State of Illinois
90th General Assembly
Legislation


90_HB3180

      New Act
      5 ILCS 70/1.15            from Ch. 1, par. 1016
      5 ILCS 140/7              from Ch. 116, par. 207
      15 ILCS 405/14.01 rep.
      720 ILCS 5/17-3           from Ch. 38, par. 17-3
          Creates the Electronic Commerce Security Act.  Authorizes
      the use of digital signatures and other forms  of  electronic
      signatures  in  a  manner designed to provide legal certainty
      necessary  to  effect  transactions  over  public  electronic
      networks.   Provides that electronic records can satisfy  the
      legal requirement that information must be in writing.   Sets
      forth  requirements for use of electronic signatures by State
      agencies.  Grants rule-making authority to the  Secretary  of
      State  regarding use by State agencies.  Establishes criminal
      penalties and civil remedies for violations.  Amends  certain
      Acts  to make changes accommodating the Act.   Effective July
      1, 1999.
                                                     LRB9009236JSmg
 1        AN ACT relating to electronic commerce security, amending
 2    named Acts.
 3        Be it enacted by the People of  the  State  of  Illinois,
 4    represented in the General Assembly:
 5                  ARTICLE 1.  SHORT TITLE; PURPOSE
 6        Section 1-101. Short title.  This Act may be cited as the
 7    Electronic Commerce Security Act.
 8        Section 1-105. Purposes and construction.  This Act shall
 9    be   construed   consistently   with   what  is  commercially
10    reasonable under the  circumstances  and  to  effectuate  the
11    following purposes:
12        (1)  To  facilitate electronic communications by means of
13    reliable electronic records.
14        (2)  To facilitate and promote  electronic  commerce,  by
15    eliminating   barriers   resulting  from  uncertainties  over
16    writing  and  signature  requirements,  and   promoting   the
17    development   of   the   legal  and  business  infrastructure
18    necessary to implement secure electronic commerce.
19        (3)  To facilitate electronic filing  of  documents  with
20    State  and  local  government agencies, and promote efficient
21    delivery  of  government  services  by  means   of   reliable
22    electronic records.
23        (4)  To  minimize  the  incidence  of  forged  electronic
24    records, intentional and unintentional alteration of records,
25    and fraud in electronic commerce.
26        (5)  To   help  to  establish  uniformity  of  rules  and
27    standards  regarding  the  authentication  and  integrity  of
28    electronic records.
29        (6)  To promote public confidence in  the  integrity  and
30    reliability of electronic records and electronic commerce.
                            -2-                LRB9009236JSmg
 1        Section 1-110. Variation by agreement. As between parties
 2    involved  in  generating,  sending,  receiving,  storing,  or
 3    otherwise processing electronic records, the applicability of
 4    provisions  of  this  Act  may  be waived by agreement of the
 5    parties,  except  for  the  provisions  of  Sections  10-140,
 6    15-210, 15-215, 15-220, and subsection (b) of Section  10-130
 7    of this Act.
 8       ARTICLE 5.  ELECTRONIC RECORDS AND SIGNATURES GENERALLY
 9        Section 5-105. Definitions.
10        "Asymmetric  cryptosystem"  means a computer-based system
11    capable of generating and using a key pair  consisting  of  a
12    private key for creating a digital signature and a public key
13    to verify the digital signature.
14        "Certificate"  means  a  record  that  at  a minimum: (a)
15    identifies the certification authority issuing it; (b)  names
16    or  otherwise  identifies  its  subscriber  or  a  device  or
17    electronic  agent  under  the  control of the subscriber; (c)
18    contains a public key that corresponds to a private key under
19    the control of the subscriber;  (d) specifies its operational
20    period; and (e) is  digitally  signed  by  the  certification
21    authority issuing it.
22        "Certification  authority"  means a person who authorizes
23    and causes the issuance of a certificate.
24        "Certification  practice  statement"   is   a   statement
25    published  by  a  certification  authority that specifies the
26    policies  or  practices  that  the  certification   authority
27    employs   in  issuing,  managing,  suspending,  and  revoking
28    certificates and providing access to them.
29        "Correspond", with reference to keys, means to belong  to
30    the same key pair.
31        "Digital  signature" means a type of electronic signature
32    created by transforming an electronic record using a  message
                            -3-                LRB9009236JSmg
 1    digest  function  and encrypting the resulting transformation
 2    with an asymmetric cryptosystem using  the  signer's  private
 3    key  such  that  any  person having the initial untransformed
 4    electronic record,  the  encrypted  transformation,  and  the
 5    signer's  corresponding  public  key can accurately determine
 6    whether the transformation was created using the private  key
 7    that  corresponds  to the signer's public key and whether the
 8    initial  electronic  record  has  been  altered   since   the
 9    transformation  was  made.  A digital signature is a security
10    procedure.
11        "Electronic"  includes  electrical,  digital,   magnetic,
12    optical,  electromagnetic,  or  any  other form of technology
13    that entails capabilities similar to these technologies.
14        "Electronic   record"   means   a    record    generated,
15    communicated, received, or stored by electronic means for use
16    in  an  information  system  or  for  transmission  from  one
17    information system to another.
18        "Electronic  signature"  means  a signature in electronic
19    form attached to or logically associated with  an  electronic
20    record.
21        "Information"  includes data, text, images, sound, codes,
22    computer programs, software, databases, and the like.
23        "Key  pair"  means,  in  an  asymmetric  cryptosystem,  2
24    mathematically related keys, referred to as a private key and
25    a public key, having the properties that  (i)  one  key  (the
26    private  key)  can  encrypt a message that only the other key
27    (the public key) can decrypt, and (ii) even knowing  one  key
28    (the   public  key),  it  is  computationally  unfeasible  to
29    discover  the other key (the private key).
30        "Message digest function" means an algorithm that maps or
31    translates the sequence  of  bits  comprising  an  electronic
32    record  into  another,  generally  smaller,  set of bits (the
33    message digest) without  requiring  the  use  of  any  secret
34    information  such  as  a  key, such that an electronic record
                            -4-                LRB9009236JSmg
 1    yields the same message digest every time  the  algorithm  is
 2    executed using such record as input and it is computationally
 3    unfeasible  that  any  2  electronic  records can be found or
 4    deliberately generated that would produce  the  same  message
 5    digest using the algorithm unless the 2 records are precisely
 6    identical.
 7        "Operational  period of a certificate" begins on the date
 8    and  time  the  certificate  is  issued  by  a  certification
 9    authority (or on a later date and time certain if  stated  in
10    the  certificate) and ends on the date and time it expires as
11    noted in the certificate or is earlier revoked, but does  not
12    include any period during which a certificate is suspended.
13        "Person"   means  an  individual,  corporation,  business
14    trust,  estate,  trust,  partnership,  limited   partnership,
15    limited  liability  partnership,  limited  liability company,
16    association,   joint   venture,   government,    governmental
17    subdivision,  agency,  or instrumentality, or any other legal
18    or commercial entity.
19        "Private key" means the key of a key pair used to  create
20    a digital signature.
21        "Public key" means the key of a key pair used to verify a
22    digital signature.
23        "Record"  means information that is inscribed, stored, or
24    otherwise fixed on a tangible medium or that is stored in  an
25    electronic or other medium and is retrievable in  perceivable
26    form.
27        "Repository"  means  a  system for storing and retrieving
28    certificates or other information relevant  to  certificates,
29    including   information   relating   to   the   status  of  a
30    certificate.
31        "Revoke a  certificate"  means  to  permanently  end  the
32    operational  period  of  a  certificate from a specified time
33    forward.
34        "Rule of law" means any statute,  ordinance,  common  law
                            -5-                LRB9009236JSmg
 1    rule,   court   decision,  or  other  rule  of  law  enacted,
 2    established or promulgated by the State of Illinois,  or  any
 3    agency,  commission,  department,  court,  other authority or
 4    political subdivision of the State of Illinois.
 5        "Security procedure" means  a  methodology  or  procedure
 6    used  for  the  purpose  of  (1) verifying that an electronic
 7    record is that of a specific person and (2)  detecting  error
 8    or alteration in the communication, content, or storage of an
 9    electronic  record since a specific point in time. A security
10    procedure  may  require  the  use  of  algorithms  or  codes,
11    identifying words or  numbers,  encryption,  answer  back  or
12    acknowledgment procedures, or similar security devices.
13        "Signature  device"  means  unique  information,  such as
14    codes, algorithms, letters, numbers, private keys,  or  PINs,
15    or  a  uniquely configured physical device, that is required,
16    alone or in conjunction with other information or devices, in
17    order to create an electronic  signature  attributable  to  a
18    specific person.
19        "Signed"  or  "signature" includes any symbol executed or
20    adopted, or any security procedure employed or adopted, using
21    electronic means or otherwise, by or on behalf  of  a  person
22    with intent to authenticate a record.
23        "State  agency"  means and includes all officers, boards,
24    commissions, courts, and agencies  created  by  the  Illinois
25    Constitution,   whether  in  the  executive,  legislative  or
26    judicial   branch,   all   officers,   departments,   boards,
27    commissions,     agencies,     institutions,     authorities,
28    universities, bodies politic and corporate of the State;  and
29    administrative  units  or  corporate  outgrowths of the State
30    government which are created by or pursuant to statute, other
31    than units of local government  and  their  officers,  school
32    districts   and   boards   of   election  commissioners;  all
33    administrative units and corporate outgrowths  of  the  above
34    and as may be created by executive order of the Governor.
                            -6-                LRB9009236JSmg
 1        "Subscriber"  means  a person who is the subject named or
 2    otherwise identified in a certificate, who controls a private
 3    key that  corresponds  to  the  public  key  listed  in  that
 4    certificate,  and  who is the person to whom digitally signed
 5    messages verified by reference to such certificate are to  be
 6    attributed.
 7        "Suspend  a certificate" means to temporarily suspend the
 8    operational period of a  certificate  for  a  specified  time
 9    period or from a specified time forward.
10        "Trustworthy  manner"  means  through the use of computer
11    hardware, software, and procedures that, in  the  context  in
12    which  they  are  used:  (a)  can  be  shown to be reasonably
13    resistant to penetration, compromise, and misuse; (b) provide
14    a reasonable level of reliability and correct operation;  (c)
15    are  reasonably suited to performing their intended functions
16    or  serving  their  intended  purposes;   (d)   comply   with
17    applicable  agreements  between  the parties, if any; and (e)
18    adhere to generally accepted security procedures.
19        "Valid  certificate"   means   a   certificate   that   a
20    certification  authority  has  issued and that the subscriber
21    listed in the certificate has accepted.
22        "Verify a digital signature" means to use the public  key
23    listed in a valid certificate,  along  with  the  appropriate
24    message  digest  function  and  asymmetric  cryptosystem,  to
25    evaluate  a digitally signed electronic record, such that the
26    result of the process concludes that  the  digital  signature
27    was created using the private key corresponding to the public
28    key  listed  in the certificate and the electronic record has
29    not been altered since its digital signature was created.
30        Section 5-110.  Legal recognition.  Information, records,
31    and signatures shall not be denied legal effect, validity, or
32    enforceability  solely  on  the  grounds  that  they  are  in
33    electronic form.
                            -7-                LRB9009236JSmg
 1        Section 5-115.  Electronic records.
 2        (a)  Where a rule  of  law  requires  information  to  be
 3    "written"   or   "in   writing",   or  provides  for  certain
 4    consequences if it is not,  an  electronic  record  satisfies
 5    that rule of law.
 6        (b)  The provisions of this Section shall not apply:
 7             (1)  when    its   application   would   involve   a
 8        construction  of  a  rule  of   law   that   is   clearly
 9        inconsistent  with  the  manifest intent of the lawmaking
10        body or repugnant to the context of the same rule of law,
11        provided that the mere requirement  that  information  be
12        "in writing", "written", or "printed" shall not by itself
13        be sufficient to establish such intent;
14             (2)  to  any  rule  of law governing the creation or
15        execution of a will or trust, living will, or  healthcare
16        power of attorney; and
17             (3)  to  any  record  that  serves  as  a unique and
18        transferable  instrument  of   rights   and   obligations
19        including, without limitation, negotiable instruments and
20        other  instruments  of  title  wherein  possession of the
21        instrument  is  deemed  to  confer   title,   unless   an
22        electronic version of such record is created, stored, and
23        transferred  in a manner that allows for the existence of
24        only one unique, identifiable, and  unalterable  original
25        with  the functional attributes of an equivalent physical
26        instrument, that can be possessed by only one person, and
27        which cannot be copied except in a form that  is  readily
28        identifiable as a copy.
29        Section 5-120.  Electronic signatures.
30        (a)  Where  a  rule  of  law  requires  a  signature,  or
31    provides  for  certain  consequences  if  a  document  is not
32    signed, an electronic signature satisfies that rule of law.
33        (b)  An electronic signature may be proved in any manner,
                            -8-                LRB9009236JSmg
 1    including by showing that a  procedure  existed  by  which  a
 2    party  must  of  necessity have executed a symbol or security
 3    procedure for the purpose of  verifying  that  an  electronic
 4    record is that of such party in order to proceed further with
 5    a transaction.
 6        (c)  The provisions of this Section shall not apply:
 7             (1)  when    its   application   would   involve   a
 8        construction  of  a  rule  of   law   that   is   clearly
 9        inconsistent  with  the  manifest intent of the lawmaking
10        body or repugnant to the context of the same rule of law,
11        provided that the mere requirement of  a  "signature"  or
12        that  a  record  be  "signed"  shall  not  by  itself  be
13        sufficient to establish such intent;
14             (2)  to  any  rule  of law governing the creation or
15        execution of a will or trust, living will, or  healthcare
16        power of attorney; and
17             (3)  to  any  record  that  serves  as  a unique and
18        transferable  instrument  of   rights   and   obligations
19        including, without limitation, negotiable instruments and
20        other  instruments  of  title  wherein  possession of the
21        instrument  is  deemed  to  confer   title,   unless   an
22        electronic version of such record is created, stored, and
23        transferred  in a manner that allows for the existence of
24        only one unique, identifiable, and  unalterable  original
25        with  the functional attributes of an equivalent physical
26        instrument, that can be possessed by only one person, and
27        which cannot be copied except in a form that  is  readily
28        identifiable as a copy.
29        Section 5-125.  Original.
30        (a)  Where  a  rule  of  law  requires  information to be
31    presented or retained  in  its  original  form,  or  provides
32    consequences  for  the  information  not  being  presented or
33    retained in its original form, that rule of law is  satisfied
                            -9-                LRB9009236JSmg
 1    by an electronic record if there exists reliable assurance as
 2    to the integrity of the information from the time when it was
 3    first generated in its final form, as an electronic record or
 4    otherwise.
 5        (b)  The   criteria  for  assessing  integrity  shall  be
 6    whether the information has remained complete and  unaltered,
 7    apart   from   the  addition  of  any  endorsement  or  other
 8    information   that   arises   in   the   normal   course   of
 9    communication,  storage  and  display.    The   standard   of
10    reliability  required  shall  be assessed in the light of the
11    purpose for which the information was generated  and  in  the
12    light of all the relevant circumstances.
13        (c)  The  provisions  of this Section do not apply to any
14    record that serves as a unique and transferable instrument of
15    rights  and  obligations   including,   without   limitation,
16    negotiable instruments and other instruments of title wherein
17    possession  of  the  instrument  is  deemed  to confer title,
18    unless an electronic  version  of  such  record  is  created,
19    stored,  and  transferred  in  a  manner  that allows for the
20    existence of only one unique, identifiable,  and  unalterable
21    original  with  the  functional  attributes  of an equivalent
22    physical instrument,  that  can  be  possessed  by  only  one
23    person,  and  which cannot be copied except in a form that is
24    readily identifiable as a copy.
25        Section 5-130.  Admissibility into evidence.
26        (a)  In any legal proceeding, nothing in the  application
27    of  the  rules  of  evidence  shall  apply  so as to deny the
28    admissibility of an electronic record or electronic signature
29    into evidence:
30             (1)  on the sole ground that  it  is  an  electronic
31        record or electronic signature; or
32             (2)  on  the  grounds that it is not in its original
33        form or is not an original.
                            -10-               LRB9009236JSmg
 1        (b)  Information in the  form  of  an  electronic  record
 2    shall  be  given due evidentiary weight by the trier of fact.
 3    In assessing the evidential weight of an electronic record or
 4    electronic signature where its authenticity is in issue,  the
 5    trier  of  fact  may  consider  the  manner  in  which it was
 6    generated, stored or communicated,  the  reliability  of  the
 7    manner  in  which its integrity was maintained, the manner in
 8    which its originator was identified or the electronic  record
 9    was   signed,   and   any   other   relevant  information  or
10    circumstances.
11        Section 5-135.  Retention of electronic records.
12        (a)  Where a rule of law requires that certain documents,
13    records or information be retained, that requirement  is  met
14    by  retaining  electronic  records  of  such information in a
15    trustworthy manner, provided that  the  following  conditions
16    are satisfied:
17             (1)  the   electronic  record  and  the  information
18        contained therein are accessible so as to be  usable  for
19        subsequent  reference  at all times when such information
20        must be retained;
21             (2)  the information is retained in  the  format  in
22        which  it  was originally generated, sent, or received or
23        in  a  format  that  can  be  demonstrated  to  represent
24        accurately the information originally generated, sent  or
25        received;
26             (3)  such  data as enables the identification of the
27        origin  and   destination   of   the   information,   the
28        authenticity  and  integrity  of the information, and the
29        date and time when it was sent or received,  if  any,  is
30        retained.
31        (b)  An   obligation  to  retain  documents,  records  or
32    information in accordance with subsection (a) does not extend
33    to any data the sole purpose of which is to enable the record
                            -11-               LRB9009236JSmg
 1    to be sent or received.
 2        (c)  Nothing in this Section  shall  preclude  any  State
 3    agency   from  specifying  additional  requirements  for  the
 4    retention of records that are subject to the jurisdiction  of
 5    such agency.
 6        Section  5-140.  Electronic  use not required. Nothing in
 7    this Act shall be construed to:
 8             (1)  require any person to create, store,  transmit,
 9        accept,  or  otherwise  use  or  communicate information,
10        records,  or  signatures  by  electronic  means   or   in
11        electronic form; or
12             (2)  prohibit  any  person engaging in a transaction
13        from establishing reasonable requirements  regarding  the
14        medium  on which it will accept records or the method and
15        type of symbol or security procedure it will accept as  a
16        signature.
17        ARTICLE 10.  SECURE ELECTRONIC RECORDS AND SIGNATURES
18        Section 10-105. Secure electronic record.
19        (a)  If,   through   the  use  of  a  qualified  security
20    procedure, it can be verified that an electronic  record  has
21    not  been  altered since a specified point in time, then such
22    electronic  record  shall  be  considered  to  be  a   secure
23    electronic  record  from  such specified point in time to the
24    time of verification, if the relying party  establishes  that
25    the qualified security procedure was:
26             (1)  commercially      reasonable      under     the
27        circumstances;
28             (2)  applied by the relying party in  a  trustworthy
29        manner; and
30             (3)  reasonably and in good faith relied upon by the
31        relying party.
                            -12-               LRB9009236JSmg
 1        (b)  A  qualified security procedure for purposes of this
 2    Section is a security procedure  to  detect  changes  in  the
 3    content of an electronic record that is:
 4             (1)  previously agreed to by the parties; or
 5             (2)  certified   by   the   Secretary  of  State  in
 6        accordance  with  Section  10-135  as  being  capable  of
 7        providing reliable evidence that an electronic record has
 8        not been altered.
 9        Section 10-110.  Secure electronic signature.
10        (a)  If,  through  the  use  of  a   qualified   security
11    procedure, it can be verified that an electronic signature is
12    the  signature  of  a  specific  person, then such electronic
13    signature shall be  considered  to  be  a  secure  electronic
14    signature  at  the time of verification, if the relying party
15    establishes that the qualified security procedure was:
16             (1)  commercially     reasonable      under      the
17        circumstances;
18             (2)  applied  by  the relying party in a trustworthy
19        manner; and
20             (3)  reasonably and in good faith relied upon by the
21        relying party.
22        (b)  A qualified security procedure for purposes of  this
23    Section is a security procedure for identifying a person that
24    is:
25             (1)  previously agreed to by the parties; or
26             (2)  certified   by   the   Secretary  of  State  in
27        accordance  with  Section  10-135  as  being  capable  of
28        creating,  in  a  trustworthy   manner,   an   electronic
29        signature that:
30                  (A)  is unique to the signer within the context
31             in which it is used;
32                  (B)  can  be  used  to objectively identify the
33             person signing the electronic record;
                            -13-               LRB9009236JSmg
 1                  (C)  was reliably created  by  such  identified
 2             person,  (e.g., because some aspect of the procedure
 3             involves the use of  a  signature  device  or  other
 4             means  or  method  that is under the sole control of
 5             such person), and that cannot be readily  duplicated
 6             or compromised; and
 7                  (D)  is   created,   and   is   linked  to  the
 8             electronic record to which it relates, in  a  manner
 9             such   that  if  the  record  or  the  signature  is
10             intentionally  or  unintentionally   changed   after
11             signing the electronic signature is invalidated.
12        Section 10-115. Commercially reasonable; reliance.
13        (a)  The   commercial   reasonableness   of   a  security
14    procedure is to be determined by the court in  light  of  the
15    purposes of the procedure and the commercial circumstances at
16    the  time the procedure was used, including the nature of the
17    transaction, sophistication of the parties, volume of similar
18    transactions engaged in by either or  both  of  the  parties,
19    availability  of  alternatives  offered  to  but  rejected by
20    either of the parties, cost of  alternative  procedures,  and
21    procedures in general use for similar types of transactions.
22        (b)  Whether   reliance   on  a  security  procedure  was
23    reasonable and in good faith is to be determined in light  of
24    all  the circumstances known to the relying party at the time
25    of the reliance, having due regard to the:
26             (1)  information that  the  relying  party  knew  or
27        should  have  known of at the time of reliance that would
28        suggest that reliance was or was not reasonable;
29             (2)  the  value  or  importance  of  the  electronic
30        record, if known;
31             (3)  any course of dealing between the relying party
32        and the purported sender and  the  available  indicia  of
33        reliability  or  unreliability  apart  from  the security
                            -14-               LRB9009236JSmg
 1        procedure;
 2             (4)  any  usage   of   trade,   particularly   trade
 3        conducted  by trustworthy systems or other computer-based
 4        means; and
 5             (5)  whether the verification was performed with the
 6        assistance of an independent third party.
 7        Section 10-120. Presumptions.
 8        (a)  In resolving a  civil  dispute  involving  a  secure
 9    electronic  record,  it shall be rebuttably presumed that the
10    electronic record has not been  altered  since  the  specific
11    point in time to which the secure status relates.
12        (b)  In  resolving  a  civil  dispute  involving a secure
13    electronic signature, it shall be  rebuttably  presumed  that
14    the  secure  electronic  signature  is  the  signature of the
15    person to whom it correlates.
16        (c)  The effect of presumptions provided in this  Section
17    is  to  place  on  the  party  challenging the integrity of a
18    secure electronic record or challenging the genuineness of  a
19    secure  electronic signature both the burden of going forward
20    with evidence to rebut the  presumption  and  the  burden  of
21    persuading  the  trier  of  fact that the nonexistence of the
22    presumed fact is more probable than its existence.
23        (d)  In the absence of a secure electronic  record  or  a
24    secure electronic signature, nothing in this Act shall change
25    existing rules regarding legal or evidentiary rules regarding
26    the  burden  of  proving the authenticity and integrity of an
27    electronic record or an electronic signature.
28        Section  10-125.  Creation  and  control   of   signature
29    devices.  Except  as otherwise provided by another applicable
30    rule of law, whenever the creation, validity, or  reliability
31    of  an  electronic  signature created by a qualified security
32    procedure under Section 10-105 or 10-110  is  dependent  upon
                            -15-               LRB9009236JSmg
 1    the secrecy or control of a signature device of the signer:
 2        (1)  the  person  generating  or  creating  the signature
 3    device must do so in a trustworthy manner;
 4        (2)  the signer and all  other  persons  that  rightfully
 5    have access to such signature device must exercise reasonable
 6    care  to  retain  control  and  maintain  the  secrecy of the
 7    signature device, and to protect  it  from  any  unauthorized
 8    access,  disclosure,  or use, during the period when reliance
 9    on a signature created by such device is reasonable;
10        (3)  in the event that the signer, or  any  other  person
11    that rightfully has access to such signature device, knows or
12    has  reason  to  know that the secrecy or control of any such
13    signature device has been compromised, such person must  make
14    a  reasonable effort to promptly notify all persons that such
15    person knows might foreseeably be damaged as a result of such
16    compromise, or where an appropriate publication mechanism  is
17    available,   to  publish  notice  of  the  compromise  and  a
18    disavowal of any signatures created thereafter.
19        Section 10-130.  Attribution of signature.
20        (a)  Except as provided by  another  applicable  rule  of
21    law,  a  secure  electronic  signature is attributable to the
22    person to whom it correlates, whether or not authorized, if:
23             (1)  the electronic signature resulted from acts  of
24        a  person  that  obtained  the  signature device or other
25        information necessary to  create  the  signature  from  a
26        source  under the control of the alleged signer, creating
27        the appearance that it came from that party;
28             (2)  the access or use occurred under  circumstances
29        constituting a failure to exercise reasonable care by the
30        alleged signer; and
31             (3)  the relying party relied reasonably and in good
32        faith  to  its  detriment  on  the apparent source of the
33        electronic record.
                            -16-               LRB9009236JSmg
 1        (b)  The provisions of this Section shall  not  apply  to
 2    transactions  intended  primarily  for  personal,  family, or
 3    household use, or otherwise defined as consumer  transactions
 4    by  applicable law including, but not limited to, credit card
 5    and automated  teller  machine  transactions  except  to  the
 6    extent allowed by applicable consumer law.
 7        Section  10-135.  Secretary of State authority to certify
 8    security procedures.
 9        (a)  A  security  procedure  may  be  certified  by   the
10    Secretary  of  State,  as  a qualified security procedure for
11    purposes  of  Sections  10-105  or   10-110,   following   an
12    appropriate investigation or review, if:
13             (1)  the    security    procedure   (including   any
14        technology and algorithms it employs) is completely  open
15        and  fully disclosed to the public, and has been so for a
16        sufficient  length  of  time,  so  as  to  facilitate   a
17        comprehensive  review  and  evaluation of its suitability
18        for the intended purpose by  the  applicable  information
19        security or scientific community; and
20             (2)     the   security   procedure   (including  any
21        technology and algorithms it employs) has been  generally
22        accepted   in  the  applicable  information  security  or
23        scientific community as being capable of  satisfying  the
24        requirements  of Section 10-105 or 10-110, as applicable,
25        in a trustworthy manner.
26        (b)  In making  a  determination  regarding  whether  the
27    security  procedure  (including any technology and algorithms
28    it employs) has been generally  accepted  in  the  applicable
29    information  security  or scientific community, the Secretary
30    of State shall consider the opinion of independent experts in
31    the applicable field  and  the  published  findings  of  such
32    community,  including applicable standards organizations such
33    as  the  American  National   Standards   Institute   (ANSI),
                            -17-               LRB9009236JSmg
 1    International  Standards  Organization  (ISO),  International
 2    Telecommunications Union (ITU), and the National Institute of
 3    Standards and Technology (NIST).
 4        (c)  Such   certification   shall  be  done  through  the
 5    adoption of rules in accordance with the  provisions  of  the
 6    Illinois  Administrative  Procedure  Act  and shall specify a
 7    full and complete identification of the  security  procedure,
 8    including  requirements as to how it is to be implemented, if
 9    appropriate.
10        (d)  The Secretary of State may also decertify a security
11    procedure as a qualified security procedure for  purposes  of
12    Sections   10-105   or   10-110   following   an  appropriate
13    investigation  or  review  and  the  adoption  of  rules   in
14    accordance with the provisions of the Illinois Administrative
15    Procedure  Act  if subsequent developments establish that the
16    security procedure is no longer sufficiently  trustworthy  or
17    reliable for its intended purpose, or for any other reason no
18    longer meets the requirements for certification.
19        (e)  The   Secretary   of   State  shall  have  exclusive
20    authority to certify security procedures under this Section.
21        Section 10-140.  Unauthorized use of signature device.
22        (a)  No person shall knowingly or  intentionally  access,
23    copy,  or  otherwise  obtain  possession  of  or recreate the
24    signature device of another person without authorization  for
25    the  purpose  of  creating,  or  allowing  or causing another
26    person to create, an unauthorized electronic signature  using
27    such  signature  device. A person convicted of a violation of
28    this subsection shall be guilty of a Class A misdemeanor.
29        (b)  No person shall knowingly alter,  disclose,  or  use
30    the signature device of another person without authorization,
31    or  in  excess  of  lawful  authorization, for the purpose of
32    creating, or allowing or causing another person to create, an
33    unauthorized  electronic  signature  using   such   signature
                            -18-               LRB9009236JSmg
 1    device.  A person convicted of a violation of this subsection
 2    shall be guilty of a Class 4 felony. A person convicted of  a
 3    violation   of   this  subsection  who  has  previously  been
 4    convicted of a violation of this subsection or Section 15-210
 5    shall be guilty of a Class 3 felony. A  person  who  violates
 6    this  Section  in  furtherance  of  any scheme or artifice to
 7    defraud in excess of $50,000 shall be guilty  of  a  Class  2
 8    felony.
 9             ARTICLE 15.  EFFECT OF A DIGITAL SIGNATURE
10        Section  15-101.  Secure  electronic  record.   A digital
11    signature that  is  created  using  an  asymmetric  algorithm
12    certified  by  the  Secretary  of  State  under  item  (2) of
13    subsection (b) of Section 10-105 shall be considered to be  a
14    qualified   security  procedure  for  purposes  of  detecting
15    changes in the content of an electronic record under  Section
16    10-105  if  the  digital  signature  was  created  during the
17    operational period of a valid certificate,  and  is  verified
18    by reference to the public key listed in such certificate.
19        Section  15-105.  Secure electronic signature.  A digital
20    signature that  is  created  using  an  asymmetric  algorithm
21    certified  by  the  Secretary  of  State  under  item  (2) of
22    subsection (b) of Section 10-110 shall be considered to be  a
23    qualified  security  procedure  for purposes of identifying a
24    person under Section 10-110 if:
25             (1)  the digital signature was  created  during  the
26        operational  period  of  a  valid  certificate,  was used
27        within the scope of any other restrictions  specified  or
28        incorporated by reference in the certificate, if any, and
29        can  be verified by reference to the public key listed in
30        the certificate; and
31             (2)  the  certificate  is   considered   trustworthy
                            -19-               LRB9009236JSmg
 1        (i.e.,  an accurate binding of a public key to a person's
 2        identity)  because  the  certificate  was  issued  by   a
 3        certification  authority  in  accordance  with standards,
 4        procedures,  and  other  requirements  specified  by  the
 5        Secretary of State, or the trier  of  fact  independently
 6        finds  that  the  certificate was issued in a trustworthy
 7        manner  by  a  certification  authority   that   properly
 8        authenticated  the subscriber and the subscriber's public
 9        key, or otherwise finds that the material information set
10        forth in the certificate is true.
11        Section 15-115. Secretary of  State  authority  to  adopt
12    rules.
13        (a)  The Secretary of State may adopt rules applicable to
14    both  the  public  and  private  sectors  for  the purpose of
15    defining  when  a  certificate  is  considered   sufficiently
16    trustworthy   under   Section  15-105  such  that  a  digital
17    signature verified by reference to such a certificate will be
18    considered  a  qualified  security  procedure  under  Section
19    10-110. The rules may include (1)  establishing  or  adopting
20    standards   applicable   to   certification   authorities  or
21    certificates,  compliance  with  which  may  be  measured  by
22    becoming  certified  by  the  Secretary  of  State,  becoming
23    accredited by one or more  independent  accrediting  entities
24    recognized by the Secretary of State, or by other appropriate
25    means  and  (2)  where  appropriate,  establishing fees to be
26    charged by the Secretary of State to recover all or a portion
27    of its costs in connection therewith.
28        (b)  In developing the  rules,  the  Secretary  of  State
29    shall  endeavor  to    do  so  in  a manner that will provide
30    maximum  flexibility  to  the   implementation   of   digital
31    signature  technology  and  the  business models necessary to
32    support  it,  that  will  provide  a  clear  basis  for   the
33    recognition  of  certificates issued by foreign certification
                            -20-               LRB9009236JSmg
 1    authorities, and, to the  extent  reasonably  possible,  that
 2    will  maximize the opportunities for uniformity with the laws
 3    of other jurisdictions (both within  the  United  States  and
 4    internationally).
 5        (c)  The   Secretary   of   State  shall  have  exclusive
 6    authority to adopt rules authorized by this Section.
 7        Section 15-201.  Reliance  on  certificates  foreseeable.
 8    It is foreseeable that persons relying on a digital signature
 9    will  also  rely on a valid certificate containing the public
10    key by which the digital signature can  be  verified,  during
11    the  operational  period  of  such certificate and within any
12    limits specified in such certificate.
13        Section   15-205.  Restrictions   on    publication    of
14    certificate.    No  person  may  publish  a  certificate,  or
15    otherwise  knowingly  make  it  available to anyone likely to
16    rely on the certificate or on a  digital  signature  that  is
17    verifiable  with  reference  to  the public key listed in the
18    certificate, if such person knows that:
19             (1)  the  certification  authority  listed  in   the
20        certificate has not issued it;
21             (2)  the  subscriber  listed  in the certificate has
22        not accepted it; or
23             (3)  the certificate has been revoked or  suspended,
24        unless such publication is for the purpose of verifying a
25        digital  signature  created  prior  to such revocation or
26        suspension, or giving notice of revocation or suspension.
27        Section  15-210.  Fraudulent  use.    No   person   shall
28    knowingly   create,   publish,  alter,  or  otherwise  use  a
29    certificate for any fraudulent or other unlawful purpose.   A
30    person  convicted  of  a  violation  of this Section shall be
31    guilty of a Class 4 felony. A person convicted of a violation
                            -21-               LRB9009236JSmg
 1    of this Section  who  previously  has  been  convicted  of  a
 2    violation  of  this Section or Section 10-140 shall be guilty
 3    of a Class 3 felony. A person who violates  this  Section  in
 4    furtherance of any scheme or artifice to defraud in excess of
 5    $50,000 shall be guilty of a Class 2 felony.
 6        Section   15-215.  False  or  unauthorized  request.   No
 7    person shall knowingly misrepresent his or  her  identity  or
 8    authorization  in requesting or accepting a certificate or in
 9    requesting suspension or  revocation  of  a  certificate.   A
10    person  convicted  of  a  violation  of this Section shall be
11    guilty of a Class A misdemeanor.  A person who violates  this
12    Section  10  times  within one year, or in furtherance of any
13    scheme or artifice to defraud, shall be guilty of a  Class  4
14    felony.  A person who violates this Section in furtherance of
15    any scheme or artifice to defraud in excess of $50,000  shall
16    be guilty of a Class 2 felony.
17        Section 15-220.  Unauthorized use of signature device. No
18    person  shall  knowingly  access, alter, disclose, or use the
19    signature device of a certification authority used  to  issue
20    certificates  without  authorization,  or in excess of lawful
21    authorization, for the purpose of creating,  or  allowing  or
22    causing  another person to create, an unauthorized electronic
23    signature using such signature device. A person convicted  of
24    a  violation  of  this  Section  shall be guilty of a Class 3
25    felony. A person who violates this Section in furtherance  of
26    any  scheme or artifice to defraud shall be guilty of a Class
27    2 felony.
28        Section   15-301.  Trustworthy   services.    Except   as
29    conspicuously  set  forth  in  its   certification   practice
30    statement, a certification authority and a person maintaining
31    a  repository  must  maintain  its operations and perform its
                            -22-               LRB9009236JSmg
 1    services in a trustworthy manner.
 2        Section 15-305.  Disclosure.
 3        (a)  For  each  certificate  issued  by  a  certification
 4    authority with the intention that it will be relied  upon  by
 5    third   parties  to  verify  digital  signatures  created  by
 6    subscribers,  a  certification  authority  must  publish   or
 7    otherwise  make  available  to  the  subscriber  and all such
 8    relying parties:
 9             (1)  its certification practice statement,  if  any,
10        applicable thereto; and
11             (2)  its    certificate    that    identifies    the
12        certification authority as a subscriber and that contains
13        the  public  key corresponding to the private key used by
14        the  certification  authority  to  digitally   sign   the
15        certificate (its "certification authority certificate").
16        (b)  In  the  event  of an occurrence that materially and
17    adversely affects a certification authority's  operations  or
18    system, its certification authority certificate, or any other
19    aspect of its ability to operate in a trustworthy manner, the
20    certification   authority   must   act   in  accordance  with
21    procedures governing such  an  occurrence  specified  in  its
22    certification  practice  statement, or in the absence of such
23    procedures, must use reasonable efforts to notify any persons
24    that the certification authority knows might  foreseeably  be
25    damaged as a result of such occurrence.
26        Section    15-310.  Issuance    of   a   certificate.   A
27    certification  authority  may  issue  a  certificate   to   a
28    prospective  subscriber  for  the  purpose  of allowing third
29    parties  to  verify  digital  signatures   created   by   the
30    subscriber only after:
31        (1)  the  certification  authority has received a request
32    for issuance from the prospective subscriber; and
                            -23-               LRB9009236JSmg
 1        (2)  the certification authority has:
 2             (A)  complied with all of the relevant practices and
 3        procedures set  forth  in  its  applicable  certification
 4        practice statement, if any; or
 5             (B)  in  the  absence  of  a  certification practice
 6        statement  addressing  these  issues,  confirmed   in   a
 7        trustworthy manner that:
 8                  (i)  the  prospective  subscriber is the person
 9             to be listed in the certificate to be issued;
10                  (ii)  the information in the certificate to  be
11             issued is accurate;
12                  (iii)  the  prospective  subscriber  rightfully
13             holds  a  private  key capable of creating a digital
14             signature, and the public key to be  listed  in  the
15             certificate   can   be  used  to  verify  a  digital
16             signature affixed by such private key.
17        Section   15-315.  Representations   upon   issuance   of
18    certificate.
19        (a)  By issuing a certificate with the intention that  it
20    will  be  relied  upon  by  third  parties  to verify digital
21    signatures  created  by  the  subscriber,   a   certification
22    authority represents to the subscriber, and to any person who
23    reasonably   relies   on   information   contained   in   the
24    certificate, in good faith and during its operational period,
25    that:
26             (1)  the   certification  authority  has  processed,
27        approved, and issued,  and  will  manage  and  revoke  if
28        necessary,   the   certificate  in  accordance  with  its
29        applicable certification  practice  statement  stated  or
30        incorporated  by reference in the certificate or of which
31        such person has notice, or in lieu thereof, in accordance
32        with this Act or the law of  the  jurisdiction  governing
33        issuance of the certificate;
                            -24-               LRB9009236JSmg
 1             (2)  the  certification  authority  has verified the
 2        identity of the subscriber to the extent  stated  in  the
 3        certificate  or  its  applicable  certification  practice
 4        statement,  or  in  lieu  thereof, that the certification
 5        authority has verified the identity of the subscriber  in
 6        a trustworthy manner;
 7             (3)  the  certification  authority has verified that
 8        the person requesting the certificate holds  the  private
 9        key  corresponding  to  the  public  key  listed  in  the
10        certificate; and
11             (4)  except   as  conspicuously  set  forth  in  the
12        certificate  or  its  applicable  certification  practice
13        statement, to the certification authority's knowledge  as
14        of  the  date  the  certificate  was  issued,  all  other
15        information  in  the  certificate  is  accurate,  and not
16        materially misleading.
17        (b)  If a certification authority issued the  certificate
18    subject   to   the   laws   of   another   jurisdiction,  the
19    certification  authority  also  makes  all   warranties   and
20    representations,  if  any, otherwise applicable under the law
21    governing its issuance.
22        Section 15-320.  Revocation of a certificate.
23        (a)  During the operational period of a certificate,  the
24    certification  authority  that  issued  the  certificate must
25    revoke the certificate in accordance with  the  policies  and
26    procedures  governing  revocation specified in its applicable
27    certification practice statement, or in the absence  of  such
28    policies and procedures, as soon as possible after:
29             (1)  receiving  a  request  for  revocation  by  the
30        subscriber  named in the certificate, and confirming that
31        the person requesting revocation is the subscriber, or is
32        an agent of the subscriber with authority to request  the
33        revocation;
                            -25-               LRB9009236JSmg
 1             (2)  receiving  a  certified  copy  of an individual
 2        subscriber's death certificate,  or  upon  confirming  by
 3        other reliable evidence that the subscriber is dead;
 4             (3)  being  presented  with  documents  effecting  a
 5        dissolution of a corporate subscriber, or confirmation by
 6        other  evidence that the subscriber has been dissolved or
 7        has ceased to exist;
 8             (4)  being served with an order requiring revocation
 9        that was issued by a court of competent jurisdiction; or
10             (5)  confirmation  by  the  certification  authority
11        that:
12                  (A)  a  material  fact   represented   in   the
13             certificate is false;
14                  (B)  a material prerequisite to issuance of the
15             certificate was not satisfied;
16                  (C)  the  certification authority's private key
17             or system operations were compromised  in  a  manner
18             materially  affecting the certificate's reliability;
19             or
20                  (D)  the   subscriber's   private    key    was
21             compromised.
22        (b)  Upon  effecting such a revocation, the certification
23    authority must notify the subscriber and relying  parties  in
24    accordance  with the policies and procedures governing notice
25    of  revocation  specified  in  its  applicable  certification
26    practice statement, or in the absence of  such  policies  and
27    procedures,  promptly notify the subscriber, promptly publish
28    notice of  the  revocation  in  all  repositories  where  the
29    certification  authority previously caused publication of the
30    certificate, and otherwise disclose the fact of revocation on
31    inquiry by a relying party.
32                 ARTICLE 20.  DUTIES OF SUBSCRIBERS
                            -26-               LRB9009236JSmg
 1        Section 20-101.  Obtaining a certificate.   All  material
 2    representations knowingly made by a person to a certification
 3    authority for purposes of obtaining a certificate naming such
 4    person  as  a subscriber must be accurate and complete to the
 5    best of such person's knowledge and belief.
 6        Section 20-105.  Acceptance of a certificate.
 7        (a)  A person  accepts  a  certificate  that  names  such
 8    person as a subscriber by publishing or approving publication
 9    of  it  to  one  or  more  persons,  or  in  a repository, or
10    otherwise demonstrating approval  of  it,  while  knowing  or
11    having notice of its contents.
12        (b)  By accepting a certificate, the subscriber listed in
13    the  certificate  represents  to  any  person  who reasonably
14    relies on information contained in the certificate,  in  good
15    faith and during its operational period, that:
16             (1)  the subscriber rightfully holds the private key
17        corresponding   to   the   public   key   listed  in  the
18        certificate;
19             (2)  all representations made by the  subscriber  to
20        the   certification   authority   and   material  to  the
21        information listed in the certificate are true; and
22             (3)  all information  in  the  certificate  that  is
23        within the knowledge of the subscriber is true.
24        Section  20-110.  Revocation  of  certificate.  Except as
25    otherwise provided by another applicable rule of law, if  the
26    private key corresponding to the public key listed in a valid
27    certificate  is  lost,  stolen, accessible to an unauthorized
28    person,  or  otherwise  compromised  during  the  operational
29    period of the certificate, a subscriber who  has  learned  of
30    the    compromise   must   promptly   request   the   issuing
31    certification authority to revoke the certificate and publish
32    notice  of  revocation  in  all  repositories  in  which  the
                            -27-               LRB9009236JSmg
 1    subscriber  previously  authorized  the  certificate  to   be
 2    published,  or  otherwise  provide  reasonable  notice of the
 3    revocation.
 4                  ARTICLE 25.  STATE AGENCY USE OF
 5                  ELECTRONIC RECORDS AND SIGNATURES
 6        Section 25-101.  State agency use of electronic  records.
 7        (a)  Each State agency shall determine if, and the extent
 8    to  which,  it  will  send and receive electronic records and
 9    electronic signatures to and from other persons and otherwise
10    create, use, store, and  rely  upon  electronic  records  and
11    electronic signatures.
12        (b)  In  any case where a State agency decides to send or
13    receive electronic records, or to accept document filings  by
14    electronic  records,  the  State  agency  may, by appropriate
15    agency rule (or court rule  where  appropriate),  giving  due
16    consideration to security, specify:
17             (1)  the  manner and format in which such electronic
18        records must be created, sent, received, and stored;
19             (2)  if such electronic records must be signed,  the
20        type  of  electronic  signature  required, the manner and
21        format in which such signature must  be  affixed  to  the
22        electronic  record, and the identity of, or criteria that
23        must be met by, any third party used by the person filing
24        the document to facilitate the process;
25             (3)  control processes and procedures as appropriate
26        to ensure adequate integrity, security,  confidentiality,
27        and auditability of such electronic records; and
28             (4)  any   other   required   attributes   for  such
29        electronic  records  that  are  currently  specified  for
30        corresponding paper documents,  or  reasonably  necessary
31        under the circumstances.
32        (c)  All  rules  adopted  by a State agency shall include
                            -28-               LRB9009236JSmg
 1    the relevant minimum security requirements established by the
 2    Secretary of State, if any.
 3        (d)  Whenever any rule of law requires or authorizes  the
 4    filing of any information, notice, lien, or other document or
 5    record  with any State agency, a filing made by an electronic
 6    record shall have the same force and effect as a filing  made
 7    on  paper  in all cases where the State agency has authorized
 8    or agreed to such electronic filing and the filing is made in
 9    accordance with applicable rules or agreement.
10        (e)  Nothing in this Act shall be  construed  to  require
11    any  State  agency  to use or to permit the use of electronic
12    records or electronic signatures.
13        Section  25-105.  Secretary  of  State  to  adopt   State
14    standards.
15        (a)  The Secretary of State may adopt rules setting forth
16    minimum  security  requirements  for  the  use  of electronic
17    records and electronic signatures by State agencies.
18        (b)  The Secretary of  State  shall  specify  appropriate
19    minimum  security requirements to be implemented and followed
20    by State agencies for (1) the generation, use, and storage of
21    key pairs, (2) the issuance, acceptance, use, suspension, and
22    revocation of  certificates,  and  (3)  the  use  of  digital
23    signatures.
24        (c)  Each State agency shall have the authority to issue,
25    or  contract  for  the  issuance  of, certificates to (i) its
26    employees and agents and (ii) persons conducting business  or
27    other  transactions  with such State agency and to take other
28    actions consistent therewith, including the establishment  of
29    repositories and the suspension or revocation of certificates
30    so  issued,  provided  that  the  foregoing  is  conducted in
31    accordance with  all  the  rules,  procedures,  and  policies
32    specified  by  the Secretary of State. The Secretary of State
33    shall have the authority to specify  the  rules,  procedures,
                            -29-               LRB9009236JSmg
 1    and policies whereby State agencies may issue or contract for
 2    the issuance of certificates.
 3        (d)  The  Secretary  of  State  may  specify  appropriate
 4    minimum  standards and requirements that must be satisfied by
 5    a certification authority before:
 6             (1)  its services are used by any State  agency  for
 7        the  issuance, publication, revocation, and suspension of
 8        certificates to such agency, or its employees  or  agents
 9        (for official use); or
10             (2)  the certificates it issues will be accepted for
11        purposes of verifying digitally signed electronic records
12        sent to any State agency by any person.
13        (e)  Where   appropriate,   the   rules  adopted  by  the
14    Secretary of State pursuant to  this  Section  shall  specify
15    differing levels of minimum standards from which implementing
16    State agencies can select the standard most appropriate for a
17    particular application.
18        (f)  Except  as provided in Section 25-101, the Secretary
19    of State  shall  have  exclusive  authority  to  adopt  rules
20    authorized by this Section.
21        Section   25-115.  Interoperability.    To   the   extent
22    reasonable  under   the  circumstances,  rules adopted by the
23    Secretary of State or a State agency relating to the  use  of
24    electronic  records or electronic signatures shall be drafted
25    in a manner designed to encourage and promote consistency and
26    interoperability  with  similar   requirements   adopted   by
27    government   agencies   of   other  states  and  the  federal
28    government.
29        ARTICLE 30.  ENFORCEMENT; CIVIL REMEDY; SEVERABILITY
30        Section 30-1.  Enforcement.  The Secretary of  State  may
31    investigate   complaints   or  other  information  indicating
                            -30-               LRB9009236JSmg
 1    violations of rules adopted by the Secretary of  State  under
 2    this  Act  or  otherwise  indicating  fraudulent  or unlawful
 3    conduct under this Act.  The Secretary of State shall certify
 4    to the Attorney General, for  such  action  as  the  Attorney
 5    General  may  deem  appropriate,  all  information  he or she
 6    obtains that discloses a violation of any provision  of  this
 7    Act or the rules adopted by the Secretary of State under this
 8    Act.
 9        Section  30-5.  Civil  remedy.   Whoever  suffers loss by
10    reason of a violation of Section 10-140, 15-210,  15-215,  or
11    15-220  of  this  Act or Section 17-3 of the Criminal Code of
12    1961 may, in a civil  action  against  the  violator,  obtain
13    appropriate  relief.   In  a civil action under this Section,
14    the court  may  award  to  the  prevailing  party  reasonable
15    attorneys fees and other litigation expenses.
16        Section  30-110.  Severability.   The  provisions of this
17    Act are severable  under  Section  1.31  of  the  Statute  on
18    Statutes.
19                 ARTICLE 95.  AMENDATORY PROVISIONS
20        Section  95-1.   The  Statute  on  Statutes is amended by
21    changing Section 1.15 as follows:
22        (5 ILCS 70/1.15) (from Ch. 1, par. 1016)
23        Sec.  1.15.  "Written"  and  "in  writing"  may   include
24    printing,  electronic,  and  any  other  mode of representing
25    words and letters; but when  the  written  signature  of  any
26    person  is  required by law to any official or public writing
27    or  bond,  required  by  law,  it  shall  be  in  the  proper
28    handwriting of such person or, in case he is unable to write,
29    his proper mark, except as otherwise provided by law.
                            -31-               LRB9009236JSmg
 1    (Source: P.A. 88-672, eff. 12-14-94.)
 2        Section 95-5.  The Freedom of Information Act is  amended
 3    by changing Section 7 as follows:
 4        (5 ILCS 140/7) (from Ch. 116, par. 207)
 5        Sec. 7.  Exemptions.
 6        (1)  The  following  shall  be exempt from inspection and
 7    copying:
 8             (a)  Information   specifically   prohibited    from
 9        disclosure   by   federal  or  State  law  or  rules  and
10        regulations adopted under federal or State law.
11             (b)  Information   that,   if    disclosed,    would
12        constitute  a  clearly  unwarranted  invasion of personal
13        privacy, unless the disclosure is consented to in writing
14        by the  individual  subjects  of  the  information.   The
15        disclosure of information that bears on the public duties
16        of public employees and officials shall not be considered
17        an  invasion  of  personal privacy.  Information exempted
18        under this  subsection  (b)  shall  include  but  is  not
19        limited to:
20                  (i)  files  and personal information maintained
21             with  respect  to  clients,   patients,   residents,
22             students  or  other  individuals  receiving  social,
23             medical,    educational,    vocational,   financial,
24             supervisory or custodial care or  services  directly
25             or   indirectly  from  federal  agencies  or  public
26             bodies;
27                  (ii)  personnel files and personal  information
28             maintained  with respect to employees, appointees or
29             elected officials of any public body  or  applicants
30             for those positions;
31                  (iii)  files     and    personal    information
32             maintained with respect to any applicant, registrant
                            -32-               LRB9009236JSmg
 1             or licensee by any public body cooperating  with  or
 2             engaged     in    professional    or    occupational
 3             registration, licensure or discipline;
 4                  (iv)  information required of any  taxpayer  in
 5             connection  with the assessment or collection of any
 6             tax unless disclosure is otherwise required by State
 7             statute; and
 8                  (v)  information  revealing  the  identity   of
 9             persons   who   file   complaints  with  or  provide
10             information to  administrative,  investigative,  law
11             enforcement  or  penal  agencies; provided, however,
12             that  identification   of   witnesses   to   traffic
13             accidents,  traffic  accident  reports,  and  rescue
14             reports   may  be  provided  by  agencies  of  local
15             government, except in a case for  which  a  criminal
16             investigation  is  ongoing,  without  constituting a
17             clearly unwarranted  per  se  invasion  of  personal
18             privacy under this subsection.
19             (c)  Records   compiled   by  any  public  body  for
20        administrative  enforcement  proceedings  and   any   law
21        enforcement  or  correctional  agency for law enforcement
22        purposes or for internal matters of a  public  body,  but
23        only to the extent that disclosure would:
24                  (i)  interfere  with  pending  or  actually and
25             reasonably contemplated law enforcement  proceedings
26             conducted  by  any  law  enforcement or correctional
27             agency;
28                  (ii)  interfere  with  pending   administrative
29             enforcement  proceedings  conducted  by  any  public
30             body;
31                  (iii)  deprive  a  person of a fair trial or an
32             impartial hearing;
33                  (iv)  unavoidably disclose the  identity  of  a
34             confidential   source  or  confidential  information
                            -33-               LRB9009236JSmg
 1             furnished only by the confidential source;
 2                  (v)  disclose     unique     or     specialized
 3             investigative techniques other than those  generally
 4             used  and  known  or  disclose internal documents of
 5             correctional   agencies   related   to    detection,
 6             observation  or  investigation of incidents of crime
 7             or misconduct;
 8                  (vi)  constitute  an   invasion   of   personal
 9             privacy under subsection (b) of this Section;
10                  (vii)  endanger  the life or physical safety of
11             law enforcement personnel or any other person; or
12                  (viii)  obstruct    an     ongoing     criminal
13             investigation.
14             (d)  Criminal  history record information maintained
15        by State or local criminal justice agencies,  except  the
16        following  which  shall be open for public inspection and
17        copying:
18                  (i)  chronologically     maintained      arrest
19             information,  such  as  traditional  arrest  logs or
20             blotters;
21                  (ii)  the name of a person in the custody of  a
22             law  enforcement  agency  and  the charges for which
23             that person is being held;
24                  (iii)  court records that are public;
25                  (iv)  records  that  are  otherwise   available
26             under State or local law; or
27                  (v)  records  in  which the requesting party is
28             the individual identified, except as provided  under
29             part  (vii)  of  paragraph  (c) of subsection (1) of
30             this Section.
31             "Criminal history  record  information"  means  data
32        identifiable   to   an   individual   and  consisting  of
33        descriptions  or  notations   of   arrests,   detentions,
34        indictments, informations, pre-trial proceedings, trials,
                            -34-               LRB9009236JSmg
 1        or  other formal events in the criminal justice system or
 2        descriptions or notations of criminal charges  (including
 3        criminal  violations  of  local municipal ordinances) and
 4        the  nature  of  any   disposition   arising   therefrom,
 5        including  sentencing, court or correctional supervision,
 6        rehabilitation and release.  The term does not  apply  to
 7        statistical  records and reports in which individuals are
 8        not identified and from which their  identities  are  not
 9        ascertainable,  or  to  information  that is for criminal
10        investigative or intelligence purposes.
11             (e)  Records that relate to or affect  the  security
12        of correctional institutions and detention facilities.
13             (f)  Preliminary   drafts,  notes,  recommendations,
14        memoranda  and  other  records  in  which  opinions   are
15        expressed,  or policies or actions are formulated, except
16        that a specific record or relevant portion  of  a  record
17        shall not be exempt when the record is publicly cited and
18        identified  by the head of the public body. The exemption
19        provided in this  paragraph  (f)  extends  to  all  those
20        records  of officers and agencies of the General Assembly
21        that pertain to the preparation of legislative documents.
22             (g)  Trade  secrets  and  commercial  or   financial
23        information  obtained from a person or business where the
24        trade secrets or information are proprietary,  privileged
25        or confidential, or where disclosure of the trade secrets
26        or  information may cause competitive harm, including all
27        information determined to be confidential  under  Section
28        4002  of  the Technology Advancement and Development Act.
29        Nothing  contained  in  this  paragraph  (g)   shall   be
30        construed to prevent a person or business from consenting
31        to disclosure.
32             (h)  Proposals  and bids for any contract, grant, or
33        agreement,  including  information  which  if   it   were
34        disclosed   would   frustrate   procurement  or  give  an
                            -35-               LRB9009236JSmg
 1        advantage  to  any  person  proposing  to  enter  into  a
 2        contractor agreement with the body,  until  an  award  or
 3        final  selection is made.  Information prepared by or for
 4        the body in preparation of a bid  solicitation  shall  be
 5        exempt until an award or final selection is made.
 6             (i)  Valuable   formulae,   designs,   drawings  and
 7        research data obtained or produced  by  any  public  body
 8        when  disclosure  could reasonably be expected to produce
 9        private gain or public loss.
10             (j)  Test  questions,   scoring   keys   and   other
11        examination   data   used   to   administer  an  academic
12        examination  or  determined  the  qualifications  of   an
13        applicant for a license or employment.
14             (k)  Architects'   plans  and  engineers'  technical
15        submissions for projects not constructed or developed  in
16        whole  or  in  part  with  public  funds and for projects
17        constructed or developed with public funds, to the extent
18        that disclosure would compromise security.
19             (l)  Library   circulation   and    order    records
20        identifying library users with specific materials.
21             (m)  Minutes  of meetings of public bodies closed to
22        the public as provided in the Open Meetings Act until the
23        public body makes the minutes  available  to  the  public
24        under Section 2.06 of the Open Meetings Act.
25             (n)  Communications  between  a  public  body and an
26        attorney or auditor representing  the  public  body  that
27        would  not  be  subject  to  discovery in litigation, and
28        materials prepared or compiled by or for a public body in
29        anticipation  of  a  criminal,  civil  or  administrative
30        proceeding upon the request of an attorney  advising  the
31        public  body,  and  materials  prepared  or compiled with
32        respect to internal audits of public bodies.
33             (o)  Information received by a primary or  secondary
34        school,  college  or  university under its procedures for
                            -36-               LRB9009236JSmg
 1        the evaluation  of  faculty  members  by  their  academic
 2        peers.
 3             (p)  Administrative    or    technical   information
 4        associated with  automated  data  processing  operations,
 5        including   but   not   limited  to  software,  operating
 6        protocols,  computer  program  abstracts,  file  layouts,
 7        source  listings,  object  modules,  load  modules,  user
 8        guides,  documentation  pertaining  to  all  logical  and
 9        physical  design  of   computerized   systems,   employee
10        manuals,  and  any  other information that, if disclosed,
11        would jeopardize the security of the system or  its  data
12        or the security of materials exempt under this Section.
13             (q)  Documents  or  materials relating to collective
14        negotiating  matters  between  public  bodies  and  their
15        employees  or  representatives,  except  that  any  final
16        contract or agreement shall be subject to inspection  and
17        copying.
18             (r)  Drafts,  notes,  recommendations  and memoranda
19        pertaining to the financing and marketing transactions of
20        the public body. The records of ownership,  registration,
21        transfer, and exchange of municipal debt obligations, and
22        of   persons  to  whom  payment  with  respect  to  these
23        obligations is made.
24             (s)  The records, documents and information relating
25        to  real  estate  purchase   negotiations   until   those
26        negotiations have been completed or otherwise terminated.
27        With regard to a parcel involved in a pending or actually
28        and  reasonably  contemplated  eminent  domain proceeding
29        under  Article  VII  of  the  Code  of  Civil  Procedure,
30        records,  documents  and  information  relating  to  that
31        parcel shall be exempt except as  may  be  allowed  under
32        discovery  rules  adopted  by the Illinois Supreme Court.
33        The records, documents and information relating to a real
34        estate sale shall be exempt until a sale is consummated.
                            -37-               LRB9009236JSmg
 1             (t)  Any and all proprietary information and records
 2        related to the operation  of  an  intergovernmental  risk
 3        management  association or self-insurance pool or jointly
 4        self-administered  health  and  accident  cooperative  or
 5        pool.
 6             (u)  Information    concerning    a     university's
 7        adjudication   of   student   or  employee  grievance  or
 8        disciplinary cases, to the extent that  disclosure  would
 9        reveal  the  identity  of  the  student  or  employee and
10        information concerning any public body's adjudication  of
11        student  or  employee  grievances  or disciplinary cases,
12        except for the final outcome of the cases.
13             (v)  Course materials or research materials used  by
14        faculty members.
15             (w)  Information  related  solely  to  the  internal
16        personnel rules and practices of a public body.
17             (x)  Information   contained   in   or   related  to
18        examination, operating, or condition reports prepared by,
19        on behalf of, or for the use of a public body responsible
20        for  the   regulation   or   supervision   of   financial
21        institutions or insurance companies, unless disclosure is
22        otherwise required by State law.
23             (y)  Information   the   disclosure   of   which  is
24        restricted under Section 5-108 of  the  Public  Utilities
25        Act.
26             (z)  Manuals  or instruction to staff that relate to
27        establishment or collection of liability  for  any  State
28        tax  or that relate to investigations by a public body to
29        determine violation of any criminal law.
30             (aa)  Applications, related documents,  and  medical
31        records    received    by    the    Experimental    Organ
32        Transplantation   Procedures   Board   and  any  and  all
33        documents or other records prepared by  the  Experimental
34        Organ  Transplantation  Procedures  Board  or  its  staff
                            -38-               LRB9009236JSmg
 1        relating to applications it has received.
 2             (bb)  Insurance  or  self  insurance  (including any
 3        intergovernmental risk  management  association  or  self
 4        insurance   pool)   claims,   loss   or  risk  management
 5        information, records, data, advice or communications.
 6             (cc)  Information and records held by the Department
 7        of  Public  Health  and  its  authorized  representatives
 8        relating  to  known  or  suspected  cases   of   sexually
 9        transmissible  disease  or any information the disclosure
10        of  which  is  restricted  under  the  Illinois  Sexually
11        Transmissible Disease Control Act.
12             (dd)  Information  the  disclosure   of   which   is
13        exempted under Section 30 of the Radon Industry Licensing
14        Act.
15             (ee)  Firm  performance evaluations under Section 55
16        of the Architectural,  Engineering,  and  Land  Surveying
17        Qualifications Based Selection Act.
18             (ff)  Security  portions  of  system  safety program
19        plans, investigation reports, surveys, schedules,  lists,
20        data,  or information compiled, collected, or prepared by
21        or  for  the  Regional  Transportation  Authority   under
22        Section 2.11 of the Regional Transportation Authority Act
23        or  the  State  of  Missouri  under  the Bi-State Transit
24        Safety Act.
25             (gg) (ff)  Information the disclosure  of  which  is
26        restricted  and exempted under Section 50 of the Illinois
27        Prepaid Tuition Act.
28             (hh)  Information that would disclose or might  lead
29        to  the disclosure of secret or confidential information,
30        codes, algorithms, programs, or private keys intended  to
31        be  used to create electronic or digital signatures under
32        the Electronic Commerce Security Act.
33        (2)  This  Section  does  not  authorize  withholding  of
34    information or limit  the  availability  of  records  to  the
                            -39-               LRB9009236JSmg
 1    public,  except  as  stated  in  this  Section  or  otherwise
 2    provided in this Act.
 3    (Source:  P.A.  90-262,  eff.  7-30-97; 90-273, eff. 7-30-97;
 4    90-546, eff. 12-1-97; revised 12-24-97.)
 5        (15 ILCS 405/14.01 rep.)
 6        Section 95-10.  The State Comptroller Act is  amended  by
 7    repealing Section 14.01.
 8        Section  95-15.   The Criminal Code of 1961 is amended by
 9    changing Section 17-3 as follows:
10        (720 ILCS 5/17-3) (from Ch. 38, par. 17-3)
11        Sec. 17-3. Forgery.
12        (a)  A  person  commits  forgery  when,  with  intent  to
13    defraud, he knowingly:
14             (1)  makes or alters any document apparently capable
15        of defrauding another in such manner that it purports  to
16        have  been  made  by  another or at another time, or with
17        different provisions, or by authority of one who did  not
18        give such authority; or
19             (2)  issues  or delivers such document knowing it to
20        have been thus made or altered; or
21             (3)  possesses, with intent to issue or deliver, any
22        such document knowing  it  to  have  been  thus  made  or
23        altered; or.
24             (4)  unlawfully uses the signature device of another
25        to  create  an electronic signature of that other person,
26        as those terms are defined  in  the  Electronic  Commerce
27        Security Act.
28        (b)  An  intent  to  defraud  means an intention to cause
29    another to assume, create, transfer, alter or  terminate  any
30    right,  obligation  or  power with reference to any person or
31    property.
                            -40-               LRB9009236JSmg
 1        (c)  A document apparently capable of defrauding  another
 2    includes,  but  is  not  limited  to, one by which any right,
 3    obligation or power with reference to any person or  property
 4    may  be  created,  transferred,  altered  or  terminated.   A
 5    document  includes  any  record or electronic record as those
 6    terms are defined in the Electronic Commerce Security Act.
 7        (d)  Sentence.
 8        Forgery is a Class 3 felony.
 9    (Source: P.A. 77-2638.)
10                     ARTICLE 99.  EFFECTIVE DATE
11        Section 99-1.  Effective  date.  This  Act  takes  effect
12    July 1, 1999.
