100TH GENERAL ASSEMBLY
State of Illinois
2017 and 2018
SB3204

 

Introduced 2/15/2018, by Sen. Michael E. Hastings

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Consumer Credit Reporting Agency Registration and Cybersecurity Program Act. Provides for requirements for consumer credit reporting agency registration. Contains provisions regarding grounds for revocation and suspension of a registration. Provides that by January 1, 2019, a consumer credit reporting agency must have a cybersecurity program documented in writing and designed to protect the confidentiality, integrity and availability of its information systems. Provides that a consumer credit reporting agency shall implement and maintain a written cybersecurity policy setting forth its policies and procedures for the protection of its information systems and nonpublic information stored on those information systems. Provides that a consumer credit reporting agency shall designated a qualified individual as a chief information security officer to oversee and implement its cybersecurity policy. Contains provisions concerning penetration testing and vulnerability assessments, audit trail, access privileges, and application security. Provides that a consumer credit reporting agency shall conduct periodic risk assessments of its information systems. Provides requirements for cybersecurity personnel and third-party service provider security policy. Provides that a consumer credit reporting agency shall establish a written incident response plan designed to promptly respond to a cybersecurity event. Provides that the consumer credit reporting agency shall notify the Department of Financial and Professional Regulation of the existence of a cybersecurity event no later than 72 hours after the event occurred. Makes other changes. Effective immediately.


LRB100 20137 XWW 35421 b

FISCAL NOTE ACT MAY APPLY

 

 

A BILL FOR

 

SB3204LRB100 20137 XWW 35421 b

1    AN ACT concerning regulation.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 1. Short title. This Act may be cited as the
5Consumer Credit Reporting Agency Registration and
6Cybersecurity Program Act.
 
7    Section 5. Definitions. As used in this Act:
8    "Affiliate" means a person that controls, is controlled by,
9or is under common control with another person.
10    "Authorized user" means any employee, contractor, agent or
11other person that participates in the business operations of a
12consumer credit reporting agency and is authorized to access
13and use any information system and data of the consumer credit
14reporting agency.
15    "Consumer" means an individual.
16    "Consumer report" means a written, oral, or other
17communication of any information by a consumer reporting agency
18bearing on a consumer's credit worthiness, credit standing,
19credit capacity, character, general reputation, personal
20characteristics, or mode of living that is used or expected to
21be used or collected in whole or in part for the purpose of
22serving as a factor in establishing the consumer's eligibility
23for (i) credit or insurance to be used primarily for personal,

 

 

SB3204- 2 -LRB100 20137 XWW 35421 b

1family, or household purposes, (ii) employment purposes, or
2(iii) other purposes.
3    "Consumer reporting agency" means any person who, for
4monetary fees, dues, or on a cooperative nonprofit basis,
5regularly engages in whole or in part in the practice of
6assembling or evaluating consumer credit information or other
7information on consumers for the purpose of furnishing consumer
8reports or investigative consumer reports to third parties.
9    "Consumer credit reporting agency" means a consumer
10reporting agency that regularly engages in the practice of
11assembling or evaluating and maintaining public record
12information or credit account information from persons who
13furnish that information regularly and in the ordinary course
14of business for the purpose of furnishing consumer credit
15reports to third parties bearing on a consumer's credit
16worthiness, credit standing, and credit capacity.
17    "Cybersecurity event" means any act or attempt, successful
18or unsuccessful, to gain unauthorized access to, disrupt, or
19misuse an information system or information stored on such
20information system.
21    "Department" means the Department of Financial and
22Professional Responsibility.
23    "Financial institution" means a bank, savings bank,
24savings and loan association, credit union, or any licensee
25under the Consumer Installment Loan Act or the Sales Finance
26Agency Act.

 

 

SB3204- 3 -LRB100 20137 XWW 35421 b

1    "Information system" means a discrete set of electronic
2information resources organized for the collection,
3processing, maintenance, use, sharing, dissemination or
4disposition of electronic information, or any specialized
5system such as industrial or process control systems, telephone
6switching and private branch exchange systems, and
7environmental control systems.
8    "Multi-factor authentication" means authentication through
9verification of at least 2 of the following types of
10authentication factors:
11        (1) knowledge factor, such as a password;
12        (2) possession factor, such as a token or text message
13    on a mobile phone; or
14        (3) inherence factor, such as a biometric
15    characteristic.
16    "Nonpublic information" means all electronic information
17that is not publicly available information and is:
18        (1) business-related information of a consumer credit
19    reporting agency in which the tampering, or unauthorized
20    disclosure, access, or use of, would cause a material
21    adverse impact on the business, operations or security of
22    the consumer credit reporting agency;
23        (2) any information concerning an individual that
24    because of name, number, personal mark, or other identifier
25    can be used to identify such individual, in combination
26    with any one or more of the following data elements:

 

 

SB3204- 4 -LRB100 20137 XWW 35421 b

1            (i) social security number;
2            (ii) driver's license number or non-driver
3        identification card number;
4            (iii) account number, credit or debit card number;
5            (iv) any security code, access code or password
6        that would permit access to an individual's financial
7        account; or
8            (v) biometric records;
9        (3) any information or data, except age or gender, in
10    any form or medium created by or derived from a health care
11    provider or an individual that relates to:
12            (i) the past, present, or future physical, mental,
13        or behavioral health or condition of any individual or
14        a member of the individual's family;
15            (ii) the provision of health care to any
16        individual; or
17            (iii) payment for the provision of health care to
18        any individual.
19    "Penetration testing" means a test methodology in which
20assessors attempt to circumvent or defeat the security features
21of an information system by attempting penetration of databases
22or controls from outside or inside the consumer credit
23reporting agency's information systems.
24    "Person" means any individual or any non-governmental
25entity, including, but not limited to, any non-governmental
26partnership, corporation, branch, agency or association.

 

 

SB3204- 5 -LRB100 20137 XWW 35421 b

1    "Publicly available information" means any information
2that a consumer credit reporting agency has a reasonable basis
3to believe is lawfully made available to the general public
4from federal, State, or local government records, widely
5distributed media, or disclosures to the general public that
6are required to be made by federal, State or local law.
7        (1) For the purposes of this Act, a consumer credit
8    reporting agency has a reasonable basis to believe that
9    information is lawfully made available to the general
10    public if the consumer credit reporting agency has taken
11    steps to determine:
12            (i) that the information is of the type that is
13        available to the general public; and
14            (ii) whether an individual can direct that
15        information to make it unavailable to the general
16        public and, if so, that such individual has not done
17        so.
18    "Risk assessment" means the risk assessment that each
19consumer credit reporting agency is required to conduct under
20Section 65 of this Act.
21    "Risk-based authentication" means any risk-based system of
22authentication that detects anomalies or changes in the normal
23use patterns of a person and requires additional verification
24of the person's identity when such deviations or changes are
25detected, such as through the use of challenge questions.
26    "Senior officer" or "senior officers" means the senior

 

 

SB3204- 6 -LRB100 20137 XWW 35421 b

1individual or individuals, acting collectively or as a
2committee, responsible for the management, operations,
3security, information systems, compliance or risk of a consumer
4credit reporting agency, including a branch or agency of a
5foreign banking organization subject to this Act.
6    "Third-party service provider" means a person that:
7        (1) is not an affiliate of the consumer credit
8    reporting agency;
9        (2) provides services to the consumer credit reporting
10    agency; and
11        (3) maintains, processes, or otherwise is permitted
12    access to nonpublic information through provision of
13    services to the consumer credit reporting agency.
 
14    Section 10. Registration.
15    (a) A consumer credit reporting agency that assembles,
16evaluates, or maintains a consumer credit report on one or more
17consumers located in the State of Illinois shall register with
18the Department in a form and manner acceptable to the
19Department.
20    (b) For a business entity, the officer or officers and
21director or directors named in the registration application
22shall be designated responsible for the business entity's
23compliance with the financial services, banking, and insurance
24laws, rules, and regulations of this State.
25    (c) A consumer credit reporting agency that assembles,

 

 

SB3204- 7 -LRB100 20137 XWW 35421 b

1evaluates, or maintains a consumer credit report on any
2consumer located in the State of Illinois at any time between
3July 1, 2017 and September 1, 2018, shall make the registration
4required by subsection (a) on or before September 1, 2018. Any
5other consumer credit reporting agency shall make the
6registration required by subsection (a) prior to assembling,
7evaluating, or maintaining a consumer credit report on a
8consumer located in the State of Illinois.
9    (d) A consumer credit reporting agency shall renew its
10registration by January 1, 2019 for the 2019 calendar year, and
11by January 1 of each successive year for the calendar year
12thereafter.
13    (e) The Department may refuse to renew a consumer credit
14reporting agency's registration if, in the Department's
15judgment, the applicant or any member, principal, officer or
16director of the applicant, is not trustworthy and is not
17competent to act as or in connection with a consumer credit
18reporting agency, or that any of the foregoing has given cause
19for revocation or suspension of such registration, or has
20failed to comply with any minimum standard.
21    (f) Registrants under this Section shall be subject to
22examination by the Department as often as the Department may
23deem it necessary. The Department may promulgate regulations
24establishing methods and procedures for facilitating and
25verifying compliance with the requirements of this Act and such
26other regulations as necessary to enforce the provisions of

 

 

SB3204- 8 -LRB100 20137 XWW 35421 b

1this Act.
 
2    Section 15. Acting without registration.
3    (a) No individual, firm, association, corporation or other
4entity may assemble, evaluate, or maintain a consumer credit
5report on any consumer located in the State of Illinois without
6having a valid registration as a consumer credit reporting
7agency filed as described in Section 10 of this Act.
8    (b) No financial institution may pay any fee or other
9compensation to any consumer credit reporting agency that is
10required to be registered pursuant to Section 10 but fails to
11possess the required registration.
12    (c) No regulated person may transmit any information about
13a consumer located in the State of Illinois to a consumer
14credit reporting agency that is required to be registered
15pursuant to Section 10 of this Act but failed to possess the
16required registration.
 
17    Section 20. Revocation and suspension of a registration.
18    (a) The Department may refuse to renew, revoke, or may
19suspend the registration of a consumer credit report agency for
20a period the Department determines if, after notice and
21hearing, the Department determines that the registrant or any
22member, principal, officer, director, or controlling person of
23the registrant, has:
24        (1) violated any insurance, financial service, or

 

 

SB3204- 9 -LRB100 20137 XWW 35421 b

1    banking law or violated any regulation, subpoena or order
2    of the Department or any other State or federal agency with
3    authority to regulate consumer credit reporting agencies,
4    or has violated any law in the course of his or her
5    dealings in such capacity;
6        (2) provided materially incorrect, materially
7    misleading, materially incomplete or materially untrue
8    information in the registration application;
9        (3) failed to comply with the requirements of this Act,
10    including, but not limited to, Sections 30 through 105
11    concerning cybersecurity;
12        (4) used fraudulent, coercive or dishonest practices;
13    demonstrated incompetence; demonstrated untrustworthiness;
14    or demonstrated financial irresponsibility in the conduct
15    of business in this state or elsewhere;
16        (5) improperly withheld, misappropriated or converted
17    any moneys or properties received in the course of business
18    in this State or elsewhere;
19        (6) has been convicted of a felony;
20        (7) admitted or has been found to have committed any
21    unfair trade practice or fraud;
22        (8) had a consumer credit reporting agency
23    registration or its equivalent, denied, suspended, or
24    revoked in any other state, province, district or
25    territory; or
26        (9) failed to pay state income tax or comply with any

 

 

SB3204- 10 -LRB100 20137 XWW 35421 b

1    administrative or court order directing payment of state
2    income tax.
3    (b) Before revoking or suspending the registration of any
4consumer credit reporting agency pursuant to the provisions of
5this Act, the Department shall give notice to the registrant
6and shall hold, or cause to be held, a hearing not less than 10
7days after the giving of such notice.
8    (c) If a registration pursuant to the provisions of this
9Act is revoked or suspended by the Department, then the
10Department shall forthwith give notice to the registrant.
11    (d) The revocation or suspension of any registration
12pursuant to the provisions of this Act shall terminate
13forthwith such registration.
 
14    Section 25. Prohibited practices. No consumer credit
15reporting agency that assembles, evaluates, or maintains a
16consumer credit report on any consumer located in the State of
17Illinois shall:
18    (1) Directly or indirectly employ any scheme, device or
19artifice to defraud or mislead a consumer.
20    (2) Engage in any unfair, deceptive, or predatory act or
21practice toward any consumer, or misrepresent or omit any
22material information in connection with the assembly,
23evaluation, or maintenance of a credit report for a consumer
24located in the State of Illinois.
25    (3) Engage in any unfair, deceptive, or abusive act or

 

 

SB3204- 11 -LRB100 20137 XWW 35421 b

1practice in violation of Section 1036 of the Dodd-Frank Wall
2Street Reform and Consumer Protection Act.
3    (4) Include inaccurate information in any consumer report
4relating to a consumer located in the State of Illinois.
5    (5) Refuse to communicate with an authorized
6representative of a consumer located in the State of Illinois
7who provides a written authorization signed by the consumer,
8provided that the consumer credit reporting agency may adopt
9procedures reasonably related to verify that the
10representative is in fact authorized to act on behalf of the
11consumer.
12    (6) Make any false statement or make any omission of a
13material fact in connection with any information or reports
14filed with a governmental agency or in connection with any
15investigation conducted by another governmental agency.
 
16    Section 30. Cybersecurity program.
17    (a) By January 1, 2019, a consumer credit reporting agency
18that assembles, evaluates, or maintains a consumer credit
19report on Illinois consumers must have in place a written
20cybersecurity program designed to protect the confidentiality,
21integrity and availability of the consumer credit reporting
22agency's information systems.
23    (b) The cybersecurity program shall be based on the
24consumer credit reporting agency's risk assessment and
25designed to perform the following core cybersecurity

 

 

SB3204- 12 -LRB100 20137 XWW 35421 b

1functions:
2        (1) identify and assess internal and external
3    cybersecurity risks that may threaten the security or
4    integrity of nonpublic information stored on the consumer
5    credit reporting agency's information systems;
6        (2) use defensive infrastructure and the
7    implementation of policies and procedures to protect the
8    consumer credit reporting agency's information systems,
9    and the nonpublic information stored on those information
10    systems, from unauthorized access, use, or other malicious
11    acts;
12        (3) detect cybersecurity events;
13        (4) respond to identified or detected cybersecurity
14    events to mitigate any negative effects;
15        (5) recover from cybersecurity events and restore
16    normal operations and services; and
17        (6) fulfill applicable regulatory reporting
18    obligations.
19    (c) A consumer credit reporting agency may meet the
20requirements of this Act by adopting relevant and applicable
21provisions of a cybersecurity program maintained by an
22affiliate, provided that such provisions satisfy the
23requirements of this Act, as applicable to the consumer credit
24reporting agency.
25    (d) All documentation and information relevant to the
26consumer credit reporting agency's cybersecurity program shall

 

 

SB3204- 13 -LRB100 20137 XWW 35421 b

1be made available to the Department upon request.
 
2    Section 35. Cybersecurity policy. Each consumer credit
3reporting agency shall implement and maintain a written policy
4or policies, approved by a senior officer, the consumer credit
5reporting agency's board of directors, an appropriate
6committee thereof, or equivalent governing body, setting forth
7the consumer credit reporting agency's policies and procedures
8for the protection of its information systems and nonpublic
9information stored on those information systems. The
10cybersecurity policy shall be based on the consumer credit
11reporting agency's risk assessment and address the following
12areas to the extent applicable to the consumer credit reporting
13agency's operations:
14        (1) information security;
15        (2) data governance and classification;
16        (3) asset inventory and device management;
17        (4) access controls and identity management;
18        (5) business continuity and disaster recovery planning
19    and resources;
20        (6) systems operations and availability concerns;
21        (7) systems and network security;
22        (8) systems and network monitoring;
23        (9) systems and application development and quality
24    assurance;
25        (10) physical security and environmental controls;

 

 

SB3204- 14 -LRB100 20137 XWW 35421 b

1        (11) consumer data privacy;
2        (12) vendor and third-party service provider
3    management;
4        (13) risk assessment; and
5        (14) incident response.
 
6    Section 40. Chief information officer.
7    (a) A consumer credit reporting agency shall designate a
8qualified individual responsible for overseeing and
9implementing the consumer credit reporting agency's
10cybersecurity program and enforcing its cybersecurity policy.
11The chief information security officer may be employed by the
12consumer credit reporting agency, one of its affiliates, or a
13third-party service provider. To the extent this requirement is
14met using a third-party service provider or an affiliate, the
15consumer credit reporting agency shall:
16        (1) retain responsibility for compliance with this
17    Act;
18        (2) designate a senior member of the consumer credit
19    reporting agency's personnel responsible for direction and
20    oversight of the third-party service provider; and
21        (3) require the third-party service provider to
22    maintain a cybersecurity program that protects the
23    consumer credit reporting agency in accordance with the
24    requirements of this Act.
25    (b) The chief information security officer of each consumer

 

 

SB3204- 15 -LRB100 20137 XWW 35421 b

1credit reporting agency shall report in writing at least
2annually to the consumer credit reporting agency's board of
3directors or equivalent governing body. If no such board of
4directors or equivalent governing body exists, such report
5shall be timely presented to a senior officer of the consumer
6credit reporting agency responsible for the consumer credit
7reporting agency's cybersecurity program. The chief
8information security officer shall report on the consumer
9credit reporting agency's cybersecurity program and material
10cybersecurity risks. The chief information security officer
11shall consider to the extent applicable:
12        (1) the confidentiality of nonpublic information and
13    the integrity and security of the consumer credit reporting
14    agency's information systems;
15        (2) the consumer credit reporting agency's
16    cybersecurity policies and procedures;
17        (3) material cybersecurity risks to the consumer
18    credit reporting agency;
19        (4) overall effectiveness of the consumer credit
20    reporting agency's cybersecurity program; and
21        (5) material cybersecurity events involving the
22    consumer credit reporting agency during the time period
23    addressed by the report.
 
24    Section 45. Penetration testing and vulnerability
25assessments. The cybersecurity program for a consumer credit

 

 

SB3204- 16 -LRB100 20137 XWW 35421 b

1reporting agency shall include monitoring and testing,
2developed in accordance with the consumer credit reporting
3agency's risk assessment, designed to assess the effectiveness
4of the consumer credit reporting agency's cybersecurity
5program. The monitoring and testing shall include continuous
6monitoring or periodic penetration testing and vulnerability
7assessments. Absent effective continuous monitoring or other
8systems to detect, on an ongoing basis, changes in information
9systems that may create or indicate vulnerabilities, consumer
10credit agencies shall conduct:
11        (1) annual penetration testing of the consumer credit
12    reporting agency's information systems determined each
13    given year based on relevant identified risks in accordance
14    with the risk assessment; and
15        (2) vulnerability assessments every 2 years, including
16    any systematic scans or reviews of information systems
17    reasonably designed to identify publicly known
18    cybersecurity vulnerabilities in the consumer credit
19    reporting agency's information systems based on the risk
20    assessment.
 
21    Section 50. Audit trail.
22    (a) Each consumer credit reporting agency shall securely
23maintain systems that, to the extent applicable and based on
24its risk assessment:
25        (1) are designed to reconstruct material financial

 

 

SB3204- 17 -LRB100 20137 XWW 35421 b

1    transactions sufficient to support normal operations and
2    obligations of the consumer credit reporting agency; and
3        (2) include audit trails designed to detect and respond
4    to cybersecurity events that have a reasonable likelihood
5    of materially harming any material part of the normal
6    operations of the consumer credit reporting agency.
7    (b) Each consumer credit reporting agency shall maintain
8records required by paragraph (1) of subsection (a) for not
9fewer than 5 years and shall maintain records required by
10paragraph (2) of subsection (a) for not fewer than 3 years.
 
11    Section 55. Access privileges. As part of its cybersecurity
12program, based on the consumer credit reporting agency's risk
13assessment, a consumer credit reporting agency shall limit user
14access privileges to information systems that provide access to
15nonpublic information and shall periodically review such
16access privileges.
 
17    Section 60. Application security.
18    (a) A consumer credit reporting agency's cybersecurity
19program shall include written procedures, guidelines, and
20standards designed to ensure the use of secure development
21practices for in-house developed applications utilized by the
22consumer credit reporting agency, and procedures for
23evaluating, assessing, or testing the security of externally
24developed applications utilized by the consumer credit

 

 

SB3204- 18 -LRB100 20137 XWW 35421 b

1reporting agency within the context of the consumer credit
2reporting agency's technology environment.
3    (b) All such procedures, guidelines, and standards shall be
4periodically reviewed, assessed and updated as necessary by the
5chief information security officer or a qualified designee of
6the consumer credit reporting agency.
 
7    Section 65. Risk assessment.
8    (a) A consumer credit reporting agency shall conduct a
9periodic risk assessment of the consumer credit reporting
10agency's information systems sufficient to inform the designer
11of the cybersecurity program as required by this Act. Such risk
12assessment shall be updated as reasonably necessary to address
13changes to the consumer credit reporting agency's information
14systems, nonpublic information or business operations. The
15consumer credit reporting agency's risk assessment shall allow
16revision of controls to respond to technological developments
17and evolving threats and shall consider the particular risks of
18the consumer credit reporting agency's business operations
19related to cybersecurity, nonpublic information collected or
20stored, information systems utilized, and the availability and
21effectiveness of controls to protect nonpublic information and
22information systems.
23    (b) The risk assessment shall be carried out in accordance
24with written policies and procedures and shall be documented.
25Such policies and procedures shall include:

 

 

SB3204- 19 -LRB100 20137 XWW 35421 b

1        (1) criteria for the evaluation and categorization of
2    identified cybersecurity risks or threats facing the
3    consumer credit reporting agency;
4        (2) criteria for the assessment of the
5    confidentiality, integrity, security and availability of
6    the consumer credit reporting agency's information systems
7    and nonpublic information, including the adequacy of
8    existing controls in the context of identified risks; and
9        (3) requirements describing how identified risks will
10    be mitigated or accepted based on the risk assessment and
11    how the cybersecurity program will address the risks.
 
12    Section 70. Cybersecurity personnel and intelligence.
13    (a) In addition to the requirements set forth in Section
1440, a consumer credit reporting agency shall:
15        (1) utilize qualified cybersecurity personnel of the
16    consumer credit reporting agency, an affiliate, or a
17    third-party service provider sufficient to manage the
18    consumer credit reporting agency's cybersecurity risks and
19    to perform or oversee the performance of the core
20    cybersecurity functions specified in paragraphs (1)
21    through (6) of subsection (b) of Section 30;
22        (2) provide cybersecurity personnel with cybersecurity
23    updates and training sufficient to address relevant
24    cybersecurity risks; and
25        (3) verify that key cybersecurity personnel take steps

 

 

SB3204- 20 -LRB100 20137 XWW 35421 b

1    to maintain current knowledge of changing cybersecurity
2    threats and countermeasures.
3    (b) A consumer credit reporting agency may choose to
4utilize an affiliate or qualified third-party service provider
5to assist in complying with the requirements set forth in this
6Act, subject to the requirements set forth in Section 75.
 
7    Section 75. Third-party service provider security policy.
8    (a) Each consumer credit reporting agency shall implement
9written policies and procedures designed to ensure the security
10of information systems and nonpublic information that are
11accessible to, or held by, third-party service providers. Such
12policies and procedures shall be based on the risk assessment
13of the consumer credit reporting agency and shall address to
14the extent applicable:
15        (1) The identification and risk assessment of
16    third-party service providers.
17        (2) Minimum cybersecurity practices required to be met
18    by such third-party service providers in order for them to
19    do business with the consumer credit reporting agency.
20        (3) Due diligence processes used to evaluate the
21    adequacy of cybersecurity practices of such third-party
22    service providers.
23        (4) Periodic assessment of such third-party service
24    providers based on the risk they present and the continued
25    adequacy of their cybersecurity practices.

 

 

SB3204- 21 -LRB100 20137 XWW 35421 b

1    (b) Such policies and procedures shall include relevant
2guidelines for due diligence or contractual protections
3relating to third-party service providers to the extent
4applicable addressing:
5        (1) the third-party service provider's policies and
6    procedures for access controls, including its use of
7    multi-factor authentication as required by Section 80 of
8    this Act, to limit access to relevant information systems
9    and nonpublic information;
10        (2) the third-party service provider's policies and
11    procedures for use of encryption as required by Section 95
12    of this Act to protect nonpublic information in transit and
13    at rest;
14        (3) notice to be provided to the consumer credit
15    reporting agency in the event of a cybersecurity event
16    directly impacting the consumer credit reporting agency's
17    information systems or the consumer credit reporting
18    agency's nonpublic information being held by the
19    third-party service provider; and
20        (4) representations and warranties addressing the
21    third-party service provider's cybersecurity policies and
22    procedures that relate to the security of the consumer
23    credit reporting agency's information systems or nonpublic
24    information.
 
25    Section 80. Multi-factor authentication.

 

 

SB3204- 22 -LRB100 20137 XWW 35421 b

1    (a) Based on its risk assessment, each consumer credit
2reporting agency shall use effective controls, which may
3include multi-factor authentication or risk-based
4authentication, to protect against unauthorized access to
5nonpublic information or information systems.
6    (b) Multi-factor authentication shall be utilized for any
7individual accessing the consumer credit reporting agency's
8internal networks from an external network, unless the consumer
9credit reporting agency's chief information security officer
10has approved in writing the use of reasonably equivalent or
11more secure access controls.
 
12    Section 85. Limitations on data retention. As part of its
13cybersecurity program, a consumer credit reporting agency
14shall include policies and procedures for the secure disposal
15on a periodic basis of any nonpublic information that is no
16longer necessary for business operations or for other
17legitimate business purposes of the consumer credit reporting
18agency, except where such information is otherwise required to
19be retained by law or regulation, or where targeted disposal is
20not reasonably feasible due to the manner in which the
21information is maintained.
 
22    Section 90. Training and monitoring. As part of its
23cybersecurity program, each consumer credit reporting agency
24shall:

 

 

SB3204- 23 -LRB100 20137 XWW 35421 b

1        (1) implement risk-based policies, procedures and
2    controls designed to monitor the activity of authorized
3    users and detect unauthorized access or use of, or
4    tampering with, nonpublic information by such authorized
5    users; and
6        (2) provide regular cybersecurity awareness training
7    to all personnel that is updated to reflect risks
8    identified by the consumer credit reporting agency in its
9    risk assessment.
 
10    Section 95. Encryption of nonpublic information.
11    (a) As part of its cybersecurity program, based on its risk
12assessment, each consumer credit reporting agency shall
13implement controls, including encryption, to protect nonpublic
14information held or transmitted by the consumer credit
15reporting agency both in transit over external networks and at
16rest.
17        (1) To the extent a consumer credit reporting agency
18    determines that encryption of nonpublic information in
19    transit over external networks is infeasible, the consumer
20    credit reporting agency may instead secure such nonpublic
21    information using effective alternative compensating
22    controls reviewed and approved by the consumer credit
23    reporting agency's chief information security officer.
24        (2) To the extent a consumer credit reporting agency
25    determines that encryption of nonpublic information at

 

 

SB3204- 24 -LRB100 20137 XWW 35421 b

1    rest is infeasible, the consumer credit reporting agency
2    may instead secure such nonpublic information using
3    effective alternative compensating controls reviewed and
4    approved by the consumer credit reporting agency's chief
5    information security officer.
6    (b) To the extent that a consumer credit reporting agency
7is utilizing compensating controls under subsection (a), the
8feasibility of encryption and effectiveness of the
9compensating controls shall be reviewed by the chief
10information security officer at least annually.
 
11    Section 100. Incident response plan.
12    (a) As part of its cybersecurity program, a consumer credit
13reporting agency shall establish a written incident response
14plan designed to promptly respond to, and recover from, any
15cybersecurity event materially affecting the confidentiality,
16integrity or availability of the consumer credit reporting
17agency's information systems or the continuing functionality
18of any aspect of the consumer credit reporting agency's
19business or operations.
20    (b) Such incident response plan shall address the following
21areas:
22        (1) the internal processes for responding to a
23    cybersecurity event;
24        (2) the goals of the incident response plan;
25        (3) the definition of clear roles, responsibilities

 

 

SB3204- 25 -LRB100 20137 XWW 35421 b

1    and levels of decision-making authority;
2        (4) external and internal communications and
3    information sharing;
4        (5) identification of requirements for the remediation
5    of any identified weaknesses in information systems and
6    associated controls;
7        (6) documentation and reporting regarding
8    cybersecurity events and related incident response
9    activities; and
10        (7) the evaluation and revision as necessary of the
11    incident response plan following a cybersecurity event.
 
12    Section 105. Notice to the Department.
13    (a) A consumer credit reporting agency shall notify the
14Department as promptly as possible but in no event later than
1572 hours from a determination that a cybersecurity event has
16occurred that is either of the following:
17        (1) cybersecurity events impacting the consumer credit
18    reporting agency of which notice is required to be provided
19    to a government body, self-regulatory agency or any other
20    supervisory body; or
21        (2) cybersecurity events that have a reasonable
22    likelihood of materially harming any material part of the
23    normal operation of the consumer credit reporting agency.
24    (b) A consumer credit reporting agency shall submit to the
25Department a written statement annually covering the prior

 

 

SB3204- 26 -LRB100 20137 XWW 35421 b

1calendar year. This statement shall be submitted by February
215th in such manner as determined acceptable by the Department,
3certifying that the consumer credit reporting agency is in
4compliance with the requirements set forth in this Act. Each
5consumer credit reporting agency shall maintain all records,
6schedules, and data supporting this certificate for a period of
75 years for examination purposes conducted by the Department.
8To the extent a consumer credit reporting agency has identified
9areas, systems or processes that require material improvement,
10updating or redesign, the consumer credit reporting agency
11shall document the identification and the remedial efforts
12planned and underway to address such areas, systems or
13processes. Such documentation must be available for inspection
14by the Department.
 
15    Section 110. Enforcement. This Act shall be enforced by the
16Department pursuant to, and is not intended to limit, the
17Department's authority under any applicable laws.
 
18    Section 115. Severability. If any provision of this Act or
19the application thereof to any person or circumstance is
20adjudged invalid by a court of competent jurisdiction, such
21judgment shall not affect or impair the validity of the other
22provisions of this Act or the application thereof to other
23persons or circumstances.
 
24    Section 999. Effective date. This Act takes effect upon

 

 

SB3204- 27 -LRB100 20137 XWW 35421 b

1becoming law.