| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
| ||||||||||||||||||||
1 | AN ACT concerning business.
| |||||||||||||||||||
2 | Be it enacted by the People of the State of Illinois,
| |||||||||||||||||||
3 | represented in the General Assembly:
| |||||||||||||||||||
4 | Section 1. Short title. This Act may be cited as the | |||||||||||||||||||
5 | Cybersecurity Compliance Act. | |||||||||||||||||||
6 | Section 5. Definitions. As used in this Act: | |||||||||||||||||||
7 | "Business" means any limited liability company, limited | |||||||||||||||||||
8 | liability partnership, corporation, sole proprietorship, | |||||||||||||||||||
9 | association, State institution of higher education, private | |||||||||||||||||||
10 | college, or other group, however organized and whether | |||||||||||||||||||
11 | operating for profit or not for profit, or the parent or | |||||||||||||||||||
12 | subsidiary of any of the foregoing. "Business" includes a | |||||||||||||||||||
13 | financial institution organized, chartered, or holding a | |||||||||||||||||||
14 | license authorizing operation under the laws of this State, | |||||||||||||||||||
15 | any other state, the United States, or any other country. | |||||||||||||||||||
16 | "Covered entity" means a business that accesses, | |||||||||||||||||||
17 | maintains, communicates, or processes personal information or | |||||||||||||||||||
18 | restricted information in or through one or more systems, | |||||||||||||||||||
19 | networks, or services located in or outside of this State. | |||||||||||||||||||
20 | "Data breach" means unauthorized access to and acquisition | |||||||||||||||||||
21 | of computerized data that compromises the security or | |||||||||||||||||||
22 | confidentiality of personal information or restricted | |||||||||||||||||||
23 | information owned by or licensed to a covered entity and that |
| |||||||
| |||||||
1 | causes, reasonably is believed to have caused, or reasonably | ||||||
2 | is believed will cause a material risk of identity theft or | ||||||
3 | other fraud to person or property. "Data breach" does not | ||||||
4 | include: | ||||||
5 | (1) the good faith acquisition of personal information | ||||||
6 | or restricted information by the covered entity's employee | ||||||
7 | or agent for the purposes of the covered entity so long as | ||||||
8 | the personal information or restricted information is not | ||||||
9 | used for an unlawful purpose or subject to further | ||||||
10 | unauthorized disclosure; or | ||||||
11 | (2) the acquisition of personal information or | ||||||
12 | restricted information pursuant to a search warrant, | ||||||
13 | subpoena, or other court order, or pursuant to a subpoena, | ||||||
14 | order, or duty of a regulatory State agency. | ||||||
15 | "Personal information" has the same meaning as provided in | ||||||
16 | the Personal Information Protection Act. | ||||||
17 | "Restricted information" means any information about an | ||||||
18 | individual, other than personal information, that, alone or in | ||||||
19 | combination with other information, including personal | ||||||
20 | information, can be used to distinguish or trace the | ||||||
21 | individual's identity or that is linked or linkable to an | ||||||
22 | individual, if the information is not encrypted, redacted, or | ||||||
23 | altered by any method or technology in such a manner that the | ||||||
24 | information is unreadable, and the breach of which is likely | ||||||
25 | to result in a material risk of identity theft or other fraud | ||||||
26 | to a person or property. |
| |||||||
| |||||||
1 | Section 10. Safe harbor requirements. | ||||||
2 | (a) A covered entity seeking an affirmative defense under | ||||||
3 | this Act shall: | ||||||
4 | (1) create, maintain, and comply with a written | ||||||
5 | cybersecurity program that contains administrative, | ||||||
6 | technical, and physical safeguards for the protection of | ||||||
7 | personal information and that reasonably conforms to an | ||||||
8 | industry-recognized cybersecurity framework, as described | ||||||
9 | in Section 15; or | ||||||
10 | (2) create, maintain, and comply with a written | ||||||
11 | cybersecurity program that contains administrative, | ||||||
12 | technical, and physical safeguards for the protection of | ||||||
13 | both personal information and restricted information and | ||||||
14 | that reasonably conforms to an industry-recognized | ||||||
15 | cybersecurity framework, as described in Section 15. | ||||||
16 | (b) A covered entity's cybersecurity program shall be | ||||||
17 | designed to do all of the following: | ||||||
18 | (1) protect the security and confidentiality of | ||||||
19 | information; | ||||||
20 | (2) protect against any anticipated threats or hazards | ||||||
21 | to the security or integrity of information; and | ||||||
22 | (3) protect against unauthorized access to and | ||||||
23 | acquisition of the information that is likely to result in | ||||||
24 | a material risk of identity theft or other fraud to the | ||||||
25 | individual to whom the information relates. |
| |||||||
| |||||||
1 | (c) The scale and scope of a covered entity's | ||||||
2 | cybersecurity program under subsection (a), as applicable, is | ||||||
3 | appropriate if it is based on all of the following factors: | ||||||
4 | (1) the size and complexity of the covered entity; | ||||||
5 | (2) the nature and scope of the activities of the | ||||||
6 | covered entity; | ||||||
7 | (3) the sensitivity of the information to be | ||||||
8 | protected; | ||||||
9 | (4) the cost and availability of tools to improve | ||||||
10 | information security and reduce vulnerabilities; and | ||||||
11 | (5) the resources available to the covered entity. | ||||||
12 | (d) A covered entity under this Section is entitled to an | ||||||
13 | affirmative defense as follows: | ||||||
14 | (1) A covered entity that satisfies paragraph (1) of | ||||||
15 | subsection (a) and also subsections (b) and (c) is | ||||||
16 | entitled to an affirmative defense to any cause of action | ||||||
17 | sounding in tort that is brought under the laws of this | ||||||
18 | State or in the courts of this State and that alleges that | ||||||
19 | the failure to implement reasonable information security | ||||||
20 | controls resulted in a data breach concerning personal | ||||||
21 | information. | ||||||
22 | (2) A covered entity that satisfies paragraph (2) of | ||||||
23 | subsection (a) and also subsections (b) and (c) is | ||||||
24 | entitled to an affirmative defense to any cause of action | ||||||
25 | sounding in tort that is brought under the laws of this | ||||||
26 | State or in the courts of this State and that alleges that |
| |||||||
| |||||||
1 | the failure to implement reasonable information security | ||||||
2 | controls resulted in a data breach concerning personal | ||||||
3 | information or restricted information. | ||||||
4 | Section 15. Reasonable conformance. | ||||||
5 | (a) A covered entity's cybersecurity program reasonably | ||||||
6 | conforms to an industry-recognized cybersecurity framework for | ||||||
7 | purposes of this Act if the requirements of subsection (b), | ||||||
8 | (c), or (d) are satisfied. | ||||||
9 | (b)(1) The cybersecurity program reasonably conforms to an | ||||||
10 | industry-recognized cybersecurity framework for purposes of | ||||||
11 | this Act if the cybersecurity program reasonably conforms to | ||||||
12 | the current version of any of the following or any combination | ||||||
13 | of the following, subject to paragraph (2) and subsection (e): | ||||||
14 | (A) The "framework for improving critical | ||||||
15 | infrastructure cyber security" developed by the National | ||||||
16 | Institute of Standards and Technology (NIST); | ||||||
17 | (B) NIST special publication 800-171; | ||||||
18 | (C) NIST special publications 800-53 and 800-53a; | ||||||
19 | (D) The Federal Risk And Authorization Management | ||||||
20 | Program (FedRAMP) Security Assessment Framework; | ||||||
21 | (E) The Center for Internet Security Critical Security | ||||||
22 | Controls for Effective Cyber Defense; or | ||||||
23 | (F) The International Organization for | ||||||
24 | Standardization/International Electrotechnical Commission | ||||||
25 | 27000 Family - Information Security Management Systems. |
| |||||||
| |||||||
1 | (2) When a final revision to a framework listed in | ||||||
2 | paragraph (1) is published, a covered entity whose | ||||||
3 | cybersecurity program reasonably conforms to that framework | ||||||
4 | shall reasonably conform to the revised framework not later | ||||||
5 | than one year after the publication date stated in the | ||||||
6 | revision. | ||||||
7 | (c)(1) The covered entity's cybersecurity program | ||||||
8 | reasonably conforms to an industry-recognized cybersecurity | ||||||
9 | framework for purposes of this Act if the covered entity is | ||||||
10 | regulated by the State, by the federal government, or both, or | ||||||
11 | is otherwise subject to the requirements of any of the laws or | ||||||
12 | regulations listed below, and the cybersecurity program | ||||||
13 | reasonably conforms to the entirety of the current version of | ||||||
14 | any of the following, subject to paragraph (2): | ||||||
15 | (A) The security requirements of the Health Insurance | ||||||
16 | Portability and Accountability Act of 1996, as set forth | ||||||
17 | in 45 CFR Part 164, Subpart C; | ||||||
18 | (B) Title V of the Gramm-Leach-Bliley Act of 1999, | ||||||
19 | Public Law 106-102, as amended; | ||||||
20 | (C) The Federal Information Security Modernization Act | ||||||
21 | of 2014, Public Law 113-283; | ||||||
22 | (D) The Health Information Technology for Economic and | ||||||
23 | Clinical Health Act, as set forth in 45 CFR Part 162. | ||||||
24 | (2) When a framework listed in paragraph (1) is amended, a | ||||||
25 | covered entity whose cybersecurity program reasonably conforms | ||||||
26 | to that framework shall reasonably conform to the amended |
| |||||||
| |||||||
1 | framework not later than one year after the effective date of | ||||||
2 | the amended framework. | ||||||
3 | (d)(1) The cybersecurity program reasonably conforms to an | ||||||
4 | industry-recognized cybersecurity framework for purposes of | ||||||
5 | this Act if the cybersecurity program reasonably complies with | ||||||
6 | both the current version of the payment card industry (PCI) | ||||||
7 | data security standard and conforms to the current version of | ||||||
8 | another applicable industry-recognized cybersecurity | ||||||
9 | framework listed in subsection (b), subject to paragraph (2) | ||||||
10 | of subsection (b) and subsection (e). | ||||||
11 | (2) When a final revision to the PCI data security | ||||||
12 | standard is published, a covered entity whose cybersecurity | ||||||
13 | program reasonably complies with that standard shall | ||||||
14 | reasonably comply with the revised standard not later than one | ||||||
15 | year after the publication date stated in the revision. | ||||||
16 | (e) If a covered entity's cybersecurity program reasonably | ||||||
17 | conforms to a combination of industry-recognized cybersecurity | ||||||
18 | frameworks, or complies with a standard, as in the case of the | ||||||
19 | PCI data security standard, as described in subsection (b) or | ||||||
20 | (d), and 2 or more of those frameworks are revised, the covered | ||||||
21 | entity whose cybersecurity program reasonably conforms to or | ||||||
22 | complies with, as applicable, those frameworks shall | ||||||
23 | reasonably conform to or comply with, as applicable, all of | ||||||
24 | the revised frameworks not later than one year after the | ||||||
25 | latest publication date stated in the revisions.
|
| |||||||
| |||||||
1 | Section 20. No private right of action. This Act shall not | ||||||
2 | be construed to provide a private right of action, including a | ||||||
3 | class action, with respect to any act or practice regulated | ||||||
4 | under it.
| ||||||
5 | Section 97. Severability. The provisions of this Act are | ||||||
6 | severable under Section 1.31 of the Statute on Statutes.
|