101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
HB5204

 

Introduced , by Rep. Keith R. Wheeler

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Cybersecurity Compliance Act. Defines terms. Creates an affirmative defense for every covered entity that creates, maintains, and complies with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of either personal information or both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework. Prescribes requirements for the cybersecurity program.


LRB101 13577 TAE 62429 b

 

 

A BILL FOR

 

HB5204LRB101 13577 TAE 62429 b

1    AN ACT concerning business.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 1. Short title. This Act may be cited as the
5Cybersecurity Compliance Act.
 
6    Section 5. Definitions. As used in this Act:
7    "Business" means any limited liability company, limited
8liability partnership, corporation, sole proprietorship,
9association, State institution of higher education, private
10college, or other group, however organized and whether
11operating for profit or not for profit, or the parent or
12subsidiary of any of the foregoing. "Business" includes a
13financial institution organized, chartered, or holding a
14license authorizing operation under the laws of this State, any
15other state, the United States, or any other country.
16    "Covered entity" means a business that accesses,
17maintains, communicates, or processes personal information or
18restricted information in or through one or more systems,
19networks, or services located in or outside of this State.
20    "Data breach" means unauthorized access to and acquisition
21of computerized data that compromises the security or
22confidentiality of personal information or restricted
23information owned by or licensed to a covered entity and that

 

 

HB5204- 2 -LRB101 13577 TAE 62429 b

1causes, reasonably is believed to have caused, or reasonably is
2believed will cause a material risk of identity theft or other
3fraud to person or property. "Data breach" does not include:
4        (1) good faith acquisition of personal information or
5    restricted information by the covered entity's employee or
6    agent for the purposes of the covered entity so long as the
7    personal information or restricted information is not used
8    for an unlawful purpose or subject to further unauthorized
9    disclosure; or
10        (2) acquisition of personal information or restricted
11    information pursuant to a search warrant, subpoena, or
12    other court order, or pursuant to a subpoena, order, or
13    duty of a regulatory State agency.
14    "Personal information" has the same meaning as provided in
15the Personal Information Protection Act.
16    "Restricted information" means any information about an
17individual, other than personal information, that, alone or in
18combination with other information, including personal
19information, can be used to distinguish or trace the
20individual's identity or that is linked or linkable to an
21individual, if the information is not encrypted, redacted, or
22altered by any method or technology in such a manner that the
23information is unreadable, and the breach of which is likely to
24result in a material risk of identity theft or other fraud to
25person or property.
 

 

 

HB5204- 3 -LRB101 13577 TAE 62429 b

1    Section 10. Safe harbor requirements.
2    (a) A covered entity seeking an affirmative defense under
3this Act shall:
4        (1) create, maintain, and comply with a written
5    cybersecurity program that contains administrative,
6    technical, and physical safeguards for the protection of
7    personal information and that reasonably conforms to an
8    industry-recognized cybersecurity framework, as described
9    in Section 15 of this Act; or
10        (2) create, maintain, and comply with a written
11    cybersecurity program that contains administrative,
12    technical, and physical safeguards for the protection of
13    both personal information and restricted information and
14    that reasonably conforms to an industry-recognized
15    cybersecurity framework, as described in Section 15 of this
16    Act.
17    (b) A covered entity's cybersecurity program shall be
18designed to do all of the following:
19        (1) protect the security and confidentiality of
20    information;
21        (2) protect against any anticipated threats or hazards
22    to the security or integrity of information; and
23        (3) protect against unauthorized access to and
24    acquisition of the information that is likely to result in
25    a material risk of identity theft or other fraud to the
26    individual to whom the information relates.

 

 

HB5204- 4 -LRB101 13577 TAE 62429 b

1    (c) The scale and scope of a covered entity's cybersecurity
2program under subsection (a) of this Section, as applicable, is
3appropriate if it is based on all of the following factors:
4        (1) the size and complexity of the covered entity;
5        (2) the nature and scope of the activities of the
6    covered entity;
7        (3) the sensitivity of the information to be protected;
8        (4) the cost and availability of tools to improve
9    information security and reduce vulnerabilities; and
10        (5) the resources available to the covered entity.
11    (d) A covered entity under this Section is entitled to an
12affirmative defense as follows:
13        (1) A covered entity that satisfies paragraph (1) of
14    subsection (a) and also subsections (b) and (c) of this
15    Section is entitled to an affirmative defense to any cause
16    of action sounding in tort that is brought under the laws
17    of this State or in the courts of this State and that
18    alleges that the failure to implement reasonable
19    information security controls resulted in a data breach
20    concerning personal information.
21        (2) A covered entity that satisfies paragraph (2) of
22    subsection (a) and also subsections (b) and (c) of this
23    Section is entitled to an affirmative defense to any cause
24    of action sounding in tort that is brought under the laws
25    of this State or in the courts of this State and that
26    alleges that the failure to implement reasonable

 

 

HB5204- 5 -LRB101 13577 TAE 62429 b

1    information security controls resulted in a data breach
2    concerning personal information or restricted information.
 
3    Section 15. Reasonable conformance.
4    (a) A covered entity's cybersecurity program reasonably
5conforms to an industry-recognized cybersecurity framework for
6purposes of this Act if the requirements of subsections (b),
7(c), or (d) of this Section is satisfied.
8    (b)(1) The cybersecurity program reasonably conforms to
9the current version of any of the following or any combination
10of the following, subject to paragraph (2) and subsection (e)
11of this Section:
12        (A) The "framework for improving critical
13    infrastructure cyber security" developed by the National
14    Institute of Standards and Technology" (NIST);
15        (B) NIST special publication 800-171;
16        (C) NIST special publications 800-53 and 800-53a;
17        (D) The Federal Risk And Authorization Management
18    Program (FedRAMP) Security Assessment Framework;
19        (E) The Center for Internet Security Critical Security
20    Controls for Effective Cyber Defense; or
21        (F) The International Organization for
22    Standardization/International Electrotechnical Commission
23    27000 Family - Information Security Management Systems.
24    (2) When a final revision to a framework listed in
25paragraph (1) is published, a covered entity whose

 

 

HB5204- 6 -LRB101 13577 TAE 62429 b

1cybersecurity program reasonably conforms to that framework
2shall reasonably conform to the revised framework not later
3than one year after the publication date stated in the
4revision.
5    (c)(1) The covered entity is regulated by the State, by the
6federal government, or both, or is otherwise subject to the
7requirements of any of the laws or regulations listed below,
8and the cybersecurity program reasonably conforms to the
9entirety of the current version of any of the following,
10subject to paragraph (2):
11        (A) The security requirements of the Health Insurance
12    Portability and Accountability Act of 1996, as set forth in
13    45 CFR Part 164 Subpart C;
14        (B) Title V of the Gramm-Leach-Bliley Act of 1999,
15    Public Law 106-102, as amended;
16        (C) The Federal Information Security Modernization Act
17    of 2014, Public Law 113-283;
18        (D) The Health Information Technology for Economic and
19    Clinical Health Act, as set forth in 45 CFR part 162.
20    (2) When a framework listed in paragraph (1) of this
21subsection is amended, a covered entity whose cybersecurity
22program reasonably conforms to that framework shall reasonably
23conform to the amended framework not later than one year after
24the effective date of the amended framework.
25    (d)(1) The cybersecurity program reasonably complies with
26both the current version of the payment card industry (PCI)

 

 

HB5204- 7 -LRB101 13577 TAE 62429 b

1data security standard and conforms to the current version of
2another applicable industry-recognized cybersecurity framework
3listed in subsection (b) of this Section, subject to paragraph
4(2) and subsection (e) of this Section.
5    (2) When a final revision to the PCI data security standard
6is published, a covered entity whose cybersecurity program
7reasonably complies with that standard shall reasonably comply
8with the revised standard not later than one year after the
9publication date stated in the revision.
10    (e) If a covered entity's cybersecurity program reasonably
11conforms to a combination of industry-recognized cybersecurity
12frameworks, or complies with a standard, as in the case of the
13payment card industry (PCI) data security standard, as
14described in subsection (b) or (d), and 2 or more of those
15frameworks are revised, the covered entity whose cybersecurity
16program reasonably conforms to or complies with, as applicable,
17those frameworks shall reasonably conform to or comply with, as
18applicable, all of the revised frameworks not later than one
19year after the latest publication date stated in the revisions.
 
20    Section 20. No private right of action. This Act shall not
21be construed to provide a private right of action, including a
22class action, with respect to any act or practice regulated
23under it.
 
24    Section 97. Severability. The provisions of this Act are

 

 

HB5204- 8 -LRB101 13577 TAE 62429 b

1severable under Section 1.31 of the Statute on Statutes.