Full Text of HB5165 102nd General Assembly
HB5165eng 102ND GENERAL ASSEMBLY
HB5165 Engrossed, LRB102 22762 RJF 31908 b
AN ACT concerning cybersecurity.
Be it enacted by the People of the State of Illinois, represented in the General Assembly:
Section 5. The Freedom of Information Act is amended by changing Section 7 as follows:
(5 ILCS 140/7) (from Ch. 116, par. 207)
Sec. 7. Exemptions.
(1) When a request is made to inspect or copy a public record that contains information that is exempt from disclosure under this Section, but also contains information that is not exempt from disclosure, the public body may elect to redact the information that is exempt. The public body shall make the remaining information available for inspection and copying. Subject to this requirement, the following shall be exempt from inspection and copying:
(a) Information specifically prohibited from disclosure by federal or State law or rules and regulations implementing federal or State law.
(b) Private information, unless disclosure is required by another provision of this Act, a State or federal law, or a court order.
(b-5) Files, documents, and other data or databases maintained by one or more law enforcement agencies and specifically designed to provide information to one or more law enforcement agencies regarding the physical or mental status of one or more individual subjects.
(c) Personal information contained within public records, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy, unless the disclosure is consented to in writing by the individual subjects of the information. "Unwarranted invasion of personal privacy" means the disclosure of information that is highly personal or objectionable to a reasonable person and in which the subject's right to privacy outweighs any legitimate public interest in obtaining the information. The disclosure of information that bears on the public duties of public employees and officials shall not be considered an invasion of personal privacy.
(d) Records in the possession of any public body created in the course of administrative enforcement proceedings, and any law enforcement or correctional agency for law enforcement purposes, but only to the extent that disclosure would:
(i) interfere with pending or actually and reasonably contemplated law enforcement proceedings conducted by any law enforcement or correctional agency that is the recipient of the request;
(ii) interfere with active administrative enforcement proceedings conducted by the public body that is the recipient of the request;
(iii) create a substantial likelihood that a person will be deprived of a fair trial or an impartial hearing;
(iv) unavoidably disclose the identity of a confidential source, confidential information furnished only by the confidential source, or persons who file complaints with or provide information to administrative, investigative, law enforcement, or penal agencies; except that the identities of witnesses to traffic accidents, traffic accident reports, and rescue reports shall be provided by agencies of local government, except when disclosure would interfere with an active criminal investigation conducted by the agency that is the recipient of the request;
(v) disclose unique or specialized investigative techniques other than those generally used and known or disclose internal documents of correctional agencies related to detection, observation or investigation of incidents of crime or misconduct, and disclosure would result in demonstrable harm to the agency or public body that is the recipient of the request;
(vi) endanger the life or physical safety of law enforcement personnel or any other person; or
(vii) obstruct an ongoing criminal investigation by the agency that is the recipient of the request.
(d-5) A law enforcement record created for law enforcement purposes and contained in a shared electronic record management system if the law enforcement agency that is the recipient of the request did not create the record, did not participate in or have a role in any of the events which are the subject of the record, and only has access to the record through the shared electronic record management system.
(d-6) Records contained in the Officer Professional Conduct Database under Section 9.2 of the Illinois Police Training Act, except to the extent authorized under that Section. This includes the documents supplied to the Illinois Law Enforcement Training Standards Board from the Illinois State Police and Illinois State Police Merit Board.
(e) Records that relate to or affect the security of correctional institutions and detention facilities.
(e-5) Records requested by persons committed to the Department of Corrections, Department of Human Services Division of Mental Health, or a county jail if those materials are available in the library of the correctional institution or facility or jail where the inmate is confined.
(e-6) Records requested by persons committed to the Department of Corrections, Department of Human Services Division of Mental Health, or a county jail if those materials include records from staff members' personnel files, staff rosters, or other staffing assignment information.
(e-7) Records requested by persons committed to the Department of Corrections or Department of Human Services Division of Mental Health if those materials are available through an administrative request to the Department of Corrections or Department of Human Services Division of Mental Health.
(e-8) Records requested by a person committed to the Department of Corrections, Department of Human Services Division of Mental Health, or a county jail, the disclosure of which would result in the risk of harm to any person or the risk of an escape from a jail or correctional institution or facility.
(e-9) Records requested by a person in a county jail or committed to the Department of Corrections or Department of Human Services Division of Mental Health, containing personal information pertaining to the person's victim or the victim's family, including, but not limited to, a victim's home address, home telephone number, work or school address, work telephone number, social security number, or any other identifying information, except as may be relevant to a requester's current or potential case or claim.
(e-10) Law enforcement records of other persons requested by a person committed to the Department of Corrections, Department of Human Services Division of Mental Health, or a county jail, including, but not limited to, arrest and booking records, mug shots, and crime scene photographs, except as these records may be relevant to the requester's current or potential case or claim.
(f) Preliminary drafts, notes, recommendations, memoranda, and other records in which opinions are expressed, or policies or actions are formulated, except that a specific record or relevant portion of a record shall not be exempt when the record is publicly cited and identified by the head of the public body. The exemption provided in this paragraph (f) extends to all those records of officers and agencies of the General Assembly that pertain to the preparation of legislative documents.
(g) Trade secrets and commercial or financial information obtained from a person or business where the trade secrets or commercial or financial information are furnished under a claim that they are proprietary, privileged, or confidential, and that disclosure of the trade secrets or commercial or financial information would cause competitive harm to the person or business, and only insofar as the claim directly applies to the records requested.
The information included under this exemption includes all trade secrets and commercial or financial information obtained by a public body, including a public pension fund, from a private equity fund or a privately held company within the investment portfolio of a private equity fund as a result of either investing or evaluating a potential investment of public funds in a private equity fund. The exemption contained in this item does not apply to the aggregate financial performance information of a private equity fund, nor to the identity of the fund's managers or general partners. The exemption contained in this item does not apply to the identity of a privately held company within the investment portfolio of a private equity fund, unless the disclosure of the identity of a privately held company may cause competitive harm.
Nothing contained in this paragraph (g) shall be construed to prevent a person or business from consenting to disclosure.
(h) Proposals and bids for any contract, grant, or agreement, including information which if it were disclosed would frustrate procurement or give an advantage to any person proposing to enter into a contractor agreement with the body, until an award or final selection is made. Information prepared by or for the body in preparation of a bid solicitation shall be exempt until an award or final selection is made.
(i) Valuable formulae, computer geographic systems, designs, drawings and research data obtained or produced by any public body when disclosure could reasonably be expected to produce private gain or public loss. The exemption for "computer geographic systems" provided in this paragraph (i) does not extend to requests made by news media as defined in Section 2 of this Act when the requested information is not otherwise exempt and the only purpose of the request is to access and disseminate information regarding the health, safety, welfare, or legal rights of the general public.
(j) The following information pertaining to educational matters:
(i) test questions, scoring keys, and other examination data used to administer an academic examination;
(ii) information received by a primary or secondary school, college, or university under its procedures for the evaluation of faculty members by their academic peers;
(iii) information concerning a school or university's adjudication of student disciplinary cases, but only to the extent that disclosure would unavoidably reveal the identity of the student; and
(iv) course materials or research materials used by faculty members.
(k) Architects' plans, engineers' technical submissions, and other construction related technical documents for projects not constructed or developed in whole or in part with public funds and the same for projects constructed or developed with public funds, including, but not limited to, power generating and distribution stations and other transmission and distribution facilities, water treatment facilities, airport facilities, sport stadiums, convention centers, and all government owned, operated, or occupied buildings, but only to the extent that disclosure would compromise security.
(l) Minutes of meetings of public bodies closed to the public as provided in the Open Meetings Act until the public body makes the minutes available to the public under Section 2.06 of the Open Meetings Act.
(m) Communications between a public body and an attorney or auditor representing the public body that would not be subject to discovery in litigation, and materials prepared or compiled by or for a public body in anticipation of a criminal, civil, or administrative proceeding upon the request of an attorney advising the public body, and materials prepared or compiled with respect to internal audits of public bodies.
(n) Records relating to a public body's adjudication of employee grievances or disciplinary cases; however, this exemption shall not extend to the final outcome of cases in which discipline is imposed.
(o) Administrative or technical information associated with automated data processing operations, including, but not limited to, software, operating protocols, computer program abstracts, file layouts, source listings, object modules, load modules, user guides, documentation pertaining to all logical and physical design of computerized systems, employee manuals, and any other information that, if disclosed, would jeopardize the security of the system or its data or the security of materials exempt under this Section.
(p) Records relating to collective negotiating matters between public bodies and their employees or representatives, except that any final contract or agreement shall be subject to inspection and copying.
(q) Test questions, scoring keys, and other examination data used to determine the qualifications of an applicant for a license or employment.
(r) The records, documents, and information relating to real estate purchase negotiations until those negotiations have been completed or otherwise terminated. With regard to a parcel involved in a pending or actually and reasonably contemplated eminent domain proceeding under the Eminent Domain Act, records, documents, and information relating to that parcel shall be exempt except as may be allowed under discovery rules adopted by the Illinois Supreme Court. The records, documents, and information relating to a real estate sale shall be exempt until a sale is consummated.
(s) Any and all proprietary information and records related to the operation of an intergovernmental risk management association or self-insurance pool or jointly self-administered health and accident cooperative or pool. Insurance or self insurance (including any intergovernmental risk management association or self insurance pool) claims, loss or risk management information, records, data, advice or communications.
(t) Information contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of a public body responsible for the regulation or supervision of financial institutions, insurance companies, or pharmacy benefit managers, unless disclosure is otherwise required by State law.
(u) Information that would disclose or might lead to the disclosure of secret or confidential information, codes, algorithms, programs, or private keys intended to be used to create electronic signatures under the Uniform Electronic Transactions Act.
(v) Vulnerability assessments, security measures, and response policies or plans that are designed to identify, prevent, or respond to potential attacks upon a community's population or systems, facilities, or installations, the destruction or contamination of which would constitute a clear and present danger to the health or safety of the community, but only to the extent that disclosure could reasonably be expected to expose the vulnerability or jeopardize the effectiveness of the measures, policies, or plans, or the safety of the personnel who implement them or the public. Information exempt under this item may include such things as details pertaining to the mobilization or deployment of personnel or equipment, to the operation of communication systems or protocols, to cybersecurity vulnerabilities, or to tactical operations.
(w) (Blank).
(x) Maps and other records regarding the location or security of generation, transmission, distribution, storage, gathering, treatment, or switching facilities owned by a utility, by a power generator, or by the Illinois Power Agency.
(y) Information contained in or related to proposals, bids, or negotiations related to electric power procurement under Section 1-75 of the Illinois Power Agency Act and Section 16-111.5 of the Public Utilities Act that is determined to be confidential and proprietary by the Illinois Power Agency or by the Illinois Commerce Commission.
(z) Information about students exempted from disclosure under Sections 10-20.38 or 34-18.29 of the School Code, and information about undergraduate students enrolled at an institution of higher education exempted from disclosure under Section 25 of the Illinois Credit Card Marketing Act of 2009.
(aa) Information the disclosure of which is exempted under the Viatical Settlements Act of 2009.
(bb) Records and information provided to a mortality review team and records maintained by a mortality review team appointed under the Department of Juvenile Justice Mortality Review Team Act.
(cc) Information regarding interments, entombments, or inurnments of human remains that are submitted to the Cemetery Oversight Database under the Cemetery Care Act or the Cemetery Oversight Act, whichever is applicable.
(dd) Correspondence and records (i) that may not be disclosed under Section 11-9 of the Illinois Public Aid Code or (ii) that pertain to appeals under Section 11-8 of the Illinois Public Aid Code.
(ee) The names, addresses, or other personal information of persons who are minors and are also participants and registrants in programs of park districts, forest preserve districts, conservation districts, recreation agencies, and special recreation associations.
(ff) The names, addresses, or other personal information of participants and registrants in programs of park districts, forest preserve districts, conservation districts, recreation agencies, and special recreation associations where such programs are targeted primarily to minors.
(gg) Confidential information described in Section 1-100 of the Illinois Independent Tax Tribunal Act of 2012.
(hh) The report submitted to the State Board of Education by the School Security and Standards Task Force under item (8) of subsection (d) of Section 2-3.160 of the School Code and any information contained in that report.
(ii) Records requested by persons committed to or detained by the Department of Human Services under the Sexually Violent Persons Commitment Act or committed to the Department of Corrections under the Sexually Dangerous Persons Act if those materials: (i) are available in the library of the facility where the individual is confined; (ii) include records from staff members' personnel files, staff rosters, or other staffing assignment information; or (iii) are available through an administrative request to the Department of Human Services or the Department of Corrections.
(jj) Confidential information described in Section 5-535 of the Civil Administrative Code of Illinois.
(kk) The public body's credit card numbers, debit card numbers, bank account numbers, Federal Employer Identification Number, security code numbers, passwords, and similar account information, the disclosure of which could result in identity theft or impression or defrauding of a governmental entity or a person.
(ll) Records concerning the work of the threat assessment team of a school district.
(1.5) Any information exempt from disclosure under the Judicial Privacy Act shall be redacted from public records prior to disclosure under this Act.
(2) A public record that is not in the possession of a public body but is in the possession of a party with whom the agency has contracted to perform a governmental function on behalf of the public body, and that directly relates to the governmental function and is not otherwise exempt under this Act, shall be considered a public record of the public body, for purposes of this Act.
(3) This Section does not authorize withholding of information or limit the availability of records to the public, except as stated in this Section or otherwise provided in this Act.
(Source: P.A. 101-434, eff. 1-1-20; 101-452, eff. 1-1-20; 101-455, eff. 8-23-19; 101-652, eff. 1-1-22; 102-38, eff. 6-25-21; 102-558, eff. 8-20-21; 102-694, eff. 1-7-22; revised 2-3-22.)
Section 10. The Department of Innovation and Technology Act is amended by adding Section 1-75 as follows:
(20 ILCS 1370/1-75 new)
Sec. 1-75. Local government cybersecurity designee. The principal executive officer, or his or her designee, of each municipality with a population of 35,000 or greater and of each county shall designate a local official or employee as the primary point of contact for local cybersecurity issues. Each jurisdiction must provide the name and contact information of the cybersecurity designee to the Department and update the information as necessary.
Section 15. The Illinois Information Security Improvement Act is amended by changing Section 5-25 and by adding Section 5-30 as follows:
(20 ILCS 1375/5-25)
Sec. 5-25. Responsibilities.
(a) The Secretary shall:
(1) appoint a Statewide Chief Information Security Officer pursuant to Section 5-20;
(2) provide the Office with the staffing and resources deemed necessary by the Secretary to fulfill the responsibilities of the Office;
(3) oversee statewide information security policies and practices, including:
(A) directing and overseeing the development, implementation, and communication of statewide information security policies, standards, and guidelines;
(B) overseeing the education of State agency personnel regarding the requirement to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information in a critical information system;
(C) overseeing the development and implementation of a statewide information security risk management program;
(D) overseeing State agency compliance with the requirements of this Section;
(E) coordinating Information Security policies and practices with related information and personnel resources management policies and procedures; and
(F) providing an effective and efficient process to assist State agencies with complying with the requirements of this Act; and
(4) subject to appropriation, establish a cybersecurity liaison program to advise and assist units of local government in identifying cyber threats, performing risk assessments, sharing best practices, and responding to cyber incidents.
(b) The Statewide Chief Information Security Officer shall:
(1) serve as the head of the Office and ensure the execution of the responsibilities of the Office as set forth in subsection (c) of Section 5-15, the Statewide Chief Information Security Officer shall also oversee State agency personnel with significant responsibilities for information security and ensure a competent workforce that keeps pace with the changing information security environment;
(2) develop and recommend information security policies, standards, procedures, and guidelines to the Secretary for statewide adoption and monitor compliance with these policies, standards, guidelines, and procedures through periodic testing;
(3) develop and maintain risk-based, cost-effective information security programs and control techniques to address all applicable security and compliance requirements throughout the life cycle of State agency information systems;
(4) establish the procedures, processes, and technologies to rapidly and effectively identify threats, risks, and vulnerabilities to State information systems, and ensure the prioritization of the remediation of vulnerabilities that pose risk to the State;
(5) develop and implement capabilities and procedures for detecting, reporting, and responding to information security incidents;
(6) establish and direct a statewide information security risk management program to identify information security risks in State agencies and deploy risk mitigation strategies, processes, and procedures;
(7) establish the State's capability to sufficiently protect the security of data through effective information system security planning, secure system development, acquisition, and deployment, the application of protective technologies and information system certification, accreditation, and assessments;
(8) ensure that State agency personnel, including contractors, are appropriately screened and receive information security awareness training;
(9) convene meetings with agency heads and other State officials to help ensure:
(A) the ongoing communication of risk and risk reduction strategies,
(B) effective implementation of information security policies and practices, and
(C) the incorporation of and compliance with information security policies, standards, and guidelines into the policies and procedures of the agencies;
(10) provide operational and technical assistance to State agencies in implementing policies, principles, standards, and guidelines on information security, including implementation of standards promulgated under subparagraph (A) of paragraph (3) of subsection (a) of this Section, and provide assistance and effective and efficient means for State agencies to comply with the State agency requirements under this Act;
(11) in coordination and consultation with the Secretary and the Governor's Office of Management and Budget, review State agency budget requests related to Information Security systems and provide recommendations to the Governor's Office of Management and Budget;
(12) ensure the preparation and maintenance of plans and procedures to provide cyber resilience and continuity of operations for critical information systems that support the operations of the State; and
(13) take such other actions as the Secretary may direct.
(Source: P.A. 100-611, eff. 7-20-18; 101-81, eff. 7-12-19.)
(20 ILCS 1375/5-30 new)
Sec. 5-30. Local government employee cybersecurity training. Every employee of a county or municipality shall annually complete a cybersecurity training program. The training shall include, but need not be limited to, detecting phishing scams, preventing spyware infections and identity theft, and preventing and responding to data breaches. The Department shall make available to each county and municipality a training program for employees that complies with the content requirements of this Section. A county or municipality may create its own cybersecurity training program.
Section 20. The Illinois Procurement Code is amended by adding Section 25-90 as follows:
(30 ILCS 500/25-90 new)
Sec. 25-90. Cybersecurity prohibited products. State agencies are prohibited from purchasing any products that, due to cybersecurity risks, are prohibited for purchase by federal agencies pursuant to a United States Department of Homeland Security Binding Operational Directive.