Rep. Lamont J. Robinson, Jr.

Filed: 2/15/2022

 

 

 

10200HB5165ham001 LRB102 22762 RJF 36083 a
1		AMENDMENT TO HOUSE BILL 5165
2		AMENDMENT NO. ______. Amend House Bill 5165 by replacing
3		everything after the enacting clause with the following:
4		"Section 5. The Freedom of Information Act is amended by
5		changing Section 7 as follows:
6		(5 ILCS 140/7)  (from Ch. 116, par. 207)
7		Sec. 7. Exemptions.
8		(1) When a request is made to inspect or copy a public
9		record that contains information that is exempt from
10		disclosure under this Section, but also contains information
11		that is not exempt from disclosure, the public body may elect
12		to redact the information that is exempt. The public body
13		shall make the remaining information available for inspection
14		and copying. Subject to this requirement, the following shall
15		be exempt from inspection and copying:
16		(a) Information specifically prohibited from

10200HB5165ham001 - 2 - LRB102 22762 RJF 36083 a
1		disclosure by federal or State law or rules and
2		regulations implementing federal or State law.
3		(b) Private information, unless disclosure is required
4		by another provision of this Act, a State or federal law,
5		or a court order.
6		(b-5) Files, documents, and other data or databases
7		maintained by one or more law enforcement agencies and
8		specifically designed to provide information to one or
9		more law enforcement agencies regarding the physical or
10		mental status of one or more individual subjects.
11		(c) Personal information contained within public
12		records, the disclosure of which would constitute a
13		clearly unwarranted invasion of personal privacy, unless
14		the disclosure is consented to in writing by the
15		individual subjects of the information. "Unwarranted
16		invasion of personal privacy" means the disclosure of
17		information that is highly personal or objectionable to a
18		reasonable person and in which the subject's right to
19		privacy outweighs any legitimate public interest in
20		obtaining the information. The disclosure of information
21		that bears on the public duties of public employees and
22		officials shall not be considered an invasion of personal
23		privacy.
24		(d) Records in the possession of any public body
25		created in the course of administrative enforcement
26		proceedings, and any law enforcement or correctional

10200HB5165ham001 - 3 - LRB102 22762 RJF 36083 a
1		agency for law enforcement purposes, but only to the
2		extent that disclosure would:
3		(i) interfere with pending or actually and
4		reasonably contemplated law enforcement proceedings
5		conducted by any law enforcement or correctional
6		agency that is the recipient of the request;
7		(ii) interfere with active administrative
8		enforcement proceedings conducted by the public body
9		that is the recipient of the request;
10		(iii) create a substantial likelihood that a
11		person will be deprived of a fair trial or an impartial
12		hearing;
13		(iv) unavoidably disclose the identity of a
14		confidential source, confidential information
15		furnished only by the confidential source, or persons
16		who file complaints with or provide information to
17		administrative, investigative, law enforcement, or
18		penal agencies; except that the identities of
19		witnesses to traffic accidents, traffic accident
20		reports, and rescue reports shall be provided by
21		agencies of local government, except when disclosure
22		would interfere with an active criminal investigation
23		conducted by the agency that is the recipient of the
24		request;
25		(v) disclose unique or specialized investigative
26		techniques other than those generally used and known

10200HB5165ham001 - 4 - LRB102 22762 RJF 36083 a
1		or disclose internal documents of correctional
2		agencies related to detection, observation or
3		investigation of incidents of crime or misconduct, and
4		disclosure would result in demonstrable harm to the
5		agency or public body that is the recipient of the
6		request;
7		(vi) endanger the life or physical safety of law
8		enforcement personnel or any other person; or
9		(vii) obstruct an ongoing criminal investigation
10		by the agency that is the recipient of the request.
11		(d-5) A law enforcement record created for law
12		enforcement purposes and contained in a shared electronic
13		record management system if the law enforcement agency
14		that is the recipient of the request did not create the
15		record, did not participate in or have a role in any of the
16		events which are the subject of the record, and only has
17		access to the record through the shared electronic record
18		management system.
19		(d-6) Records contained in the Officer Professional
20		Conduct Database under Section 9.2 of the Illinois Police
21		Training Act, except to the extent authorized under that
22		Section. This includes the documents supplied to the
23		Illinois Law Enforcement Training Standards Board from the
24		Illinois State Police and Illinois State Police Merit
25		Board.
26		(e) Records that relate to or affect the security of

10200HB5165ham001 - 5 - LRB102 22762 RJF 36083 a
1		correctional institutions and detention facilities.
2		(e-5) Records requested by persons committed to the
3		Department of Corrections, Department of Human Services
4		Division of Mental Health, or a county jail if those
5		materials are available in the library of the correctional
6		institution or facility or jail where the inmate is
7		confined.
8		(e-6) Records requested by persons committed to the
9		Department of Corrections, Department of Human Services
10		Division of Mental Health, or a county jail if those
11		materials include records from staff members' personnel
12		files, staff rosters, or other staffing assignment
13		information.
14		(e-7) Records requested by persons committed to the
15		Department of Corrections or Department of Human Services
16		Division of Mental Health if those materials are available
17		through an administrative request to the Department of
18		Corrections or Department of Human Services Division of
19		Mental Health.
20		(e-8) Records requested by a person committed to the
21		Department of Corrections, Department of Human Services
22		Division of Mental Health, or a county jail, the
23		disclosure of which would result in the risk of harm to any
24		person or the risk of an escape from a jail or correctional
25		institution or facility.
26		(e-9) Records requested by a person in a county jail

10200HB5165ham001 - 6 - LRB102 22762 RJF 36083 a
1		or committed to the Department of Corrections or
2		Department of Human Services Division of Mental Health,
3		containing personal information pertaining to the person's
4		victim or the victim's family, including, but not limited
5		to, a victim's home address, home telephone number, work
6		or school address, work telephone number, social security
7		number, or any other identifying information, except as
8		may be relevant to a requester's current or potential case
9		or claim.
10		(e-10) Law enforcement records of other persons
11		requested by a person committed to the Department of
12		Corrections, Department of Human Services Division of
13		Mental Health, or a county jail, including, but not
14		limited to, arrest and booking records, mug shots, and
15		crime scene photographs, except as these records may be
16		relevant to the requester's current or potential case or
17		claim.
18		(f) Preliminary drafts, notes, recommendations,
19		memoranda, and other records in which opinions are
20		expressed, or policies or actions are formulated, except
21		that a specific record or relevant portion of a record
22		shall not be exempt when the record is publicly cited and
23		identified by the head of the public body. The exemption
24		provided in this paragraph (f) extends to all those
25		records of officers and agencies of the General Assembly
26		that pertain to the preparation of legislative documents.

10200HB5165ham001 - 7 - LRB102 22762 RJF 36083 a
1		(g) Trade secrets and commercial or financial
2		information obtained from a person or business where the
3		trade secrets or commercial or financial information are
4		furnished under a claim that they are proprietary,
5		privileged, or confidential, and that disclosure of the
6		trade secrets or commercial or financial information would
7		cause competitive harm to the person or business, and only
8		insofar as the claim directly applies to the records
9		requested.
10		The information included under this exemption includes
11		all trade secrets and commercial or financial information
12		obtained by a public body, including a public pension
13		fund, from a private equity fund or a privately held
14		company within the investment portfolio of a private
15		equity fund as a result of either investing or evaluating
16		a potential investment of public funds in a private equity
17		fund. The exemption contained in this item does not apply
18		to the aggregate financial performance information of a
19		private equity fund, nor to the identity of the fund's
20		managers or general partners. The exemption contained in
21		this item does not apply to the identity of a privately
22		held company within the investment portfolio of a private
23		equity fund, unless the disclosure of the identity of a
24		privately held company may cause competitive harm.
25		Nothing contained in this paragraph (g) shall be
26		construed to prevent a person or business from consenting

10200HB5165ham001 - 8 - LRB102 22762 RJF 36083 a
1		to disclosure.
2		(h) Proposals and bids for any contract, grant, or
3		agreement, including information which if it were
4		disclosed would frustrate procurement or give an advantage
5		to any person proposing to enter into a contractor
6		agreement with the body, until an award or final selection
7		is made. Information prepared by or for the body in
8		preparation of a bid solicitation shall be exempt until an
9		award or final selection is made.
10		(i) Valuable formulae, computer geographic systems,
11		designs, drawings and research data obtained or produced
12		by any public body when disclosure could reasonably be
13		expected to produce private gain or public loss. The
14		exemption for "computer geographic systems" provided in
15		this paragraph (i) does not extend to requests made by
16		news media as defined in Section 2 of this Act when the
17		requested information is not otherwise exempt and the only
18		purpose of the request is to access and disseminate
19		information regarding the health, safety, welfare, or
20		legal rights of the general public.
21		(j) The following information pertaining to
22		educational matters:
23		(i) test questions, scoring keys, and other
24		examination data used to administer an academic
25		examination;
26		(ii) information received by a primary or

10200HB5165ham001 - 9 - LRB102 22762 RJF 36083 a
1		secondary school, college, or university under its
2		procedures for the evaluation of faculty members by
3		their academic peers;
4		(iii) information concerning a school or
5		university's adjudication of student disciplinary
6		cases, but only to the extent that disclosure would
7		unavoidably reveal the identity of the student; and
8		(iv) course materials or research materials used
9		by faculty members.
10		(k) Architects' plans, engineers' technical
11		submissions, and other construction related technical
12		documents for projects not constructed or developed in
13		whole or in part with public funds and the same for
14		projects constructed or developed with public funds,
15		including, but not limited to, power generating and
16		distribution stations and other transmission and
17		distribution facilities, water treatment facilities,
18		airport facilities, sport stadiums, convention centers,
19		and all government owned, operated, or occupied buildings,
20		but only to the extent that disclosure would compromise
21		security.
22		(l) Minutes of meetings of public bodies closed to the
23		public as provided in the Open Meetings Act until the
24		public body makes the minutes available to the public
25		under Section 2.06 of the Open Meetings Act.
26		(m) Communications between a public body and an

10200HB5165ham001 - 10 - LRB102 22762 RJF 36083 a
1		attorney or auditor representing the public body that
2		would not be subject to discovery in litigation, and
3		materials prepared or compiled by or for a public body in
4		anticipation of a criminal, civil, or administrative
5		proceeding upon the request of an attorney advising the
6		public body, and materials prepared or compiled with
7		respect to internal audits of public bodies.
8		(n) Records relating to a public body's adjudication
9		of employee grievances or disciplinary cases; however,
10		this exemption shall not extend to the final outcome of
11		cases in which discipline is imposed.
12		(o) Administrative or technical information associated
13		with automated data processing operations, including, but
14		not limited to, software, operating protocols, computer
15		program abstracts, file layouts, source listings, object
16		modules, load modules, user guides, documentation
17		pertaining to all logical and physical design of
18		computerized systems, employee manuals, and any other
19		information that, if disclosed, would jeopardize the
20		security of the system or its data or the security of
21		materials exempt under this Section.
22		(p) Records relating to collective negotiating matters
23		between public bodies and their employees or
24		representatives, except that any final contract or
25		agreement shall be subject to inspection and copying.
26		(q) Test questions, scoring keys, and other

10200HB5165ham001 - 11 - LRB102 22762 RJF 36083 a
1		examination data used to determine the qualifications of
2		an applicant for a license or employment.
3		(r) The records, documents, and information relating
4		to real estate purchase negotiations until those
5		negotiations have been completed or otherwise terminated.
6		With regard to a parcel involved in a pending or actually
7		and reasonably contemplated eminent domain proceeding
8		under the Eminent Domain Act, records, documents, and
9		information relating to that parcel shall be exempt except
10		as may be allowed under discovery rules adopted by the
11		Illinois Supreme Court. The records, documents, and
12		information relating to a real estate sale shall be exempt
13		until a sale is consummated.
14		(s) Any and all proprietary information and records
15		related to the operation of an intergovernmental risk
16		management association or self-insurance pool or jointly
17		self-administered health and accident cooperative or pool.
18		Insurance or self insurance (including any
19		intergovernmental risk management association or self
20		insurance pool) claims, loss or risk management
21		information, records, data, advice or communications.
22		(t) Information contained in or related to
23		examination, operating, or condition reports prepared by,
24		on behalf of, or for the use of a public body responsible
25		for the regulation or supervision of financial
26		institutions, insurance companies, or pharmacy benefit

10200HB5165ham001 - 12 - LRB102 22762 RJF 36083 a
1		managers, unless disclosure is otherwise required by State
2		law.
3		(u) Information that would disclose or might lead to
4		the disclosure of secret or confidential information,
5		codes, algorithms, programs, or private keys intended to
6		be used to create electronic signatures under the Uniform
7		Electronic Transactions Act.
8		(v) Vulnerability assessments, security measures, and
9		response policies or plans that are designed to identify,
10		prevent, or respond to potential attacks upon a
11		community's population or systems, facilities, or
12		installations, the destruction or contamination of which
13		would constitute a clear and present danger to the health
14		or safety of the community, but only to the extent that
15		disclosure could reasonably be expected to expose the
16		vulnerability or jeopardize the effectiveness of the
17		measures, policies, or plans, or the safety of the
18		personnel who implement them or the public. Information
19		exempt under this item may include such things as details
20		pertaining to the mobilization or deployment of personnel
21		or equipment, to the operation of communication systems or
22		protocols, to cybersecurity vulnerabilities, or to
23		tactical operations.
24		(w) (Blank).
25		(x) Maps and other records regarding the location or
26		security of generation, transmission, distribution,

10200HB5165ham001 - 13 - LRB102 22762 RJF 36083 a
1		storage, gathering, treatment, or switching facilities
2		owned by a utility, by a power generator, or by the
3		Illinois Power Agency.
4		(y) Information contained in or related to proposals,
5		bids, or negotiations related to electric power
6		procurement under Section 1-75 of the Illinois Power
7		Agency Act and Section 16-111.5 of the Public Utilities
8		Act that is determined to be confidential and proprietary
9		by the Illinois Power Agency or by the Illinois Commerce
10		Commission.
11		(z) Information about students exempted from
12		disclosure under Sections 10-20.38 or 34-18.29 of the
13		School Code, and information about undergraduate students
14		enrolled at an institution of higher education exempted
15		from disclosure under Section 25 of the Illinois Credit
16		Card Marketing Act of 2009.
17		(aa) Information the disclosure of which is exempted
18		under the Viatical Settlements Act of 2009.
19		(bb) Records and information provided to a mortality
20		review team and records maintained by a mortality review
21		team appointed under the Department of Juvenile Justice
22		Mortality Review Team Act.
23		(cc) Information regarding interments, entombments, or
24		inurnments of human remains that are submitted to the
25		Cemetery Oversight Database under the Cemetery Care Act or
26		the Cemetery Oversight Act, whichever is applicable.

10200HB5165ham001 - 14 - LRB102 22762 RJF 36083 a
1		(dd) Correspondence and records (i) that may not be
2		disclosed under Section 11-9 of the Illinois Public Aid
3		Code or (ii) that pertain to appeals under Section 11-8 of
4		the Illinois Public Aid Code.
5		(ee) The names, addresses, or other personal
6		information of persons who are minors and are also
7		participants and registrants in programs of park
8		districts, forest preserve districts, conservation
9		districts, recreation agencies, and special recreation
10		associations.
11		(ff) The names, addresses, or other personal
12		information of participants and registrants in programs of
13		park districts, forest preserve districts, conservation
14		districts, recreation agencies, and special recreation
15		associations where such programs are targeted primarily to
16		minors.
17		(gg) Confidential information described in Section
18		1-100 of the Illinois Independent Tax Tribunal Act of
19		2012.
20		(hh) The report submitted to the State Board of
21		Education by the School Security and Standards Task Force
22		under item (8) of subsection (d) of Section 2-3.160 of the
23		School Code and any information contained in that report.
24		(ii) Records requested by persons committed to or
25		detained by the Department of Human Services under the
26		Sexually Violent Persons Commitment Act or committed to

10200HB5165ham001 - 15 - LRB102 22762 RJF 36083 a
1		the Department of Corrections under the Sexually Dangerous
2		Persons Act if those materials: (i) are available in the
3		library of the facility where the individual is confined;
4		(ii) include records from staff members' personnel files,
5		staff rosters, or other staffing assignment information;
6		or (iii) are available through an administrative request
7		to the Department of Human Services or the Department of
8		Corrections.
9		(jj) Confidential information described in Section
10		5-535 of the Civil Administrative Code of Illinois.
11		(kk) The public body's credit card numbers, debit card
12		numbers, bank account numbers, Federal Employer
13		Identification Number, security code numbers, passwords,
14		and similar account information, the disclosure of which
15		could result in identity theft or impression or defrauding
16		of a governmental entity or a person.
17		(ll) Records concerning the work of the threat
18		assessment team of a school district.
19		(1.5) Any information exempt from disclosure under the
20		Judicial Privacy Act shall be redacted from public records
21		prior to disclosure under this Act.
22		(2) A public record that is not in the possession of a
23		public body but is in the possession of a party with whom the
24		agency has contracted to perform a governmental function on
25		behalf of the public body, and that directly relates to the
26		governmental function and is not otherwise exempt under this

10200HB5165ham001 - 16 - LRB102 22762 RJF 36083 a
1		Act, shall be considered a public record of the public body,
2		for purposes of this Act.
3		(3) This Section does not authorize withholding of
4		information or limit the availability of records to the
5		public, except as stated in this Section or otherwise provided
6		in this Act.
7		(Source: P.A. 101-434, eff. 1-1-20; 101-452, eff. 1-1-20;
8		101-455, eff. 8-23-19; 101-652, eff. 1-1-22; 102-38, eff.
9		6-25-21; 102-558, eff. 8-20-21; 102-694, eff. 1-7-22; revised
10		2-3-22.)
11		Section 10. The Department of Innovation and Technology
12		Act is amended by adding Section 1-75 as follows:
13		(20 ILCS 1370/1-75 new)
14		Sec. 1-75. Local government cybersecurity designee. The
15		principal executive officer, or his or her designee, of each
16		municipality with a population of 35,000 or greater and of
17		each county shall designate a local official or employee as
18		the primary point of contact for local cybersecurity issues.
19		Each jurisdiction must provide the name and contact
20		information of the cybersecurity designee to the Department
21		and update the information as necessary.
22		Section 15. The Illinois Information Security Improvement
23		Act is amended by changing Section 5-25 and by adding Section

10200HB5165ham001 - 17 - LRB102 22762 RJF 36083 a
1		5-30 as follows:
2		(20 ILCS 1375/5-25)
3		Sec. 5-25. Responsibilities.
4		(a) The Secretary shall:
5		(1) appoint a Statewide Chief Information Security
6		Officer pursuant to Section 5-20;
7		(2) provide the Office with the staffing and resources
8		deemed necessary by the Secretary to fulfill the
9		responsibilities of the Office;
10		(3) oversee statewide information security policies
11		and practices, including:
12		(A) directing and overseeing the development,
13		implementation, and communication of statewide
14		information security policies, standards, and
15		guidelines;
16		(B) overseeing the education of State agency
17		personnel regarding the requirement to identify and
18		provide information security protections commensurate
19		with the risk and magnitude of the harm resulting from
20		the unauthorized access, use, disclosure, disruption,
21		modification, or destruction of information in a
22		critical information system;
23		(C) overseeing the development and implementation
24		of a statewide information security risk management
25		program;

10200HB5165ham001 - 18 - LRB102 22762 RJF 36083 a
1		(D) overseeing State agency compliance with the
2		requirements of this Section;
3		(E) coordinating Information Security policies and
4		practices with related information and personnel
5		resources management policies and procedures; and
6		(F) providing an effective and efficient process
7		to assist State agencies with complying with the
8		requirements of this Act; and .
9		(4) subject to appropriation, establish a
10		cybersecurity liaison program to advise and assist units
11		of local government in identifying cyber threats,
12		performing risk assessments, sharing best practices, and
13		responding to cyber incidents.
14		(b) The Statewide Chief Information Security Officer
15		shall:
16		(1) serve as the head of the Office and ensure the
17		execution of the responsibilities of the Office as set
18		forth in subsection (c) of Section 5-15, the Statewide
19		Chief Information Security Officer shall also oversee
20		State agency personnel with significant responsibilities
21		for information security and ensure a competent workforce
22		that keeps pace with the changing information security
23		environment;
24		(2) develop and recommend information security
25		policies, standards, procedures, and guidelines to the
26		Secretary for statewide adoption and monitor compliance

10200HB5165ham001 - 19 - LRB102 22762 RJF 36083 a
1		with these policies, standards, guidelines, and procedures
2		through periodic testing;
3		(3) develop and maintain risk-based, cost-effective
4		information security programs and control techniques to
5		address all applicable security and compliance
6		requirements throughout the life cycle of State agency
7		information systems;
8		(4) establish the procedures, processes, and
9		technologies to rapidly and effectively identify threats,
10		risks, and vulnerabilities to State information systems,
11		and ensure the prioritization of the remediation of
12		vulnerabilities that pose risk to the State;
13		(5) develop and implement capabilities and procedures
14		for detecting, reporting, and responding to information
15		security incidents;
16		(6) establish and direct a statewide information
17		security risk management program to identify information
18		security risks in State agencies and deploy risk
19		mitigation strategies, processes, and procedures;
20		(7) establish the State's capability to sufficiently
21		protect the security of data through effective information
22		system security planning, secure system development,
23		acquisition, and deployment, the application of protective
24		technologies and information system certification,
25		accreditation, and assessments;
26		(8) ensure that State agency personnel, including

10200HB5165ham001 - 20 - LRB102 22762 RJF 36083 a
1		contractors, are appropriately screened and receive
2		information security awareness training;
3		(9) convene meetings with agency heads and other State
4		officials to help ensure:
5		(A) the ongoing communication of risk and risk
6		reduction strategies,
7		(B) effective implementation of information
8		security policies and practices, and
9		(C) the incorporation of and compliance with
10		information security policies, standards, and
11		guidelines into the policies and procedures of the
12		agencies;
13		(10) provide operational and technical assistance to
14		State agencies in implementing policies, principles,
15		standards, and guidelines on information security,
16		including implementation of standards promulgated under
17		subparagraph (A) of paragraph (3) of subsection (a) of
18		this Section, and provide assistance and effective and
19		efficient means for State agencies to comply with the
20		State agency requirements under this Act;
21		(11) in coordination and consultation with the
22		Secretary and the Governor's Office of Management and
23		Budget, review State agency budget requests related to
24		Information Security systems and provide recommendations
25		to the Governor's Office of Management and Budget;
26		(12) ensure the preparation and maintenance of plans

10200HB5165ham001 - 21 - LRB102 22762 RJF 36083 a
1		and procedures to provide cyber resilience and continuity
2		of operations for critical information systems that
3		support the operations of the State; and
4		(13) take such other actions as the Secretary may
5		direct.
6		(Source: P.A. 100-611, eff. 7-20-18; 101-81, eff. 7-12-19.)
7		(20 ILCS 1375/5-30 new)
8		Sec. 5-30. Local government employee cybersecurity
9		training. Every employee of a county or municipality shall
10		annually complete a cybersecurity training program. The
11		training shall include, but need not be limited to, detecting
12		phishing scams, preventing spyware infections and identity
13		theft, and preventing and responding to data breaches. The
14		Department shall make available to each county and
15		municipality a training program for employees that complies
16		with the content requirements of this Section. A county or
17		municipality may create its own cybersecurity training
18		program.
19		Section 20. The Illinois Procurement Code is amended by
20		adding Section 25-90 as follows:
21		(30 ILCS 500/25-90 new)
22		Sec. 25-90. Cybersecurity prohibited products. State
23		agencies are prohibited from purchasing any products that, due

10200HB5165ham001 - 22 - LRB102 22762 RJF 36083 a
1		to cybersecurity risks, are prohibited for purchase by federal
2		agencies pursuant to a United States Department of Homeland
3		Security Binding Operational Directive.".