| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
1 | AN ACT concerning regulation.
| |||||||||||||||||||
2 | Be it enacted by the People of the State of Illinois,
| |||||||||||||||||||
3 | represented in the General Assembly:
| |||||||||||||||||||
4 | Section 1. Short title. This Act may be cited as the | |||||||||||||||||||
5 | Security of Connected Devices Act. | |||||||||||||||||||
6 | Section 5. Definitions. As used in this Act:
| |||||||||||||||||||
7 | "Authentication" means a method of verifying the authority | |||||||||||||||||||
8 | of a user, process, or device to access resources in an | |||||||||||||||||||
9 | information system.
| |||||||||||||||||||
10 | "Connected device" means any device, or other physical | |||||||||||||||||||
11 | object that is capable of connecting to the Internet and that | |||||||||||||||||||
12 | is assigned an Internet Protocol address or Bluetooth address.
| |||||||||||||||||||
13 | "Manufacturer" means the person who manufactures, or | |||||||||||||||||||
14 | contracts with another person to manufacture on that person's | |||||||||||||||||||
15 | behalf, connected devices that are sold or offered for sale in | |||||||||||||||||||
16 | Illinois. A contract with another person to manufacture on the | |||||||||||||||||||
17 | person's behalf does not, however, include a contract only to | |||||||||||||||||||
18 | purchase a connected device, or only to purchase and brand a | |||||||||||||||||||
19 | connected device.
| |||||||||||||||||||
20 | "Security feature" means a feature of a device designed to | |||||||||||||||||||
21 | provide security for that device.
| |||||||||||||||||||
22 | "Unauthorized access, destruction, use, modification, or | |||||||||||||||||||
23 | disclosure" means access, destruction, use, modification, or |
| |||||||
| |||||||
1 | disclosure that is not authorized by the consumer.
| ||||||
2 | Section 10. Device requirements.
| ||||||
3 | (a) A manufacturer of a connected device shall equip the | ||||||
4 | device with a reasonable security feature or features that are | ||||||
5 | all of the following:
| ||||||
6 | (1) Appropriate to the nature and function of the | ||||||
7 | device.
| ||||||
8 | (2) Appropriate to the information it may collect, | ||||||
9 | contain, or transmit.
| ||||||
10 | (3) Designed to protect the device and any information | ||||||
11 | contained in the device from unauthorized access, | ||||||
12 | destruction, use, modification, or disclosure.
| ||||||
13 | (b) Subject to all of the requirements of subsection (a), | ||||||
14 | if a connected device is equipped with a means for | ||||||
15 | authentication outside a local area network, it shall be | ||||||
16 | deemed a reasonable security feature under subsection (a) if | ||||||
17 | either of the following requirements are met:
| ||||||
18 | (1) The preprogrammed password is unique to each | ||||||
19 | device manufactured.
| ||||||
20 | (2) The device contains a security feature that | ||||||
21 | requires a user to generate a new means of authentication | ||||||
22 | before access is granted to the device for the first time.
| ||||||
23 | Section 15. Exceptions.
| ||||||
24 | (a) This Act shall not be construed to impose any duty upon |
| |||||||
| |||||||
1 | the manufacturer of a connected device related to unaffiliated | ||||||
2 | third-party software or applications that a user chooses to | ||||||
3 | add to a connected device.
| ||||||
4 | (b) This Act shall not be construed to impose any duty upon | ||||||
5 | a provider of an electronic store, gateway, marketplace, or | ||||||
6 | other means of purchasing or downloading software or | ||||||
7 | applications, to review or enforce compliance with this title.
| ||||||
8 | (c) This Act shall not be construed to impose any duty upon | ||||||
9 | the manufacturer of a connected device to prevent a user from | ||||||
10 | having full control over a connected device, including the | ||||||
11 | ability to modify the software or firmware running on the | ||||||
12 | device at the user's discretion.
| ||||||
13 | (d) This Act does not apply to any connected device the | ||||||
14 | functionality of which is subject to security requirements | ||||||
15 | under federal law, regulations, or guidance promulgated by a | ||||||
16 | federal agency pursuant to its regulatory enforcement | ||||||
17 | authority.
| ||||||
18 | (e) This Act shall not be construed to provide a basis for | ||||||
19 | a private right of action. The Attorney General shall have the | ||||||
20 | exclusive authority to enforce this Act as an unlawful | ||||||
21 | practice under the Consumer Fraud and Deceptive Business | ||||||
22 | Practices Act.
| ||||||
23 | (f) The duties and obligations imposed by this Act are | ||||||
24 | cumulative with any other duties or obligations imposed under | ||||||
25 | other law, and shall not be construed to relieve any party from | ||||||
26 | any duties or obligations imposed under other law.
|
| |||||||
| |||||||
1 | (g) This Act shall not be construed to limit the authority | ||||||
2 | of a law enforcement agency to obtain connected device | ||||||
3 | information from a manufacturer as authorized by law or | ||||||
4 | pursuant to an order of a court.
| ||||||
5 | (h) A covered entity, provider of health care, business | ||||||
6 | associate, health care service plan, contractor, employer, or | ||||||
7 | any other person subject to the federal Health Insurance | ||||||
8 | Portability and Accountability Act of 1996 (Public Law | ||||||
9 | 104-191) is not subject to this Act with respect to any | ||||||
10 | activity regulated by that Act.
|