101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
HB5398

 

Introduced , by Rep. Grant Wehrli - Avery Bourne - Amy Grant - Dan Ugaste

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Illinois Cyber Reserve Act. Establishes the Illinois Cyber Reserve, to be administered by the Illinois Emergency Management Agency, in order to deploy volunteers upon the occurrence of a cybersecurity incident. Contains provisions regarding volunteer requirements, criminal history checks, and civil liability. Requires volunteers to provide assistance for 6 years from the time of deployment or for the time required under the Agency's record retention policies, whichever is longer, and assistance to be for 7 days unless a different period is specified in writing. Creates the Illinois Cyber Reserve Advisory Board as an advisory body within the Agency and tasks it with reviewing and making recommendations regarding the policies and procedures used in implementing the Act. Requires the Agency to publish guidelines for the operation of the Illinois Cyber Reserve program and provides minimum requirements for the guidelines. Allows the Agency to enter into contracts with clients, provide training to individuals, and establish a fee schedule for clients. Provides that specified information given to the Illinois Cyber Reserve or obtained under the Act is exempt from disclosure under the Freedom of Information Act. Provides that the Agency shall adopt any rules necessary for the implementation and administration of the Act.


LRB101 16599 CPF 65983 b

 

 

A BILL FOR

 


    AN ACT concerning safety.

    Be it enacted by the People of the State of Illinois,
represented in the General Assembly:

    Section 1. Short title. This Act may be cited as the
Illinois Cyber Reserve Act.
 
    Section 5. Definitions. In this Act:
    "Advisory Board" means the Illinois Cyber Reserve Advisory
Board created under Section 40.
    "Agency" means the Illinois Emergency Management Agency.
    "Chief information officer" means the individual within
the Agency designated by the Governor as the chief information
officer for this State.
    "Client" means a municipal, educational, nonprofit, or
business organization that has requested and is using the rapid
response assistance of the Illinois Cyber Reserve under the
direction of the Agency.
    "Cybersecurity incident" means an event occurring on or
conducted through a computer network that actually or
imminently jeopardizes the integrity, confidentiality, or
availability of computers, information or communications
systems or networks, physical or virtual infrastructure
controlled by computers or information systems, or information
resident on any of these. "Cybersecurity incident" includes,
but is not limited to, the existence of a vulnerability in an
information system, system security procedures, internal
controls, or implementation that is subject to exploitation.
    "Illinois Cyber Reserve" means the program established
under this Act under which civilian volunteers who have
expertise in addressing cybersecurity incidents may volunteer
at the invitation of the Agency to provide rapid response
assistance to a municipal, educational, nonprofit, or business
organization in need of expert assistance during a
cybersecurity incident.
    "Illinois Cyber Reserve volunteer" means an individual who
has entered into a volunteer agreement with the Agency to serve
as a volunteer in the Illinois Cyber Reserve.
    "Volunteer agreement" means the contract entered into
between the Agency and an Illinois Cyber Reserve volunteer
under Section 15.
 
    Section 10. Appointment of volunteers. The Agency may
appoint individuals to serve as Illinois Cyber Reserve
volunteers for the purposes of facilitating the
responsibilities of the Agency as provided under this Act.
 
    Section 15. Volunteer agreement. The Agency shall enter
into a contract with any individual who wishes to accept an
invitation by the Agency to serve as an Illinois Cyber Reserve
volunteer. The contract must include, at a minimum, all of the
following:
        (1) A provision acknowledging the confidentiality of
    information relating to this State, State residents, and
    clients.
        (2) A provision protecting from disclosure any
    confidential information of this State, State residents,
    or clients acquired by the Illinois Cyber Reserve volunteer
    through participation in the Illinois Cyber Reserve.
        (3) A provision requiring the Illinois Cyber Reserve
    volunteer to avoid conflicts of interest that might arise
    from a particular deployment.
        (4) A provision requiring the Illinois Cyber Reserve
    volunteer to comply with all existing Agency security
    policies and procedures regarding information technology
    resources.
        (5) A provision requiring the Illinois Cyber Reserve
    volunteer to consent to background screening considered
    appropriate by the Agency under this Act, and a provision
    in which the individual gives that consent as described in
    Section 20.
        (6) A provision requiring the Illinois Cyber Reserve
    volunteer to attest that he or she meets any standards of
    expertise that may be established by the Agency.
 
    Section 20. Clearance to become a volunteer; requirements.
    (a) When an individual accepts an invitation to serve as an
Illinois Cyber Reserve volunteer as described in Section 15 the
Agency shall request the Illinois State Police to do both of
the following:
        (1) Conduct a criminal history check on the individual.
        (2) Conduct a criminal records check through the
    Federal Bureau of Investigation on the individual.
    (b) An individual who accepts an invitation to the Illinois
Cyber Reserve shall give written consent in the volunteer
agreement for the Illinois State Police to conduct the criminal
history check and criminal records check required under
subsection (a). The Agency shall require the individual to
submit his or her fingerprints to the Illinois State Police and
the Federal Bureau of Investigation for the criminal records
check.
    (c) The Agency shall request a criminal history check and
criminal records check under this Section on all individuals
who wish to participate as Illinois Cyber Reserve volunteers.
The Agency shall make the request on a form and in the manner
prescribed by the Illinois State Police.
    (d) Within a reasonable time after receiving a complete
request by the Agency for a criminal history check and criminal
records check on an individual under this Section, the Illinois
State Police shall conduct the criminal history check and
provide a report of the results to the Agency. The report must
indicate that the individual is cleared or not cleared to
become an Illinois Cyber Reserve volunteer.
    (e) Within a reasonable time after receiving a proper
request by the Agency for a criminal records check on an
individual under this Section, the Illinois State Police shall
initiate the criminal records check with the Federal Bureau of
Investigation. After receiving the results of the criminal
records check from the Federal Bureau of Investigation, the
Illinois State Police shall provide a report to the Agency that
indicates that the individual is cleared or not cleared to
become an Illinois Cyber Reserve volunteer.
    (f) If a criminal arrest fingerprint is subsequently
submitted to the Illinois State Police and matches against a
fingerprint that was submitted under this Act and stored in its
automated fingerprint identification system database, the
Illinois State Police shall notify the Agency that the
individual is still cleared or is no longer cleared to continue
as an Illinois Cyber Reserve volunteer. When the Illinois State
Police is able to participate with the Federal Bureau of
Investigation automatic notification system, then any
subsequent arrest fingerprint submitted to the Federal Bureau
of Investigation must also be reviewed by the Illinois State
Police. The Illinois State Police shall provide a report to the
Agency that indicates that the individual is still cleared or
is no longer cleared to continue as an Illinois Cyber Reserve
volunteer.
 
    Section 25. Nature of the conduct of volunteers.
    (a) An Illinois Cyber Reserve volunteer is not an agent,
employee, or independent contractor of this State for any
purpose and has no authority to bind this State with regard to
third parties.
    (b) This State is not liable to an Illinois Cyber Reserve
volunteer for personal injury or property damage suffered by
the Illinois Cyber Reserve volunteer through participation in
the Illinois Cyber Reserve.
 
    Section 30. Civil liability. Any Illinois Cyber Reserve
volunteer who in good faith provides professional services in
response to a cybersecurity incident shall not be liable for
civil damages as a result of his or her acts or omissions in
providing the professional services, except for willful and
wanton misconduct. This immunity applies to services that are
provided during or within the time of deployment for a
cybersecurity incident.
 
    Section 35. Initiation of deployment.
    (a) On the occurrence of a cybersecurity incident that
affects a client, the client may request the Agency to deploy
one or more Illinois Cyber Reserve volunteers to provide rapid
response assistance under the direction of the Agency.
    (b) The Agency, in its discretion, may initiate deployment
of Illinois Cyber Reserve volunteers upon the occurrence of a
cybersecurity incident and the request of a client.
    (c) Acceptance of a deployment by an Illinois Cyber Reserve
volunteer for a particular cybersecurity incident must be made
in writing. An Illinois Cyber Reserve volunteer may decline to
accept deployment for any reason.
    (d) To initiate the deployment of an Illinois Cyber Reserve
volunteer for a particular cybersecurity incident, the Agency
shall indicate in writing that the Illinois Cyber Reserve
volunteer is authorized to provide the assistance. A single
writing may initiate the deployment of more than one Illinois
Cyber Reserve volunteer.
    (e) The Agency shall maintain a writing initiating the
deployment of an Illinois Cyber Reserve volunteer to provide
assistance to a client for 6 years from the time of deployment
or for the time required under the Agency's record retention
policies, whichever is longer.
    (f) The deployment of an Illinois Cyber Reserve volunteer
to provide assistance to a client must be for 7 days unless the
writing initiating the deployment contains a different period.
    (g) At the direction of the Agency, the deployment of an
Illinois Cyber Reserve volunteer may be extended in writing in
the same manner as the initial deployment.
 
    Section 40. Illinois Cyber Reserve Advisory Board.
    (a) The Illinois Cyber Reserve Advisory Board is created as
an advisory body within the Agency.
    (b) The Advisory Board is composed of the adjutant general,
the Director of the Agency, the Director of State Police, and
the Director of the Department of Commerce and Economic
Opportunity or their designees.
    (c) The Advisory Board shall review and make
recommendations to the Agency regarding the policies and
procedures used by the Agency in implementing this Act.
 
    Section 45. Powers and duties of the Agency.
    (a) After consultation with the Advisory Board, the chief
information officer shall do both of the following:
        (1) Approve the set of tools that the Illinois Cyber
    Reserve may use in response to a cybersecurity incident.
        (2) Determine the standards of expertise necessary for
    an individual to become a member of the Illinois Cyber
    Reserve.
    (b) After consultation with the Advisory Board, the Agency
shall publish guidelines for the operation of the Illinois
Cyber Reserve program. At a minimum, the published guidelines
must include the following:
        (1) An explanation of the standard the Agency will use
    to determine whether an individual may serve as an Illinois
    Cyber Reserve volunteer and an explanation of the process
    by which an individual may become an Illinois Cyber Reserve
    volunteer.
        (2) An explanation of the requirements the Agency will
    impose for a client to receive the assistance of the
    Illinois Cyber Reserve and an explanation of the process by
    which a client may request and receive the assistance of
    the Illinois Cyber Reserve.
    (c) The Agency may enter into contracts with clients as a
condition to providing assistance through the Illinois Cyber
Reserve.
    (d) The Agency may provide appropriate training to
individuals who wish to participate in the Illinois Cyber
Reserve and to existing Illinois Cyber Reserve volunteers.
    (e) The Agency may provide compensation for actual and
necessary travel and subsistence expenses incurred by Illinois
Cyber Reserve volunteers on a deployment, at the discretion of
the Agency.
    (f) The Agency may establish a fee schedule for clients who
wish to use the assistance of the Illinois Cyber Reserve. The
Agency may recoup expenses through the fees but may not
generate a profit.
    (g) Information voluntarily given to the Illinois Cyber
Reserve or obtained under this Act that would identify or
provide a means of identifying a person that may, as a result
of disclosure of the information, become a victim of a
cybersecurity incident or that would disclose a person's
cybersecurity plans or cybersecurity-related practices,
procedures, methods, results, organizational information
system infrastructure, hardware, or software is exempt from
disclosure under the Freedom of Information Act.
    (h) The Agency shall adopt any rules necessary for the
implementation and administration of this Act.