AN ACT concerning safety.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Illinois Cyber Reserve Act.

Section 5. Definitions. In this Act:

"Advisory Board" means the Illinois Cyber Reserve Advisory Board created under Section 40.

"Agency" means the Illinois Emergency Management Agency.

"Chief information officer" means the individual within the Agency designated by the Governor as the chief information officer for this State.

"Client" means a municipal, educational, nonprofit, or business organization that has requested and is using the rapid response assistance of the Illinois Cyber Reserve under the direction of the Agency.

"Cybersecurity incident" means an event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on any of these. "Cybersecurity incident" includes, but is not limited to, the existence of a vulnerability in an information system, system security procedures, internal controls, or implementation that is subject to exploitation.

"Illinois Cyber Reserve" means the program established under this Act under which civilian volunteers who have expertise in addressing cybersecurity incidents may volunteer at the invitation of the Agency to provide rapid response assistance to a municipal, educational, nonprofit, or business organization in need of expert assistance during a cybersecurity incident.

"Illinois Cyber Reserve volunteer" means an individual who has entered into a volunteer agreement with the Agency to serve as a volunteer in the Illinois Cyber Reserve.

"Volunteer agreement" means the contract entered into between the Agency and an Illinois Cyber Reserve volunteer under Section 15.

Section 10. Appointment of volunteers. The Agency may appoint individuals to serve as Illinois Cyber Reserve volunteers for the purposes of facilitating the responsibilities of the Agency as provided under this Act.

Section 15. Volunteer agreement. The Agency shall enter into a contract with any individual who wishes to accept an invitation by the Agency to serve as an Illinois Cyber Reserve volunteer. The contract must include, at a minimum, all of the following:

(1) A provision acknowledging the confidentiality of information relating to this State, State residents, and clients.

(2) A provision protecting from disclosure any confidential information of this State, State residents, or clients acquired by the Illinois Cyber Reserve volunteer through participation in the Illinois Cyber Reserve.

(3) A provision requiring the Illinois Cyber Reserve volunteer to avoid conflicts of interest that might arise from a particular deployment.

(4) A provision requiring the Illinois Cyber Reserve volunteer to comply with all existing Agency security policies and procedures regarding information technology resources.

(5) A provision requiring the Illinois Cyber Reserve volunteer to consent to background screening considered appropriate by the Agency under this Act, and a provision in which the individual gives that consent as described in Section 20.

(6) A provision requiring the Illinois Cyber Reserve volunteer to attest that he or she meets any standards of expertise that may be established by the Agency.

Section 20. Clearance to become a volunteer; requirements.

(a) When an individual accepts an invitation to serve as an Illinois Cyber Reserve volunteer as described in Section 15 the Agency shall request the Illinois State Police to do both of the following:

(1) Conduct a criminal history check on the individual.

(2) Conduct a criminal records check through the Federal Bureau of Investigation on the individual.

(b) An individual who accepts an invitation to the Illinois Cyber Reserve shall give written consent in the volunteer agreement for the Illinois State Police to conduct the criminal history check and criminal records check required under subsection (a). The Agency shall require the individual to submit his or her fingerprints to the Illinois State Police and the Federal Bureau of Investigation for the criminal records check.

(c) The Agency shall request a criminal history check and criminal records check under this Section on all individuals who wish to participate as Illinois Cyber Reserve volunteers. The Agency shall make the request on a form and in the manner prescribed by the Illinois State Police.

(d) Within a reasonable time after receiving a complete request by the Agency for a criminal history check and criminal records check on an individual under this Section, the Illinois State Police shall conduct the criminal history check and provide a report of the results to the Agency. The report must indicate that the individual is cleared or not cleared to become an Illinois Cyber Reserve volunteer.

(e) Within a reasonable time after receiving a proper request by the Agency for a criminal records check on an individual under this Section, the Illinois State Police shall initiate the criminal records check with the Federal Bureau of Investigation. After receiving the results of the criminal records check from the Federal Bureau of Investigation, the Illinois State Police shall provide a report to the Agency that indicates that the individual is cleared or not cleared to become an Illinois Cyber Reserve volunteer.

(f) If a criminal arrest fingerprint is subsequently submitted to the Illinois State Police and matches against a fingerprint that was submitted under this Act and stored in its automated fingerprint identification system database, the Illinois State Police shall notify the Agency that the individual is still cleared or is no longer cleared to continue as an Illinois Cyber Reserve volunteer. When the Illinois State Police is able to participate with the Federal Bureau of Investigation automatic notification system, then any subsequent arrest fingerprint submitted to the Federal Bureau of Investigation must also be reviewed by the Illinois State Police. The Illinois State Police shall provide a report to the Agency that indicates that the individual is still cleared or is no longer cleared to continue as an Illinois Cyber Reserve volunteer.

Section 25. Nature of the conduct of volunteers.

(a) An Illinois Cyber Reserve volunteer is not an agent, employee, or independent contractor of this State for any purpose and has no authority to bind this State with regard to third parties.

(b) This State is not liable to an Illinois Cyber Reserve volunteer for personal injury or property damage suffered by the Illinois Cyber Reserve volunteer through participation in the Illinois Cyber Reserve.

Section 30. Civil liability. Any Illinois Cyber Reserve volunteer who in good faith provides professional services in response to a cybersecurity incident shall not be liable for civil damages as a result of his or her acts or omissions in providing the professional services, except for willful and wanton misconduct. This immunity applies to services that are provided during or within the time of deployment for a cybersecurity incident.

Section 35. Initiation of deployment.

(a) On the occurrence of a cybersecurity incident that affects a client, the client may request the Agency to deploy one or more Illinois Cyber Reserve volunteers to provide rapid response assistance under the direction of the Agency.

(b) The Agency, in its discretion, may initiate deployment of Illinois Cyber Reserve volunteers upon the occurrence of a cybersecurity incident and the request of a client.

(c) Acceptance of a deployment by an Illinois Cyber Reserve volunteer for a particular cybersecurity incident must be made in writing. An Illinois Cyber Reserve volunteer may decline to accept deployment for any reason.

(d) To initiate the deployment of an Illinois Cyber Reserve volunteer for a particular cybersecurity incident, the Agency shall indicate in writing that the Illinois Cyber Reserve volunteer is authorized to provide the assistance. A single writing may initiate the deployment of more than one Illinois Cyber Reserve volunteer.

(e) The Agency shall maintain a writing initiating the deployment of an Illinois Cyber Reserve volunteer to provide assistance to a client for 6 years from the time of deployment or for the time required under the Agency's record retention policies, whichever is longer.

(f) The deployment of an Illinois Cyber Reserve volunteer to provide assistance to a client must be for 7 days unless the writing initiating the deployment contains a different period.

(g) At the direction of the Agency, the deployment of an Illinois Cyber Reserve volunteer may be extended in writing in the same manner as the initial deployment.

Section 40. Illinois Cyber Reserve Advisory Board.

(a) The Illinois Cyber Reserve Advisory Board is created as an advisory body within the Agency.

(b) The Advisory Board is composed of the adjutant general, the Director of the Agency, the Director of State Police, and the Director of the Department of Commerce and Economic Opportunity or their designees.

(c) The Advisory Board shall review and make recommendations to the Agency regarding the policies and procedures used by the Agency in implementing this Act.

Section 45. Powers and duties of the Agency.

(a) After consultation with the Advisory Board, the chief information officer shall do both of the following:

(1) Approve the set of tools that the Illinois Cyber Reserve may use in response to a cybersecurity incident.

(2) Determine the standards of expertise necessary for an individual to become a member of the Illinois Cyber Reserve.

(b) After consultation with the Advisory Board, the Agency shall publish guidelines for the operation of the Illinois Cyber Reserve program. At a minimum, the published guidelines must include the following:

(1) An explanation of the standard the Agency will use to determine whether an individual may serve as an Illinois Cyber Reserve volunteer and an explanation of the process by which an individual may become an Illinois Cyber Reserve volunteer.

(2) An explanation of the requirements the Agency will impose for a client to receive the assistance of the Illinois Cyber Reserve and an explanation of the process by which a client may request and receive the assistance of the Illinois Cyber Reserve.

(c) The Agency may enter into contracts with clients as a condition to providing assistance through the Illinois Cyber Reserve.

(d) The Agency may provide appropriate training to individuals who wish to participate in the Illinois Cyber Reserve and to existing Illinois Cyber Reserve volunteers.

(e) The Agency may provide compensation for actual and necessary travel and subsistence expenses incurred by Illinois Cyber Reserve volunteers on a deployment, at the discretion of the Agency.

(f) The Agency may establish a fee schedule for clients who wish to use the assistance of the Illinois Cyber Reserve. The Agency may recoup expenses through the fees but may not generate a profit.

(g) Information voluntarily given to the Illinois Cyber Reserve or obtained under this Act that would identify or provide a means of identifying a person that may, as a result of disclosure of the information, become a victim of a cybersecurity incident or that would disclose a person's cybersecurity plans or cybersecurity-related practices, procedures, methods, results, organizational information system infrastructure, hardware, or software is exempt from disclosure under the Freedom of Information Act.

(h) The Agency shall adopt any rules necessary for the implementation and administration of this Act.