103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
SB1740

 

Introduced 2/9/2023, by Sen. Steve Stadelman

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Ransomware Attack Act. Provides that a governmental unit (the State, a unit of local government, or any other subdivision of the State) may not use any public funds to pay any person or entity to recover its computer system after a ransomware attack unless the Governor first makes a proclamation that the ransomware attack against the governmental unit is a disaster under the Illinois Emergency Management Agency Act and, in the proclamation, authorizes the governmental unit to make a payment to recover its computer system following the ransomware attack. Requires a governmental unit to report a ransomware attack to the Department of Innovation and Technology no later than 24 hours after discovering the attack, and requires the Department of Innovation and Technology to adopt rules to implement reporting requirements. Limits the current exercise of home rule powers. Effective immediately.


LRB103 28322 AWJ 54701 b

 

 

A BILL FOR

 

SB1740LRB103 28322 AWJ 54701 b

1    AN ACT concerning government.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 1. Short title. This Act may be cited as the
5Ransomware Attack Act.
 
6    Section 5. Definitions. As used in this Act:
7    "Governmental unit" means an agency of the State, a unit
8of local government, or any other subdivision of the State.
9    "Ransomware" means malware that prevents or limits a user
10from accessing the user's computer system by locking the
11user's files until a ransom is paid.
 
12    Section 10. Payments due to ransomware prohibited;
13Governor-approved payments.
14    (a) Except as provided in subsection (b), a governmental
15unit may not use any public funds to pay any person or entity
16to recover its computer system after a ransomware attack.
17    (b) If the governor makes a proclamation that a ransomware
18attack against a governmental unit is a disaster under the
19Illinois Emergency Management Agency Act and, in the
20proclamation, authorizes the governmental unit to make a
21payment to recover its computer system following the
22ransomware attack, then the governmental unit may make any

 

 

SB1740- 2 -LRB103 28322 AWJ 54701 b

1payment needed using public funds to end the ransomware
2attack.
 
3    Section 15. Reports of ransomware attacks; rules. A
4governmental unit must report a ransomware attack to the
5Department of Innovation and Technology no later than 24 hours
6after discovering the attack. The Department of Innovation and
7Technology shall adopt rules to implement reporting
8requirements under this Section.
 
9    Section 90. Home rule. A home rule unit may not authorize
10payment for ransomware in a manner inconsistent with this Act.
11This Act is a limitation under subsection (i) of Section 6 of
12Article VII of the Illinois Constitution on the concurrent
13exercise by home rule units of powers and functions exercised
14by the State.
 
15    Section 99. Effective date. This Act takes effect upon
16becoming law.