103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
SB1740
 
Introduced 2/9/2023, by Sen. Steve Stadelman
 
SYNOPSIS AS INTRODUCED:
 

 
New Act

     Creates the Ransomware Attack Act. Provides that a governmental unit (the State, a unit of local government, or any other subdivision of the State) may not use any public funds to pay any person or entity to recover its computer system after a ransomware attack unless the Governor first makes a proclamation that the  ransomware attack against the governmental unit is a disaster under the Illinois Emergency Management Agency Act and, in the proclamation, authorizes the governmental unit to make a payment to recover its computer system following the ransomware attack. Requires a governmental unit to report a ransomware attack to the Department of Innovation and Technology no later than 24 hours after discovering the attack, and requires the Department of Innovation and Technology to adopt rules to implement reporting requirements. Limits the current exercise of home rule powers. Effective immediately.
  


LRB103 28322 AWJ 54701 b

 
 
A BILL FOR
 

  
SB1740LRB103 28322 AWJ 54701 b


  
1    AN ACT concerning government.
  
 
2    Be it enacted by the People of the State of Illinois,
 
3represented in the General Assembly:
  
 
 
4    Section 1. Short title. This Act may be cited as the 
5Ransomware Attack Act.
 
6    Section 5. Definitions. As used in this Act:

7    "Governmental unit" means an agency of the State, a unit 
8of local government, or any other subdivision of the State.

9    "Ransomware" means malware that prevents or limits a user 
10from accessing the user's computer system by locking the 
11user's files until a ransom is paid.

 
12    Section 10. Payments due to ransomware prohibited; 
13Governor-approved payments.

14    (a)   Except as provided in subsection (b), a governmental 
15unit may not use any public funds to pay any person or entity 
16to recover its computer system after a ransomware attack.

17    (b)   If the governor makes a proclamation that a ransomware 
18attack against a governmental unit is a disaster under the 
19Illinois Emergency Management Agency Act and, in the 
20proclamation, authorizes the governmental unit to make a 
21payment to recover its computer system following the 
22ransomware attack, then the governmental unit may make any 
 
 
SB1740- 2 -LRB103 28322 AWJ 54701 b

1payment needed using public funds to end the ransomware 
2attack.

 
3    Section 15. Reports of ransomware attacks; rules.  A 
4governmental unit must report a ransomware attack to the 
5Department of Innovation and Technology no later than 24 hours 
6after discovering the attack. The Department of Innovation and 
7Technology shall adopt rules to implement reporting 
8requirements under this Section.
 
9    Section 90. Home rule. A home rule unit may not authorize 
10payment for ransomware in a manner inconsistent with this Act. 
11This Act is a limitation under subsection (i) of Section 6 of 
12Article VII of the Illinois Constitution on the concurrent 
13exercise by home rule units of powers and functions exercised 
14by the State.
 
 
15    Section 99. Effective date. This Act takes effect upon 
16becoming law.