Full Text of HB3536 102nd General Assembly
102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022
HB3536
Introduced 2/22/2021, by Rep. Lamont J. Robinson, Jr.

SYNOPSIS AS INTRODUCED:
Creates the Security of Connected Devices Act. Requires manufacturers of connected devices to equip the device with security features that are designed to protect the device and any information the device contains from unauthorized access, destruction, use, modification, or disclosure.

A BILL FOR

HB3536 LRB102 12759 JLS 18098 b

AN ACT concerning regulation.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 1. Short title. This Act may be cited as the Security of Connected Devices Act.

Section 5. Definitions. As used in this Act:
"Authentication" means a method of verifying the authority of a user, process, or device to access resources in an information system.
"Connected device" means any device, or other physical object that is capable of connecting to the Internet and that is assigned an Internet Protocol address or Bluetooth address.
"Manufacturer" means the person who manufactures, or contracts with another person to manufacture on that person's behalf, connected devices that are sold or offered for sale in Illinois. A contract with another person to manufacture on the person's behalf does not, however, include a contract only to purchase a connected device, or only to purchase and brand a connected device.
"Security feature" means a feature of a device designed to provide security for that device.
"Unauthorized access, destruction, use, modification, or disclosure" means access, destruction, use, modification, or disclosure that is not authorized by the consumer.

Section 10. Device requirements.
(a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:
(1) Appropriate to the nature and function of the device.
(2) Appropriate to the information it may collect, contain, or transmit.
(3) Designed to protect the device and any information contained in the device from unauthorized access, destruction, use, modification, or disclosure.
(b) Subject to all of the requirements of subsection (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subsection (a) if either of the following requirements are met:
(1) The preprogrammed password is unique to each device manufactured.
(2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

Section 15. Exceptions.
(a) This Act shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.
(b) This Act shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.
(c) This Act shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user's discretion.
(d) This Act does not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.
(e) This Act shall not be construed to provide a basis for a private right of action. The Attorney General shall have the exclusive authority to enforce this Act as an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.
(f) The duties and obligations imposed by this Act are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.
(g) This Act shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court.
(h) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) is not subject to this Act with respect to any activity regulated by that Act.