[ Search ] [ Legislation ] [ Bill Summary ]
[ Home ] [ Back ] [ Bottom ]
| [ Introduced ] | [ Engrossed ] | [ House Amendment 001 ] |
| [ Senate Amendment 002 ] |
90_HB3180enr
New Act
5 ILCS 70/1.15 from Ch. 1, par. 1016
5 ILCS 140/7 from Ch. 116, par. 207
15 ILCS 405/14.01 rep.
720 ILCS 5/17-3 from Ch. 38, par. 17-3
Creates the Electronic Commerce Security Act. Authorizes
the use of digital signatures and other forms of electronic
signatures in a manner designed to provide legal certainty
necessary to effect transactions over public electronic
networks. Provides that electronic records can satisfy the
legal requirement that information must be in writing. Sets
forth requirements for use of electronic signatures by State
agencies. Grants rule-making authority to the Secretary of
State regarding use by State agencies. Establishes criminal
penalties and civil remedies for violations. Amends certain
Acts to make changes accommodating the Act. Effective July
1, 1999.
LRB9009236JSmg
HB3180 Enrolled LRB9009236JSmg
1 AN ACT relating to electronic commerce security, amending
2 named Acts.
3 Be it enacted by the People of the State of Illinois,
4 represented in the General Assembly:
5 ARTICLE 1. SHORT TITLE; PURPOSE
6 Section 1-101. Short title. This Act may be cited as the
7 Electronic Commerce Security Act.
8 Section 1-105. Purposes and construction. This Act shall
9 be construed consistently with what is commercially
10 reasonable under the circumstances and to effectuate the
11 following purposes:
12 (1) To facilitate electronic communications by means of
13 reliable electronic records.
14 (2) To facilitate and promote electronic commerce, by
15 eliminating barriers resulting from uncertainties over
16 writing and signature requirements, and promoting the
17 development of the legal and business infrastructure
18 necessary to implement secure electronic commerce.
19 (3) To facilitate electronic filing of documents with
20 State and local government agencies, and promote efficient
21 delivery of government services by means of reliable
22 electronic records.
23 (4) To minimize the incidence of forged electronic
24 records, intentional and unintentional alteration of records,
25 and fraud in electronic commerce.
26 (5) To help to establish uniformity of rules and
27 standards regarding the authentication and integrity of
28 electronic records.
29 (6) To promote public confidence in the integrity and
30 reliability of electronic records and electronic commerce.
HB3180 Enrolled -2- LRB9009236JSmg
1 Section 1-110. Variation by agreement. As between parties
2 involved in generating, sending, receiving, storing, or
3 otherwise processing electronic records, the applicability of
4 provisions of this Act may be waived by agreement of the
5 parties, except for the provisions of Sections 10-140,
6 15-210, 15-215, 15-220, and subsection (b) of Section 10-130
7 of this Act.
8 ARTICLE 5. ELECTRONIC RECORDS AND SIGNATURES GENERALLY
9 Section 5-105. Definitions.
10 "Asymmetric cryptosystem" means a computer-based system
11 capable of generating and using a key pair consisting of a
12 private key for creating a digital signature and a public key
13 to verify the digital signature.
14 "Certificate" means a record that at a minimum: (a)
15 identifies the certification authority issuing it; (b) names
16 or otherwise identifies its subscriber or a device or
17 electronic agent under the control of the subscriber; (c)
18 contains a public key that corresponds to a private key under
19 the control of the subscriber; (d) specifies its operational
20 period; and (e) is digitally signed by the certification
21 authority issuing it.
22 "Certification authority" means a person who authorizes
23 and causes the issuance of a certificate.
24 "Certification practice statement" is a statement
25 published by a certification authority that specifies the
26 policies or practices that the certification authority
27 employs in issuing, managing, suspending, and revoking
28 certificates and providing access to them.
29 "Correspond", with reference to keys, means to belong to
30 the same key pair.
31 "Digital signature" means a type of electronic signature
32 created by transforming an electronic record using a message
HB3180 Enrolled -3- LRB9009236JSmg
1 digest function and encrypting the resulting transformation
2 with an asymmetric cryptosystem using the signer's private
3 key such that any person having the initial untransformed
4 electronic record, the encrypted transformation, and the
5 signer's corresponding public key can accurately determine
6 whether the transformation was created using the private key
7 that corresponds to the signer's public key and whether the
8 initial electronic record has been altered since the
9 transformation was made. A digital signature is a security
10 procedure.
11 "Electronic" includes electrical, digital, magnetic,
12 optical, electromagnetic, or any other form of technology
13 that entails capabilities similar to these technologies.
14 "Electronic record" means a record generated,
15 communicated, received, or stored by electronic means for use
16 in an information system or for transmission from one
17 information system to another.
18 "Electronic signature" means a signature in electronic
19 form attached to or logically associated with an electronic
20 record.
21 "Information" includes data, text, images, sound, codes,
22 computer programs, software, databases, and the like.
23 "Key pair" means, in an asymmetric cryptosystem, 2
24 mathematically related keys, referred to as a private key and
25 a public key, having the properties that (i) one key (the
26 private key) can encrypt a message that only the other key
27 (the public key) can decrypt, and (ii) even knowing one key
28 (the public key), it is computationally unfeasible to
29 discover the other key (the private key).
30 "Message digest function" means an algorithm that maps or
31 translates the sequence of bits comprising an electronic
32 record into another, generally smaller, set of bits (the
33 message digest) without requiring the use of any secret
34 information such as a key, such that an electronic record
HB3180 Enrolled -4- LRB9009236JSmg
1 yields the same message digest every time the algorithm is
2 executed using such record as input and it is computationally
3 unfeasible that any 2 electronic records can be found or
4 deliberately generated that would produce the same message
5 digest using the algorithm unless the 2 records are precisely
6 identical.
7 "Operational period of a certificate" begins on the date
8 and time the certificate is issued by a certification
9 authority (or on a later date and time certain if stated in
10 the certificate) and ends on the date and time it expires as
11 noted in the certificate or is earlier revoked, but does not
12 include any period during which a certificate is suspended.
13 "Person" means an individual, corporation, business
14 trust, estate, trust, partnership, limited partnership,
15 limited liability partnership, limited liability company,
16 association, joint venture, government, governmental
17 subdivision, agency, or instrumentality, or any other legal
18 or commercial entity.
19 "Private key" means the key of a key pair used to create
20 a digital signature.
21 "Public key" means the key of a key pair used to verify a
22 digital signature.
23 "Record" means information that is inscribed, stored, or
24 otherwise fixed on a tangible medium or that is stored in an
25 electronic or other medium and is retrievable in perceivable
26 form.
27 "Repository" means a system for storing and retrieving
28 certificates or other information relevant to certificates,
29 including information relating to the status of a
30 certificate.
31 "Revoke a certificate" means to permanently end the
32 operational period of a certificate from a specified time
33 forward.
34 "Rule of law" means any statute, ordinance, common law
HB3180 Enrolled -5- LRB9009236JSmg
1 rule, court decision, or other rule of law enacted,
2 established or promulgated by the State of Illinois, or any
3 agency, commission, department, court, other authority or
4 political subdivision of the State of Illinois.
5 "Security procedure" means a methodology or procedure
6 used for the purpose of (1) verifying that an electronic
7 record is that of a specific person or (2) detecting error or
8 alteration in the communication, content, or storage of an
9 electronic record since a specific point in time. A security
10 procedure may require the use of algorithms or codes,
11 identifying words or numbers, encryption, answer back or
12 acknowledgment procedures, or similar security devices.
13 "Signature device" means unique information, such as
14 codes, algorithms, letters, numbers, private keys, or
15 personal identification numbers (PINs), or a uniquely
16 configured physical device, that is required, alone or in
17 conjunction with other information or devices, in order to
18 create an electronic signature attributable to a specific
19 person.
20 "Signed" or "signature" includes any symbol executed or
21 adopted, or any security procedure employed or adopted, using
22 electronic means or otherwise, by or on behalf of a person
23 with intent to authenticate a record.
24 "State agency" means and includes all officers, boards,
25 commissions, courts, and agencies created by the Illinois
26 Constitution, whether in the executive, legislative or
27 judicial branch, all officers, departments, boards,
28 commissions, agencies, institutions, authorities,
29 universities, bodies politic and corporate of the State; and
30 administrative units or corporate outgrowths of the State
31 government which are created by or pursuant to statute, other
32 than units of local government and their officers, school
33 districts and boards of election commissioners; all
34 administrative units and corporate outgrowths of the above
HB3180 Enrolled -6- LRB9009236JSmg
1 and as may be created by executive order of the Governor.
2 "Subscriber" means a person who is the subject named or
3 otherwise identified in a certificate, who controls a private
4 key that corresponds to the public key listed in that
5 certificate, and who is the person to whom digitally signed
6 messages verified by reference to such certificate are to be
7 attributed.
8 "Suspend a certificate" means to temporarily suspend the
9 operational period of a certificate for a specified time
10 period or from a specified time forward.
11 "Trustworthy manner" means through the use of computer
12 hardware, software, and procedures that, in the context in
13 which they are used: (a) can be shown to be reasonably
14 resistant to penetration, compromise, and misuse; (b) provide
15 a reasonable level of reliability and correct operation; (c)
16 are reasonably suited to performing their intended functions
17 or serving their intended purposes; (d) comply with
18 applicable agreements between the parties, if any; and (e)
19 adhere to generally accepted security procedures.
20 "Valid certificate" means a certificate that a
21 certification authority has issued and that the subscriber
22 listed in the certificate has accepted.
23 "Verify a digital signature" means to use the public key
24 listed in a valid certificate, along with the appropriate
25 message digest function and asymmetric cryptosystem, to
26 evaluate a digitally signed electronic record, such that the
27 result of the process concludes that the digital signature
28 was created using the private key corresponding to the public
29 key listed in the certificate and the electronic record has
30 not been altered since its digital signature was created.
31 Section 5-110. Legal recognition. Information, records,
32 and signatures shall not be denied legal effect, validity, or
33 enforceability solely on the grounds that they are in
HB3180 Enrolled -7- LRB9009236JSmg
1 electronic form.
2 Section 5-115. Electronic records.
3 (a) Where a rule of law requires information to be
4 "written" or "in writing", or provides for certain
5 consequences if it is not, an electronic record satisfies
6 that rule of law.
7 (b) The provisions of this Section shall not apply:
8 (1) when its application would involve a
9 construction of a rule of law that is clearly
10 inconsistent with the manifest intent of the lawmaking
11 body or repugnant to the context of the same rule of law,
12 provided that the mere requirement that information be
13 "in writing", "written", or "printed" shall not by itself
14 be sufficient to establish such intent;
15 (2) to any rule of law governing the creation or
16 execution of a will or trust, living will, or healthcare
17 power of attorney; and
18 (3) to any record that serves as a unique and
19 transferable instrument of rights and obligations
20 including, without limitation, negotiable instruments and
21 other instruments of title wherein possession of the
22 instrument is deemed to confer title, unless an
23 electronic version of such record is created, stored, and
24 transferred in a manner that allows for the existence of
25 only one unique, identifiable, and unalterable original
26 with the functional attributes of an equivalent physical
27 instrument, that can be possessed by only one person, and
28 which cannot be copied except in a form that is readily
29 identifiable as a copy.
30 Section 5-120. Electronic signatures.
31 (a) Where a rule of law requires a signature, or
32 provides for certain consequences if a document is not
HB3180 Enrolled -8- LRB9009236JSmg
1 signed, an electronic signature satisfies that rule of law.
2 (b) An electronic signature may be proved in any manner,
3 including by showing that a procedure existed by which a
4 party must of necessity have executed a symbol or security
5 procedure for the purpose of verifying that an electronic
6 record is that of such party in order to proceed further with
7 a transaction.
8 (c) The provisions of this Section shall not apply:
9 (1) when its application would involve a
10 construction of a rule of law that is clearly
11 inconsistent with the manifest intent of the lawmaking
12 body or repugnant to the context of the same rule of law,
13 provided that the mere requirement of a "signature" or
14 that a record be "signed" shall not by itself be
15 sufficient to establish such intent;
16 (2) to any rule of law governing the creation or
17 execution of a will or trust, living will, or healthcare
18 power of attorney; and
19 (3) to any record that serves as a unique and
20 transferable instrument of rights and obligations
21 including, without limitation, negotiable instruments and
22 other instruments of title wherein possession of the
23 instrument is deemed to confer title, unless an
24 electronic version of such record is created, stored, and
25 transferred in a manner that allows for the existence of
26 only one unique, identifiable, and unalterable original
27 with the functional attributes of an equivalent physical
28 instrument, that can be possessed by only one person, and
29 which cannot be copied except in a form that is readily
30 identifiable as a copy.
31 Section 5-125. Original.
32 (a) Where a rule of law requires information to be
33 presented or retained in its original form, or provides
HB3180 Enrolled -9- LRB9009236JSmg
1 consequences for the information not being presented or
2 retained in its original form, that rule of law is satisfied
3 by an electronic record if there exists reliable assurance as
4 to the integrity of the information from the time when it was
5 first generated in its final form, as an electronic record or
6 otherwise.
7 (b) The criteria for assessing integrity shall be
8 whether the information has remained complete and unaltered,
9 apart from the addition of any endorsement or other
10 information that arises in the normal course of
11 communication, storage and display. The standard of
12 reliability required to ensure that information has remained
13 complete and unaltered shall be assessed in the light of the
14 purpose for which the information was generated and in the
15 light of all the relevant circumstances.
16 (c) The provisions of this Section do not apply to any
17 record that serves as a unique and transferable instrument of
18 rights and obligations including, without limitation,
19 negotiable instruments and other instruments of title wherein
20 possession of the instrument is deemed to confer title,
21 unless an electronic version of such record is created,
22 stored, and transferred in a manner that allows for the
23 existence of only one unique, identifiable, and unalterable
24 original with the functional attributes of an equivalent
25 physical instrument, that can be possessed by only one
26 person, and which cannot be copied except in a form that is
27 readily identifiable as a copy.
28 Section 5-130. Admissibility into evidence.
29 (a) In any legal proceeding, nothing in the application
30 of the rules of evidence shall apply so as to deny the
31 admissibility of an electronic record or electronic signature
32 into evidence:
33 (1) on the sole ground that it is an electronic
HB3180 Enrolled -10- LRB9009236JSmg
1 record or electronic signature; or
2 (2) on the grounds that it is not in its original
3 form or is not an original.
4 (b) Information in the form of an electronic record
5 shall be given due evidentiary weight by the trier of fact.
6 In assessing the evidential weight of an electronic record or
7 electronic signature where its authenticity is in issue, the
8 trier of fact may consider the manner in which it was
9 generated, stored or communicated, the reliability of the
10 manner in which its integrity was maintained, the manner in
11 which its originator was identified or the electronic record
12 was signed, and any other relevant information or
13 circumstances.
14 Section 5-135. Retention of electronic records.
15 (a) Where a rule of law requires that certain documents,
16 records or information be retained, that requirement is met
17 by retaining electronic records of such information in a
18 trustworthy manner, provided that the following conditions
19 are satisfied:
20 (1) the electronic record and the information
21 contained therein are accessible so as to be usable for
22 subsequent reference at all times when such information
23 must be retained;
24 (2) the information is retained in the format in
25 which it was originally generated, sent, or received or
26 in a format that can be demonstrated to represent
27 accurately the information originally generated, sent or
28 received; and
29 (3) such data as enables the identification of the
30 origin and destination of the information, the
31 authenticity and integrity of the information, and the
32 date and time when it was sent or received, if any, is
33 retained.
HB3180 Enrolled -11- LRB9009236JSmg
1 (b) An obligation to retain documents, records or
2 information in accordance with subsection (a) does not extend
3 to any data the sole purpose of which is to enable the record
4 to be sent or received.
5 (c) Nothing in this Section shall preclude any State
6 agency from specifying additional requirements for the
7 retention of records that are subject to the jurisdiction of
8 such agency.
9 Section 5-140. Electronic use not required. Nothing in
10 this Act shall be construed to:
11 (1) require any person to create, store, transmit,
12 accept, or otherwise use or communicate information,
13 records, or signatures by electronic means or in
14 electronic form; or
15 (2) prohibit any person engaging in an electronic
16 transaction from establishing reasonable requirements
17 regarding the medium on which it will accept records or
18 the method and type of symbol or security procedure it
19 will accept as a signature.
20 Section 5-145. Applicability of other statutes or rules.
21 Notwithstanding any provisions of this Act, if any other
22 statute or rule requires approval by a State agency prior to
23 the use or retention of electronic records or the use of
24 electronic signatures, the provisions of that other statute
25 or rule shall also apply.
26 ARTICLE 10. SECURE ELECTRONIC RECORDS AND SIGNATURES
27 Section 10-105. Secure electronic record.
28 (a) If, through the use of a qualified security
29 procedure, it can be verified that an electronic record has
30 not been altered since a specified point in time, then such
HB3180 Enrolled -12- LRB9009236JSmg
1 electronic record shall be considered to be a secure
2 electronic record from such specified point in time to the
3 time of verification, if the relying party establishes that
4 the qualified security procedure was:
5 (1) commercially reasonable under the
6 circumstances;
7 (2) applied by the relying party in a trustworthy
8 manner; and
9 (3) reasonably and in good faith relied upon by the
10 relying party.
11 (b) A qualified security procedure for purposes of this
12 Section is a security procedure to detect changes in the
13 content of an electronic record that is:
14 (1) previously agreed to by the parties; or
15 (2) certified by the Secretary of State in
16 accordance with Section 10-135 as being capable of
17 providing reliable evidence that an electronic record has
18 not been altered.
19 Section 10-110. Secure electronic signature.
20 (a) If, through the use of a qualified security
21 procedure, it can be verified that an electronic signature is
22 the signature of a specific person, then such electronic
23 signature shall be considered to be a secure electronic
24 signature at the time of verification, if the relying party
25 establishes that the qualified security procedure was:
26 (1) commercially reasonable under the
27 circumstances;
28 (2) applied by the relying party in a trustworthy
29 manner; and
30 (3) reasonably and in good faith relied upon by the
31 relying party.
32 (b) A qualified security procedure for purposes of this
33 Section is a security procedure for identifying a person that
HB3180 Enrolled -13- LRB9009236JSmg
1 is:
2 (1) previously agreed to by the parties; or
3 (2) certified by the Secretary of State in
4 accordance with Section 10-135 as being capable of
5 creating, in a trustworthy manner, an electronic
6 signature that:
7 (A) is unique to the signer within the context
8 in which it is used;
9 (B) can be used to objectively identify the
10 person signing the electronic record;
11 (C) was reliably created by such identified
12 person, (e.g., because some aspect of the procedure
13 involves the use of a signature device or other
14 means or method that is under the sole control of
15 such person), and that cannot be readily duplicated
16 or compromised; and
17 (D) is created, and is linked to the
18 electronic record to which it relates, in a manner
19 such that if the record or the signature is
20 intentionally or unintentionally changed after
21 signing the electronic signature is invalidated.
22 Section 10-115. Commercially reasonable; reliance.
23 (a) The commercial reasonableness of a security
24 procedure is a question of law to be determined in light of
25 the purposes of the procedure and the commercial
26 circumstances at the time the procedure was used, including
27 the nature of the transaction, sophistication of the parties,
28 volume of similar transactions engaged in by either or both
29 of the parties, availability of alternatives offered to but
30 rejected by either of the parties, cost of alternative
31 procedures, and procedures in general use for similar types
32 of transactions.
33 (b) Whether reliance on a security procedure was
HB3180 Enrolled -14- LRB9009236JSmg
1 reasonable and in good faith is to be determined in light of
2 all the circumstances known to the relying party at the time
3 of the reliance, having due regard to the:
4 (1) information that the relying party knew or
5 should have known of at the time of reliance that would
6 suggest that reliance was or was not reasonable;
7 (2) the value or importance of the electronic
8 record, if known;
9 (3) any course of dealing between the relying party
10 and the purported sender and the available indicia of
11 reliability or unreliability apart from the security
12 procedure;
13 (4) any usage of trade, particularly trade
14 conducted by trustworthy systems or other computer-based
15 means; and
16 (5) whether the verification was performed with the
17 assistance of an independent third party.
18 Section 10-120. Presumptions.
19 (a) In resolving a civil dispute involving a secure
20 electronic record, it shall be rebuttably presumed that the
21 electronic record has not been altered since the specific
22 point in time to which the secure status relates.
23 (b) In resolving a civil dispute involving a secure
24 electronic signature, it shall be rebuttably presumed that
25 the secure electronic signature is the signature of the
26 person to whom it correlates.
27 (c) The effect of presumptions provided in this Section
28 is to place on the party challenging the integrity of a
29 secure electronic record or challenging the genuineness of a
30 secure electronic signature both the burden of going forward
31 with evidence to rebut the presumption and the burden of
32 persuading the trier of fact that the nonexistence of the
33 presumed fact is more probable than its existence.
HB3180 Enrolled -15- LRB9009236JSmg
1 (d) In the absence of a secure electronic record or a
2 secure electronic signature, nothing in this Act shall change
3 existing rules regarding legal or evidentiary rules regarding
4 the burden of proving the authenticity and integrity of an
5 electronic record or an electronic signature.
6 Section 10-125. Creation and control of signature
7 devices. Except as otherwise provided by another applicable
8 rule of law, whenever the creation, validity, or reliability
9 of an electronic signature created by a qualified security
10 procedure under Section 10-105 or 10-110 is dependent upon
11 the secrecy or control of a signature device of the signer:
12 (1) the person generating or creating the signature
13 device must do so in a trustworthy manner;
14 (2) the signer and all other persons that rightfully
15 have access to such signature device must exercise reasonable
16 care to retain control and maintain the secrecy of the
17 signature device, and to protect it from any unauthorized
18 access, disclosure, or use, during the period when reliance
19 on a signature created by such device is reasonable;
20 (3) in the event that the signer, or any other person
21 that rightfully has access to such signature device, knows or
22 has reason to know that the secrecy or control of any such
23 signature device has been compromised, such person must make
24 a reasonable effort to promptly notify all persons that such
25 person knows might foreseeably be damaged as a result of such
26 compromise, or where an appropriate publication mechanism is
27 available (which, for State agencies, may include the
28 official newspaper designated pursuant to Section 4 of the
29 Illinois Purchasing Act where appropriate), to publish notice
30 of the compromise and a disavowal of any signatures created
31 thereafter.
32 Section 10-130. Attribution of signature.
HB3180 Enrolled -16- LRB9009236JSmg
1 (a) Except as provided by another applicable rule of
2 law, a secure electronic signature is attributable to the
3 person to whom it correlates, whether or not authorized, if:
4 (1) the electronic signature resulted from acts of
5 a person that obtained the signature device or other
6 information necessary to create the signature from a
7 source under the control of the alleged signer, creating
8 the appearance that it came from that party;
9 (2) the access or use occurred under circumstances
10 constituting a failure to exercise reasonable care by the
11 alleged signer; and
12 (3) the relying party relied reasonably and in good
13 faith to its detriment on the apparent source of the
14 electronic record.
15 (b) The provisions of this Section shall not apply to
16 transactions intended primarily for personal, family, or
17 household use, or otherwise defined as consumer transactions
18 by applicable law including, but not limited to, credit card
19 and automated teller machine transactions except to the
20 extent allowed by applicable consumer law.
21 Section 10-135. Secretary of State authority to certify
22 security procedures.
23 (a) A security procedure may be certified by the
24 Secretary of State, as a qualified security procedure for
25 purposes of Sections 10-105 or 10-110, following an
26 appropriate investigation or review, if:
27 (1) the security procedure (including any
28 technology and algorithms it employs) is completely open
29 and fully disclosed to the public, and has been so for a
30 sufficient length of time, so as to facilitate a
31 comprehensive review and evaluation of its suitability
32 for the intended purpose by the applicable information
33 security or scientific community; and
HB3180 Enrolled -17- LRB9009236JSmg
1 (2) the security procedure (including any
2 technology and algorithms it employs) has been generally
3 accepted in the applicable information security or
4 scientific community as being capable of satisfying the
5 requirements of Section 10-105 or 10-110, as applicable,
6 in a trustworthy manner.
7 (b) In making a determination regarding whether the
8 security procedure (including any technology and algorithms
9 it employs) has been generally accepted in the applicable
10 information security or scientific community, the Secretary
11 of State shall consider the opinion of independent experts in
12 the applicable field and the published findings of such
13 community, including applicable standards organizations such
14 as the American National Standards Institute (ANSI),
15 International Standards Organization (ISO), International
16 Telecommunications Union (ITU), and the National Institute of
17 Standards and Technology (NIST).
18 (c) Such certification shall be done through the
19 adoption of rules in accordance with the provisions of the
20 Illinois Administrative Procedure Act and shall specify a
21 full and complete identification of the security procedure,
22 including requirements as to how it is to be implemented, if
23 appropriate.
24 (d) The Secretary of State may also decertify a security
25 procedure as a qualified security procedure for purposes of
26 Sections 10-105 or 10-110 following an appropriate
27 investigation or review and the adoption of rules in
28 accordance with the provisions of the Illinois Administrative
29 Procedure Act if subsequent developments establish that the
30 security procedure is no longer sufficiently trustworthy or
31 reliable for its intended purpose, or for any other reason no
32 longer meets the requirements for certification.
33 (e) The Secretary of State shall have exclusive
34 authority to certify security procedures under this Section.
HB3180 Enrolled -18- LRB9009236JSmg
1 Section 10-140. Unauthorized use of signature device.
2 (a) No person shall knowingly or intentionally access,
3 copy, or otherwise obtain possession of or recreate the
4 signature device of another person without authorization for
5 the purpose of creating, or allowing or causing another
6 person to create, an unauthorized electronic signature using
7 such signature device. A person convicted of a violation of
8 this subsection shall be guilty of a Class A misdemeanor.
9 (b) No person shall knowingly alter, disclose, or use
10 the signature device of another person without authorization,
11 or in excess of lawful authorization, for the purpose of
12 creating, or allowing or causing another person to create, an
13 unauthorized electronic signature using such signature
14 device. A person convicted of a violation of this subsection
15 shall be guilty of a Class 4 felony. A person convicted of a
16 violation of this subsection who has previously been
17 convicted of a violation of this subsection or Section 15-210
18 shall be guilty of a Class 3 felony. A person who violates
19 this Section in furtherance of any scheme or artifice to
20 defraud in excess of $50,000 shall be guilty of a Class 2
21 felony.
22 ARTICLE 15. EFFECT OF A DIGITAL SIGNATURE
23 Section 15-101. Secure electronic record. A digital
24 signature that is created using an asymmetric algorithm
25 certified by the Secretary of State under item (2) of
26 subsection (b) of Section 10-105 shall be considered to be a
27 qualified security procedure for purposes of detecting
28 changes in the content of an electronic record under Section
29 10-105 if the digital signature was created during the
30 operational period of a valid certificate, and is verified
31 by reference to the public key listed in such certificate.
HB3180 Enrolled -19- LRB9009236JSmg
1 Section 15-105. Secure electronic signature. A digital
2 signature that is created using an asymmetric algorithm
3 certified by the Secretary of State under item (2) of
4 subsection (b) of Section 10-110 shall be considered to be a
5 qualified security procedure for purposes of identifying a
6 person under Section 10-110 if:
7 (1) the digital signature was created during the
8 operational period of a valid certificate, was used
9 within the scope of any other restrictions specified or
10 incorporated by reference in the certificate, if any, and
11 can be verified by reference to the public key listed in
12 the certificate; and
13 (2) the certificate is considered trustworthy
14 (i.e., an accurate binding of a public key to a person's
15 identity) because the certificate was issued by a
16 certification authority in accordance with standards,
17 procedures, and other requirements specified by the
18 Secretary of State, or the trier of fact independently
19 finds that the certificate was issued in a trustworthy
20 manner by a certification authority that properly
21 authenticated the subscriber and the subscriber's public
22 key, or otherwise finds that the material information set
23 forth in the certificate is true.
24 Section 15-115. Secretary of State authority to adopt
25 rules.
26 (a) The Secretary of State may adopt rules applicable to
27 both the public and private sectors for the purpose of
28 defining when a certificate is considered sufficiently
29 trustworthy under Section 15-105 such that a digital
30 signature verified by reference to such a certificate will be
31 considered a qualified security procedure under Section
32 10-110. The rules may include (1) establishing or adopting
33 standards applicable to certification authorities or
HB3180 Enrolled -20- LRB9009236JSmg
1 certificates, compliance with which may be measured by
2 becoming certified by the Secretary of State, becoming
3 accredited by one or more independent accrediting entities
4 recognized by the Secretary of State, or by other appropriate
5 means and (2) where appropriate, establishing fees to be
6 charged by the Secretary of State to recover all or a portion
7 of its costs in connection therewith.
8 (b) In developing the rules, the Secretary of State
9 shall endeavor to do so in a manner that will provide
10 maximum flexibility to the implementation of digital
11 signature technology and the business models necessary to
12 support it, that will provide a clear basis for the
13 recognition of certificates issued by foreign certification
14 authorities, and, to the extent reasonably possible, that
15 will maximize the opportunities for uniformity with the laws
16 of other jurisdictions (both within the United States and
17 internationally).
18 (c) The Secretary of State shall have exclusive
19 authority to adopt rules authorized by this Section.
20 Section 15-201. Reliance on certificates foreseeable.
21 It is foreseeable that persons relying on a digital signature
22 will also rely on a valid certificate containing the public
23 key by which the digital signature can be verified, during
24 the operational period of such certificate and within any
25 limits specified in such certificate.
26 Section 15-205. Restrictions on publication of
27 certificate. No person may publish a certificate, or
28 otherwise knowingly make it available to anyone likely to
29 rely on the certificate or on a digital signature that is
30 verifiable with reference to the public key listed in the
31 certificate, if such person knows that:
32 (1) the certification authority listed in the
HB3180 Enrolled -21- LRB9009236JSmg
1 certificate has not issued it;
2 (2) the subscriber listed in the certificate has
3 not accepted it; or
4 (3) the certificate has been revoked or suspended,
5 unless such publication is for the purpose of verifying a
6 digital signature created prior to such revocation or
7 suspension, or giving notice of revocation or suspension.
8 Section 15-210. Fraudulent use. No person shall
9 knowingly create, publish, alter, or otherwise use a
10 certificate for any fraudulent or other unlawful purpose. A
11 person convicted of a violation of this Section shall be
12 guilty of a Class 4 felony. A person convicted of a violation
13 of this Section who previously has been convicted of a
14 violation of this Section or Section 10-140 shall be guilty
15 of a Class 3 felony. A person who violates this Section in
16 furtherance of any scheme or artifice to defraud in excess of
17 $50,000 shall be guilty of a Class 2 felony.
18 Section 15-215. False or unauthorized request. No
19 person shall knowingly misrepresent his or her identity or
20 authorization in requesting or accepting a certificate or in
21 requesting suspension or revocation of a certificate. A
22 person convicted of a violation of this Section shall be
23 guilty of a Class A misdemeanor. A person who violates this
24 Section 10 times within a 12-month period, or in furtherance
25 of any scheme or artifice to defraud, shall be guilty of a
26 Class 4 felony. A person who violates this Section in
27 furtherance of any scheme or artifice to defraud in excess of
28 $50,000 shall be guilty of a Class 2 felony.
29 Section 15-220. Unauthorized use of signature device. No
30 person shall knowingly access, alter, disclose, or use the
31 signature device of a certification authority used to issue
HB3180 Enrolled -22- LRB9009236JSmg
1 certificates without authorization, or in excess of lawful
2 authorization, for the purpose of creating, or allowing or
3 causing another person to create, an unauthorized electronic
4 signature using such signature device. A person convicted of
5 a violation of this Section shall be guilty of a Class 3
6 felony. A person who violates this Section in furtherance of
7 any scheme or artifice to defraud shall be guilty of a Class
8 2 felony.
9 Section 15-301. Trustworthy services. Except as
10 conspicuously set forth in its certification practice
11 statement, a certification authority and a person maintaining
12 a repository must maintain its operations and perform its
13 services in a trustworthy manner.
14 Section 15-305. Disclosure.
15 (a) For each certificate issued by a certification
16 authority with the intention that it will be relied upon by
17 third parties to verify digital signatures created by
18 subscribers, a certification authority must publish or
19 otherwise make available to the subscriber and all such
20 relying parties:
21 (1) its certification practice statement, if any,
22 applicable thereto; and
23 (2) its certificate that identifies the
24 certification authority as a subscriber and that contains
25 the public key corresponding to the private key used by
26 the certification authority to digitally sign the
27 certificate (its "certification authority certificate").
28 (b) In the event of an occurrence that materially and
29 adversely affects a certification authority's operations or
30 system, its certification authority certificate, or any other
31 aspect of its ability to operate in a trustworthy manner, the
32 certification authority must act in accordance with
HB3180 Enrolled -23- LRB9009236JSmg
1 procedures governing such an occurrence specified in its
2 certification practice statement, or in the absence of such
3 procedures, must use reasonable efforts to notify any persons
4 that the certification authority knows might foreseeably be
5 damaged as a result of such occurrence.
6 Section 15-310. Issuance of a certificate. A
7 certification authority may issue a certificate to a
8 prospective subscriber for the purpose of allowing third
9 parties to verify digital signatures created by the
10 subscriber only after:
11 (1) the certification authority has received a request
12 for issuance from the prospective subscriber; and
13 (2) the certification authority has:
14 (A) complied with all of the relevant practices and
15 procedures set forth in its applicable certification
16 practice statement, if any; or
17 (B) in the absence of a certification practice
18 statement addressing these issues, confirmed in a
19 trustworthy manner that:
20 (i) the prospective subscriber is the person
21 to be listed in the certificate to be issued;
22 (ii) the information in the certificate to be
23 issued is accurate; and
24 (iii) the prospective subscriber rightfully
25 holds a private key capable of creating a digital
26 signature, and the public key to be listed in the
27 certificate can be used to verify a digital
28 signature affixed by such private key.
29 Section 15-315. Representations upon issuance of
30 certificate.
31 (a) By issuing a certificate with the intention that it
32 will be relied upon by third parties to verify digital
HB3180 Enrolled -24- LRB9009236JSmg
1 signatures created by the subscriber, a certification
2 authority represents to the subscriber, and to any person who
3 reasonably relies on information contained in the
4 certificate, in good faith and during its operational period,
5 that:
6 (1) the certification authority has processed,
7 approved, and issued, and will manage and revoke if
8 necessary, the certificate in accordance with its
9 applicable certification practice statement stated or
10 incorporated by reference in the certificate or of which
11 such person has notice, or in lieu thereof, in accordance
12 with this Act or the law of the jurisdiction governing
13 issuance of the certificate;
14 (2) the certification authority has verified the
15 identity of the subscriber to the extent stated in the
16 certificate or its applicable certification practice
17 statement, or in lieu thereof, that the certification
18 authority has verified the identity of the subscriber in
19 a trustworthy manner;
20 (3) the certification authority has verified that
21 the person requesting the certificate holds the private
22 key corresponding to the public key listed in the
23 certificate; and
24 (4) except as conspicuously set forth in the
25 certificate or its applicable certification practice
26 statement, to the certification authority's knowledge as
27 of the date the certificate was issued, all other
28 information in the certificate is accurate, and not
29 materially misleading.
30 (b) If a certification authority issued the certificate
31 subject to the laws of another jurisdiction, the
32 certification authority also makes all warranties and
33 representations, if any, otherwise applicable under the law
34 governing its issuance.
HB3180 Enrolled -25- LRB9009236JSmg
1 Section 15-320. Revocation of a certificate.
2 (a) During the operational period of a certificate, the
3 certification authority that issued the certificate must
4 revoke the certificate in accordance with the policies and
5 procedures governing revocation specified in its applicable
6 certification practice statement, or in the absence of such
7 policies and procedures, as soon as possible after:
8 (1) receiving a request for revocation by the
9 subscriber named in the certificate, and confirming that
10 the person requesting revocation is the subscriber, or is
11 an agent of the subscriber with authority to request the
12 revocation;
13 (2) receiving a certified copy of an individual
14 subscriber's death certificate, or upon confirming by
15 other reliable evidence that the subscriber is dead;
16 (3) being presented with documents effecting a
17 dissolution of a corporate subscriber, or confirmation by
18 other evidence that the subscriber has been dissolved or
19 has ceased to exist;
20 (4) being served with an order requiring revocation
21 that was issued by a court of competent jurisdiction; or
22 (5) confirmation by the certification authority
23 that:
24 (A) a material fact represented in the
25 certificate is false;
26 (B) a material prerequisite to issuance of the
27 certificate was not satisfied;
28 (C) the certification authority's private key
29 or system operations were compromised in a manner
30 materially affecting the certificate's reliability;
31 or
32 (D) the subscriber's private key was
33 compromised.
34 (b) Upon effecting such a revocation, the certification
HB3180 Enrolled -26- LRB9009236JSmg
1 authority must notify the subscriber and relying parties in
2 accordance with the policies and procedures governing notice
3 of revocation specified in its applicable certification
4 practice statement, or in the absence of such policies and
5 procedures, promptly notify the subscriber, promptly publish
6 notice of the revocation in all repositories where the
7 certification authority previously caused publication of the
8 certificate, and otherwise disclose the fact of revocation on
9 inquiry by a relying party.
10 ARTICLE 20. DUTIES OF SUBSCRIBERS
11 Section 20-101. Obtaining a certificate. All material
12 representations knowingly made by a person to a certification
13 authority for purposes of obtaining a certificate naming such
14 person as a subscriber must be accurate and complete to the
15 best of such person's knowledge and belief.
16 Section 20-105. Acceptance of a certificate.
17 (a) A person accepts a certificate that names such
18 person as a subscriber by publishing or approving publication
19 of it to one or more persons, or in a repository, or
20 otherwise demonstrating approval of it, while knowing or
21 having notice of its contents.
22 (b) By accepting a certificate, the subscriber listed in
23 the certificate represents to any person who reasonably
24 relies on information contained in the certificate, in good
25 faith and during its operational period, that:
26 (1) the subscriber rightfully holds the private key
27 corresponding to the public key listed in the
28 certificate;
29 (2) all representations made by the subscriber to
30 the certification authority and material to the
31 information listed in the certificate are true; and
HB3180 Enrolled -27- LRB9009236JSmg
1 (3) all information in the certificate that is
2 within the knowledge of the subscriber is true.
3 Section 20-110. Revocation of certificate. Except as
4 otherwise provided by another applicable rule of law, if the
5 private key corresponding to the public key listed in a valid
6 certificate is lost, stolen, accessible to an unauthorized
7 person, or otherwise compromised during the operational
8 period of the certificate, a subscriber who has learned of
9 the compromise must promptly request the issuing
10 certification authority to revoke the certificate and publish
11 notice of revocation in all repositories in which the
12 subscriber previously authorized the certificate to be
13 published, or otherwise provide reasonable notice of the
14 revocation.
15 ARTICLE 25. STATE AGENCY USE OF
16 ELECTRONIC RECORDS AND SIGNATURES
17 Section 25-101. State agency use of electronic records.
18 (a) Each State agency shall determine if, and the extent
19 to which, it will send and receive electronic records and
20 electronic signatures to and from other persons and otherwise
21 create, use, store, and rely upon electronic records and
22 electronic signatures.
23 (b) In any case where a State agency decides to send or
24 receive electronic records, or to accept document filings by
25 electronic records, the State agency may, by appropriate
26 agency rule (or court rule where appropriate), giving due
27 consideration to security, specify:
28 (1) the manner and format in which such electronic
29 records must be created, sent, received, and stored;
30 (2) if such electronic records must be signed, the
31 type of electronic signature required, the manner and
HB3180 Enrolled -28- LRB9009236JSmg
1 format in which such signature must be affixed to the
2 electronic record, and the identity of, or criteria that
3 must be met by, any third party used by the person filing
4 the document to facilitate the process;
5 (3) control processes and procedures as appropriate
6 to ensure adequate integrity, security, confidentiality,
7 and auditability of such electronic records; and
8 (4) any other required attributes for such
9 electronic records that are currently specified for
10 corresponding paper documents, or reasonably necessary
11 under the circumstances.
12 (c) All rules adopted by a State agency shall include
13 the relevant minimum security requirements established by the
14 Department of Central Management Services, if any.
15 (d) Whenever any rule of law requires or authorizes the
16 filing of any information, notice, lien, or other document or
17 record with any State agency, a filing made by an electronic
18 record shall have the same force and effect as a filing made
19 on paper in all cases where the State agency has authorized
20 or agreed to such electronic filing and the filing is made in
21 accordance with applicable rules or agreement.
22 (e) Nothing in this Act shall be construed to require
23 any State agency to use or to permit the use of electronic
24 records or electronic signatures.
25 Section 25-105. Department of Central Management
26 Services to adopt State standards.
27 (a) The Department of Central Management Services may
28 adopt rules setting forth minimum security requirements for
29 the use of electronic records and electronic signatures by
30 State agencies.
31 (b) The Department of Central Management Services shall
32 specify appropriate minimum security requirements to be
33 implemented and followed by State agencies for (1) the
HB3180 Enrolled -29- LRB9009236JSmg
1 generation, use, and storage of key pairs, (2) the issuance,
2 acceptance, use, suspension, and revocation of certificates,
3 and (3) the use of digital signatures.
4 (c) Each State agency shall have the authority to issue,
5 or contract for the issuance of, certificates to (i) its
6 employees and agents and (ii) persons conducting business or
7 other transactions with such State agency and to take other
8 actions consistent therewith, including the establishment of
9 repositories and the suspension or revocation of certificates
10 so issued, provided that the foregoing is conducted in
11 accordance with all the rules, procedures, and policies
12 specified by the Department of Central Management Services.
13 The Department of Central Management Services shall have the
14 authority to specify the rules, procedures, and policies
15 whereby State agencies may issue or contract for the issuance
16 of certificates.
17 (d) The Department of Central Management Services may
18 specify appropriate minimum standards and requirements that
19 must be satisfied by a certification authority before:
20 (1) its services are used by any State agency for
21 the issuance, publication, revocation, and suspension of
22 certificates to such agency, or its employees or agents
23 (for official use); or
24 (2) the certificates it issues will be accepted for
25 purposes of verifying digitally signed electronic records
26 sent to any State agency by any person.
27 (e) Where appropriate, the rules adopted by the
28 Department of Central Management Services pursuant to this
29 Section shall specify differing levels of minimum standards
30 from which implementing State agencies can select the
31 standard most appropriate for a particular application.
32 (f) The General Assembly, through the Joint Committee on
33 Legislative Support Services, and the Supreme Court,
34 separately for the respective branches, may adopt rules
HB3180 Enrolled -30- LRB9009236JSmg
1 setting forth the minimum security requirements for the use
2 of electronic records and electronic signatures by the
3 respective branches. The rules shall generally be consistent
4 with the rules adopted by the Department of Central
5 Management Services. The Joint Committee on Legislative
6 Support Services and the Supreme Court may also accept the
7 rules adopted by the Department of Central Management
8 Services for the use of electronic records and electronic
9 signatures by the respective branches.
10 (g) Except as provided in subsection (f) and in Section
11 25-101, the Department of Central Management Services shall
12 have exclusive authority to adopt rules authorized by this
13 Section.
14 Section 25-115. Interoperability. To the extent
15 reasonable under the circumstances, rules adopted by the
16 Department of Central Management Services or a State agency
17 relating to the use of electronic records or electronic
18 signatures shall be drafted in a manner designed to encourage
19 and promote consistency and interoperability with similar
20 requirements adopted by government agencies of other states
21 and the federal government.
22 ARTICLE 30. ENFORCEMENT; CIVIL REMEDY; SEVERABILITY
23 Section 30-1. Enforcement. The Secretary of State may
24 investigate complaints or other information indicating
25 violations of rules adopted by the Secretary of State under
26 this Act. The Secretary of State shall certify to the
27 Attorney General, for such action as the Attorney General may
28 deem appropriate, all information he or she obtains that
29 discloses a violation of any provision of this Act or the
30 rules adopted by the Secretary of State under this Act.
HB3180 Enrolled -31- LRB9009236JSmg
1 Section 30-5. Civil remedy. Whoever suffers loss by
2 reason of a violation of Section 10-140, 15-210, 15-215, or
3 15-220 of this Act or Section 17-3 of the Criminal Code of
4 1961 may, in a civil action against the violator, obtain
5 appropriate relief. In a civil action under this Section,
6 the court may award to the prevailing party reasonable
7 attorneys fees and other litigation expenses.
8 Section 30-110. Severability. The provisions of this
9 Act are severable under Section 1.31 of the Statute on
10 Statutes.
11 ARTICLE 95. AMENDATORY PROVISIONS
12 Section 95-1. The Statute on Statutes is amended by
13 changing Section 1.15 as follows:
14 (5 ILCS 70/1.15) (from Ch. 1, par. 1016)
15 Sec. 1.15. "Written" and "in writing" may include
16 printing, electronic, and any other mode of representing
17 words and letters; but when the written signature of any
18 person is required by law on to any official or public
19 writing or bond, required by law, it shall be (1) in the
20 proper handwriting of such person or, in case he is unable to
21 write, his proper mark or (2) an electronic signature as
22 defined in the Electronic Commerce Security Act, except as
23 otherwise provided by law.
24 (Source: P.A. 88-672, eff. 12-14-94.)
25 Section 95-5. The Freedom of Information Act is amended
26 by changing Section 7 as follows:
27 (5 ILCS 140/7) (from Ch. 116, par. 207)
28 Sec. 7. Exemptions.
HB3180 Enrolled -32- LRB9009236JSmg
1 (1) The following shall be exempt from inspection and
2 copying:
3 (a) Information specifically prohibited from
4 disclosure by federal or State law or rules and
5 regulations adopted under federal or State law.
6 (b) Information that, if disclosed, would
7 constitute a clearly unwarranted invasion of personal
8 privacy, unless the disclosure is consented to in writing
9 by the individual subjects of the information. The
10 disclosure of information that bears on the public duties
11 of public employees and officials shall not be considered
12 an invasion of personal privacy. Information exempted
13 under this subsection (b) shall include but is not
14 limited to:
15 (i) files and personal information maintained
16 with respect to clients, patients, residents,
17 students or other individuals receiving social,
18 medical, educational, vocational, financial,
19 supervisory or custodial care or services directly
20 or indirectly from federal agencies or public
21 bodies;
22 (ii) personnel files and personal information
23 maintained with respect to employees, appointees or
24 elected officials of any public body or applicants
25 for those positions;
26 (iii) files and personal information
27 maintained with respect to any applicant, registrant
28 or licensee by any public body cooperating with or
29 engaged in professional or occupational
30 registration, licensure or discipline;
31 (iv) information required of any taxpayer in
32 connection with the assessment or collection of any
33 tax unless disclosure is otherwise required by State
34 statute; and
HB3180 Enrolled -33- LRB9009236JSmg
1 (v) information revealing the identity of
2 persons who file complaints with or provide
3 information to administrative, investigative, law
4 enforcement or penal agencies; provided, however,
5 that identification of witnesses to traffic
6 accidents, traffic accident reports, and rescue
7 reports may be provided by agencies of local
8 government, except in a case for which a criminal
9 investigation is ongoing, without constituting a
10 clearly unwarranted per se invasion of personal
11 privacy under this subsection.
12 (c) Records compiled by any public body for
13 administrative enforcement proceedings and any law
14 enforcement or correctional agency for law enforcement
15 purposes or for internal matters of a public body, but
16 only to the extent that disclosure would:
17 (i) interfere with pending or actually and
18 reasonably contemplated law enforcement proceedings
19 conducted by any law enforcement or correctional
20 agency;
21 (ii) interfere with pending administrative
22 enforcement proceedings conducted by any public
23 body;
24 (iii) deprive a person of a fair trial or an
25 impartial hearing;
26 (iv) unavoidably disclose the identity of a
27 confidential source or confidential information
28 furnished only by the confidential source;
29 (v) disclose unique or specialized
30 investigative techniques other than those generally
31 used and known or disclose internal documents of
32 correctional agencies related to detection,
33 observation or investigation of incidents of crime
34 or misconduct;
HB3180 Enrolled -34- LRB9009236JSmg
1 (vi) constitute an invasion of personal
2 privacy under subsection (b) of this Section;
3 (vii) endanger the life or physical safety of
4 law enforcement personnel or any other person; or
5 (viii) obstruct an ongoing criminal
6 investigation.
7 (d) Criminal history record information maintained
8 by State or local criminal justice agencies, except the
9 following which shall be open for public inspection and
10 copying:
11 (i) chronologically maintained arrest
12 information, such as traditional arrest logs or
13 blotters;
14 (ii) the name of a person in the custody of a
15 law enforcement agency and the charges for which
16 that person is being held;
17 (iii) court records that are public;
18 (iv) records that are otherwise available
19 under State or local law; or
20 (v) records in which the requesting party is
21 the individual identified, except as provided under
22 part (vii) of paragraph (c) of subsection (1) of
23 this Section.
24 "Criminal history record information" means data
25 identifiable to an individual and consisting of
26 descriptions or notations of arrests, detentions,
27 indictments, informations, pre-trial proceedings, trials,
28 or other formal events in the criminal justice system or
29 descriptions or notations of criminal charges (including
30 criminal violations of local municipal ordinances) and
31 the nature of any disposition arising therefrom,
32 including sentencing, court or correctional supervision,
33 rehabilitation and release. The term does not apply to
34 statistical records and reports in which individuals are
HB3180 Enrolled -35- LRB9009236JSmg
1 not identified and from which their identities are not
2 ascertainable, or to information that is for criminal
3 investigative or intelligence purposes.
4 (e) Records that relate to or affect the security
5 of correctional institutions and detention facilities.
6 (f) Preliminary drafts, notes, recommendations,
7 memoranda and other records in which opinions are
8 expressed, or policies or actions are formulated, except
9 that a specific record or relevant portion of a record
10 shall not be exempt when the record is publicly cited and
11 identified by the head of the public body. The exemption
12 provided in this paragraph (f) extends to all those
13 records of officers and agencies of the General Assembly
14 that pertain to the preparation of legislative documents.
15 (g) Trade secrets and commercial or financial
16 information obtained from a person or business where the
17 trade secrets or information are proprietary, privileged
18 or confidential, or where disclosure of the trade secrets
19 or information may cause competitive harm, including all
20 information determined to be confidential under Section
21 4002 of the Technology Advancement and Development Act.
22 Nothing contained in this paragraph (g) shall be
23 construed to prevent a person or business from consenting
24 to disclosure.
25 (h) Proposals and bids for any contract, grant, or
26 agreement, including information which if it were
27 disclosed would frustrate procurement or give an
28 advantage to any person proposing to enter into a
29 contractor agreement with the body, until an award or
30 final selection is made. Information prepared by or for
31 the body in preparation of a bid solicitation shall be
32 exempt until an award or final selection is made.
33 (i) Valuable formulae, designs, drawings and
34 research data obtained or produced by any public body
HB3180 Enrolled -36- LRB9009236JSmg
1 when disclosure could reasonably be expected to produce
2 private gain or public loss.
3 (j) Test questions, scoring keys and other
4 examination data used to administer an academic
5 examination or determined the qualifications of an
6 applicant for a license or employment.
7 (k) Architects' plans and engineers' technical
8 submissions for projects not constructed or developed in
9 whole or in part with public funds and for projects
10 constructed or developed with public funds, to the extent
11 that disclosure would compromise security.
12 (l) Library circulation and order records
13 identifying library users with specific materials.
14 (m) Minutes of meetings of public bodies closed to
15 the public as provided in the Open Meetings Act until the
16 public body makes the minutes available to the public
17 under Section 2.06 of the Open Meetings Act.
18 (n) Communications between a public body and an
19 attorney or auditor representing the public body that
20 would not be subject to discovery in litigation, and
21 materials prepared or compiled by or for a public body in
22 anticipation of a criminal, civil or administrative
23 proceeding upon the request of an attorney advising the
24 public body, and materials prepared or compiled with
25 respect to internal audits of public bodies.
26 (o) Information received by a primary or secondary
27 school, college or university under its procedures for
28 the evaluation of faculty members by their academic
29 peers.
30 (p) Administrative or technical information
31 associated with automated data processing operations,
32 including but not limited to software, operating
33 protocols, computer program abstracts, file layouts,
34 source listings, object modules, load modules, user
HB3180 Enrolled -37- LRB9009236JSmg
1 guides, documentation pertaining to all logical and
2 physical design of computerized systems, employee
3 manuals, and any other information that, if disclosed,
4 would jeopardize the security of the system or its data
5 or the security of materials exempt under this Section.
6 (q) Documents or materials relating to collective
7 negotiating matters between public bodies and their
8 employees or representatives, except that any final
9 contract or agreement shall be subject to inspection and
10 copying.
11 (r) Drafts, notes, recommendations and memoranda
12 pertaining to the financing and marketing transactions of
13 the public body. The records of ownership, registration,
14 transfer, and exchange of municipal debt obligations, and
15 of persons to whom payment with respect to these
16 obligations is made.
17 (s) The records, documents and information relating
18 to real estate purchase negotiations until those
19 negotiations have been completed or otherwise terminated.
20 With regard to a parcel involved in a pending or actually
21 and reasonably contemplated eminent domain proceeding
22 under Article VII of the Code of Civil Procedure,
23 records, documents and information relating to that
24 parcel shall be exempt except as may be allowed under
25 discovery rules adopted by the Illinois Supreme Court.
26 The records, documents and information relating to a real
27 estate sale shall be exempt until a sale is consummated.
28 (t) Any and all proprietary information and records
29 related to the operation of an intergovernmental risk
30 management association or self-insurance pool or jointly
31 self-administered health and accident cooperative or
32 pool.
33 (u) Information concerning a university's
34 adjudication of student or employee grievance or
HB3180 Enrolled -38- LRB9009236JSmg
1 disciplinary cases, to the extent that disclosure would
2 reveal the identity of the student or employee and
3 information concerning any public body's adjudication of
4 student or employee grievances or disciplinary cases,
5 except for the final outcome of the cases.
6 (v) Course materials or research materials used by
7 faculty members.
8 (w) Information related solely to the internal
9 personnel rules and practices of a public body.
10 (x) Information contained in or related to
11 examination, operating, or condition reports prepared by,
12 on behalf of, or for the use of a public body responsible
13 for the regulation or supervision of financial
14 institutions or insurance companies, unless disclosure is
15 otherwise required by State law.
16 (y) Information the disclosure of which is
17 restricted under Section 5-108 of the Public Utilities
18 Act.
19 (z) Manuals or instruction to staff that relate to
20 establishment or collection of liability for any State
21 tax or that relate to investigations by a public body to
22 determine violation of any criminal law.
23 (aa) Applications, related documents, and medical
24 records received by the Experimental Organ
25 Transplantation Procedures Board and any and all
26 documents or other records prepared by the Experimental
27 Organ Transplantation Procedures Board or its staff
28 relating to applications it has received.
29 (bb) Insurance or self insurance (including any
30 intergovernmental risk management association or self
31 insurance pool) claims, loss or risk management
32 information, records, data, advice or communications.
33 (cc) Information and records held by the Department
34 of Public Health and its authorized representatives
HB3180 Enrolled -39- LRB9009236JSmg
1 relating to known or suspected cases of sexually
2 transmissible disease or any information the disclosure
3 of which is restricted under the Illinois Sexually
4 Transmissible Disease Control Act.
5 (dd) Information the disclosure of which is
6 exempted under Section 30 of the Radon Industry Licensing
7 Act.
8 (ee) Firm performance evaluations under Section 55
9 of the Architectural, Engineering, and Land Surveying
10 Qualifications Based Selection Act.
11 (ff) Security portions of system safety program
12 plans, investigation reports, surveys, schedules, lists,
13 data, or information compiled, collected, or prepared by
14 or for the Regional Transportation Authority under
15 Section 2.11 of the Regional Transportation Authority Act
16 or the State of Missouri under the Bi-State Transit
17 Safety Act.
18 (gg) (ff) Information the disclosure of which is
19 restricted and exempted under Section 50 of the Illinois
20 Prepaid Tuition Act.
21 (hh) Information that would disclose or might lead
22 to the disclosure of secret or confidential information,
23 codes, algorithms, programs, or private keys intended to
24 be used to create electronic or digital signatures under
25 the Electronic Commerce Security Act.
26 (2) This Section does not authorize withholding of
27 information or limit the availability of records to the
28 public, except as stated in this Section or otherwise
29 provided in this Act.
30 (Source: P.A. 90-262, eff. 7-30-97; 90-273, eff. 7-30-97;
31 90-546, eff. 12-1-97; revised 12-24-97.)
32 Section 95-10. The State Comptroller Act is amended by
33 changing Section 14.01 as follows:
HB3180 Enrolled -40- LRB9009236JSmg
1 (15 ILCS 405/14.01)
2 Sec. 14.01. Digital signatures.
3 (a) In any communication between a State agency and the
4 Comptroller in which a signature is required or used, any
5 party to the communication may affix a signature by use of a
6 digital signature that complies with the requirements of this
7 Section. The use of a digital signature shall have the same
8 force and effect as the use of a manual signature if and only
9 if it embodies all of the following attributes:
10 (1) It is unique to the person using it.
11 (2) It is capable of verification.
12 (3) It is under the sole control of the person
13 using it.
14 (4) It is linked to data in such a manner that if
15 the data are changed, the digital signature is
16 invalidated.
17 (5) It conforms to regulations adopted by the
18 Comptroller.
19 (b) The use or acceptance of a digital signature shall
20 be at the option of the parties. Nothing in this Section
21 shall require a State agency to use or permit the use of a
22 digital signature.
23 (c) "Digital signature" has the meaning ascribed to that
24 term in the Electronic Commerce Security Act means an
25 electronic identifier, created by computer, intended by the
26 party using it to have the same force and effect as the use
27 of a manual signature.
28 (Source: P.A. 90-37, eff. 6-27-97.)
29 Section 95-15. The Criminal Code of 1961 is amended by
30 changing Section 17-3 as follows:
31 (720 ILCS 5/17-3) (from Ch. 38, par. 17-3)
32 Sec. 17-3. Forgery.
HB3180 Enrolled -41- LRB9009236JSmg
1 (a) A person commits forgery when, with intent to
2 defraud, he knowingly:
3 (1) makes or alters any document apparently capable
4 of defrauding another in such manner that it purports to
5 have been made by another or at another time, or with
6 different provisions, or by authority of one who did not
7 give such authority; or
8 (2) issues or delivers such document knowing it to
9 have been thus made or altered; or
10 (3) possesses, with intent to issue or deliver, any
11 such document knowing it to have been thus made or
12 altered; or.
13 (4) unlawfully uses the signature device of another
14 to create an electronic signature of that other person,
15 as those terms are defined in the Electronic Commerce
16 Security Act.
17 (b) An intent to defraud means an intention to cause
18 another to assume, create, transfer, alter or terminate any
19 right, obligation or power with reference to any person or
20 property.
21 (c) A document apparently capable of defrauding another
22 includes, but is not limited to, one by which any right,
23 obligation or power with reference to any person or property
24 may be created, transferred, altered or terminated. A
25 document includes any record or electronic record as those
26 terms are defined in the Electronic Commerce Security Act.
27 (d) Sentence.
28 Forgery is a Class 3 felony.
29 (Source: P.A. 77-2638.)
30 ARTICLE 99. EFFECTIVE DATE
31 Section 99-1. Effective date. This Act takes effect
32 July 1, 1999.