated by the State, by the | ||||||
| 6 | federal government, or both, or is otherwise subject to the | ||||||
| 7 | requirements of any of the laws or regulations listed below, | ||||||
| 8 | and the cybersecurity program reasonably conforms to the | ||||||
| 9 | entirety of the current version of any of the following, | ||||||
| 10 | subject to paragraph (2): | ||||||
| 11 | (A) The security requirements of the Health Insurance | ||||||
| 12 | Portability and Accountability Act of 1996, as set forth in | ||||||
| 13 | 45 CFR Part 164 Subpart C; | ||||||
| 14 | (B) Title V of the Gramm-Leach-Bliley Act of 1999, | ||||||
| 15 | Public Law 106-102, as amended; | ||||||
| 16 | (C) The Federal Information Security Modernization Act | ||||||
| 17 | of 2014, Public Law 113-283; | ||||||
| 18 | (D) The Health Information Technology for Economic and | ||||||
| 19 | Clinical Health Act, as set forth in 45 CFR part 162. | ||||||
| 20 | (2) When a framework listed in paragraph (1) of this | ||||||
| 21 | subsection is amended, a covered entity whose cybersecurity | ||||||
| 22 | program reasonably conforms to that framework shall reasonably | ||||||
| 23 | conform to the amended framework not later than one year after | ||||||
| 24 | the effective date of the amended framework. | ||||||
| 25 | (d)(1) The cybersecurity program reasonably complies with | ||||||
| 26 | both the current version of the payment card industry (PCI) | ||||||
| |||||||
| |||||||
| 1 | data security standard and conforms to the current version of | ||||||
| 2 | another applicable industry-recognized cybersecurity framework | ||||||
| 3 | listed in subsection (b) of this Section, subject to paragraph | ||||||
| 4 | (2) and subsection (e) of this Section. | ||||||
| 5 | (2) When a final revision to the PCI data security standard | ||||||
| 6 | is published, a covered entity whose cybersecurity program | ||||||
| 7 | reasonably complies with that standard shall reasonably comply | ||||||
| 8 | with the revised standard not later than one year after the | ||||||
| 9 | publication date stated in the revision. | ||||||
| 10 | (e) If a covered entity's cybersecurity program reasonably | ||||||
| 11 | conforms to a combination of industry-recognized cybersecurity | ||||||
| 12 | frameworks, or complies with a standard, as in the case of the | ||||||
| 13 | payment card industry (PCI) data security standard, as | ||||||
| 14 | described in subsection (b) or (d), and 2 or more of those | ||||||
| 15 | frameworks are revised, the covered entity whose cybersecurity | ||||||
| 16 | program reasonably conforms to or complies with, as applicable, | ||||||
| 17 | those frameworks shall reasonably conform to or comply with, as | ||||||
| 18 | applicable, all of the revised frameworks not later than one | ||||||
| 19 | year after the latest publication date stated in the revisions.
| ||||||
| 20 | Section 20. No private right of action. This Act shall not | ||||||
| 21 | be construed to provide a private right of action, including a | ||||||
| 22 | class action, with respect to any act or practice regulated | ||||||
| 23 | under it.
| ||||||
| 24 | Section 97. Severability. The provisions of this Act are | ||||||
| |||||||
| |||||||
| 1 | severable under Section 1.31 of the Statute on Statutes.
| ||||||