102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022
HB5243

Introduced 1/31/2022, by Rep. Keith R. Wheeler

SYNOPSIS AS INTRODUCED:

New Act

    Creates the Cybersecurity Compliance Act. Creates an affirmative defense for every covered entity that creates, maintains, and complies with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of either personal information or both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework. Prescribes requirements for the cybersecurity program.

LRB102 22790 SPS 31939 b

A BILL FOR

    AN ACT concerning business.

    Be it enacted by the People of the State of Illinois, represented in the General Assembly:

    Section 1. Short title. This Act may be cited as the Cybersecurity Compliance Act.

    Section 5. Definitions. As used in this Act:
    "Business" means any limited liability company, limited liability partnership, corporation, sole proprietorship, association, State institution of higher education, private college, or other group, however organized and whether operating for profit or not-for-profit, or the parent or subsidiary of any of the foregoing. "Business" includes a financial institution organized, chartered, or holding a license authorizing operation under the laws of this State, any other state, the United States, or any other country.
    "Covered entity" means a business that accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside of this State.
    "Data breach" means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information or restricted information owned by or licensed to a covered entity and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to person or property. "Data breach" does not include:
        (1) the good faith acquisition of personal information or restricted information by the covered entity's employee or agent for the purposes of the covered entity so long as the personal information or restricted information is not used for an unlawful purpose or subject to further unauthorized disclosure; or
        (2) the acquisition of personal information or restricted information pursuant to a search warrant, subpoena, or other court order, or pursuant to a subpoena, order, or duty of a regulatory State agency.
    "Personal information" has the same meaning as provided in the Personal Information Protection Act.
    "Restricted information" means any information about an individual, other than personal information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual's identity or that is linked or linkable to an individual, if the information is not encrypted, redacted, or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property.

    Section 10. Safe harbor requirements.
    (a) A covered entity seeking an affirmative defense under this Act shall:
        (1) create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information and that reasonably conforms to an industry-recognized cybersecurity framework, as described in Section 15; or
        (2) create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework, as described in Section 15.
    (b) A covered entity's cybersecurity program shall be designed to do all of the following:
        (1) protect the security and confidentiality of information;
        (2) protect against any anticipated threats or hazards to the security or integrity of information; and
        (3) protect against unauthorized access to and acquisition of the information that is likely to result in a material risk of identity theft or other fraud to the individual to whom the information relates.
    (c) The scale and scope of a covered entity's cybersecurity program under subsection (a), as applicable, is appropriate if it is based on all of the following factors:
        (1) the size and complexity of the covered entity;
        (2) the nature and scope of the activities of the covered entity;
        (3) the sensitivity of the information to be protected;
        (4) the cost and availability of tools to improve information security and reduce vulnerabilities; and
        (5) the resources available to the covered entity.
    (d) A covered entity under this Section is entitled to an affirmative defense as follows:
        (1) A covered entity that satisfies paragraph (1) of subsection (a) and subsections (b) and (c) is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this State or in the courts of this State and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information.
        (2) A covered entity that satisfies paragraph (2) of subsection (a) and subsections (b) and (c) is entitled to an affirmative defense to any cause of action sounding in tort that is brought under the laws of this State or in the courts of this State and that alleges that the failure to implement reasonable information security controls resulted in a data breach concerning personal information or restricted information.
 
    Section 15. Reasonable conformance.
    (a) A covered entity's cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this Act if the requirements of subsection (b), (c), or (d) are satisfied.
    (b)(1) The cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this Act if the cybersecurity program reasonably conforms to the current version of any of the following or any combination of the following, subject to paragraph (2) and subsection (e):
        (A) The "framework for improving critical infrastructure cyber security" developed by the National Institute of Standards and Technology (NIST);
        (B) NIST special publication 800-171;
        (C) NIST special publications 800-53 and 800-53a;
        (D) The Federal Risk And Authorization Management Program (FedRAMP) Security Assessment Framework;
        (E) The Center for Internet Security Critical Security Controls for Effective Cyber Defense; or
        (F) The International Organization for Standardization/International Electrotechnical Commission 27000 Family - Information Security Management Systems.
    (2) When a final revision to a framework listed in paragraph (1) is published, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the revised framework not later than one year after the publication date stated in the revision.
    (c)(1) The covered entity's cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this Act if the covered entity is regulated by the State, by the federal government, or both, or is otherwise subject to the requirements of any of the laws or regulations listed below, and the cybersecurity program reasonably conforms to the entirety of the current version of any of the following, subject to paragraph (2):
        (A) The security requirements of the Health Insurance Portability and Accountability Act of 1996, as set forth in 45 CFR Part 164, Subpart C;
        (B) Title V of the Gramm-Leach-Bliley Act of 1999, Public Law 106-102, as amended;
        (C) The Federal Information Security Modernization Act of 2014, Public Law 113-283;
        (D) The Health Information Technology for Economic and Clinical Health Act, as set forth in 45 CFR Part 162.
    (2) When a framework listed in paragraph (1) is amended, a covered entity whose cybersecurity program reasonably conforms to that framework shall reasonably conform to the amended framework not later than one year after the effective date of the amended framework.
    (d)(1) The cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework for purposes of this Act if the cybersecurity program reasonably complies with both the current version of the payment card industry (PCI) data security standard and conforms to the current version of another applicable industry-recognized cybersecurity framework listed in subsection (b), subject to paragraph (2) of subsection (b) and subsection (e).
    (2) When a final revision to the PCI data security standard is published, a covered entity whose cybersecurity program reasonably complies with that standard shall reasonably comply with the revised standard not later than one year after the publication date stated in the revision.
    (e) If a covered entity's cybersecurity program reasonably conforms to a combination of industry-recognized cybersecurity frameworks, or complies with a standard, as in the case of the PCI data security standard, as described in subsection (b) or (d), and 2 or more of those frameworks are revised, the covered entity whose cybersecurity program reasonably conforms to or complies with, as applicable, those frameworks shall reasonably conform to or comply with, as applicable, all of the revised frameworks not later than one year after the latest publication date stated in the revisions.
 
    Section 20. No private right of action. This Act shall not be construed to provide a private right of action, including a class action, with respect to any act or practice regulated under it.
 
    Section 97. Severability. The provisions of this Act are severable under Section 1.31 of the Statute on Statutes.