103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB4081

 

Introduced 5/10/2023, by Rep. Brad Stephens

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Cybersecurity Compliance Act. Creates an affirmative defense for every covered entity that creates, maintains, and complies with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of either personal information or both personal information and restricted information and that reasonably conforms to an industry-recognized cybersecurity framework. Prescribes requirements for the cybersecurity program.


LRB103 32146 BMS 61211 b

 

 

A BILL FOR

 

HB4081LRB103 32146 BMS 61211 b

1    AN ACT concerning business.
 
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
 
4    Section 1. Short title. This Act may be cited as the
5Cybersecurity Compliance Act.
 
6    Section 5. Definitions. As used in this Act:
7    "Business" means any limited liability company, limited
8liability partnership, corporation, sole proprietorship,
9association, State institution of higher education, private
10college, or other group, however organized and whether
11operating for profit or not for profit, or the parent or
12subsidiary of any of the foregoing. "Business" includes a
13financial institution organized, chartered, or holding a
14license authorizing operation under the laws of this State,
15any other state, the United States, or any other country.
16    "Covered entity" means a business that accesses,
17maintains, communicates, or processes personal information or
18restricted information in or through one or more systems,
19networks, or services located in or outside of this State.
20    "Data breach" means unauthorized access to and acquisition
21of computerized data that compromises the security or
22confidentiality of personal information or restricted
23information owned by or licensed to a covered entity and that

 

 

HB4081- 2 -LRB103 32146 BMS 61211 b

1causes, reasonably is believed to have caused, or reasonably
2is believed will cause a material risk of identity theft or
3other fraud to person or property. "Data breach" does not
4include:
5        (1) the good faith acquisition of personal information
6    or restricted information by the covered entity's employee
7    or agent for the purposes of the covered entity so long as
8    the personal information or restricted information is not
9    used for an unlawful purpose or subject to further
10    unauthorized disclosure; or
11        (2) the acquisition of personal information or
12    restricted information pursuant to a search warrant,
13    subpoena, or other court order, or pursuant to a subpoena,
14    order, or duty of a regulatory State agency.
15    "Personal information" has the same meaning as provided in
16the Personal Information Protection Act.
17    "Restricted information" means any information about an
18individual, other than personal information, that, alone or in
19combination with other information, including personal
20information, can be used to distinguish or trace the
21individual's identity or that is linked or linkable to an
22individual, if the information is not encrypted, redacted, or
23altered by any method or technology in such a manner that the
24information is unreadable, and the breach of which is likely
25to result in a material risk of identity theft or other fraud
26to a person or property.
 

 

 

HB4081- 3 -LRB103 32146 BMS 61211 b

1    Section 10. Safe harbor requirements.
2    (a) A covered entity seeking an affirmative defense under
3this Act shall:
4        (1) create, maintain, and comply with a written
5    cybersecurity program that contains administrative,
6    technical, and physical safeguards for the protection of
7    personal information and that reasonably conforms to an
8    industry-recognized cybersecurity framework, as described
9    in Section 15; or
10        (2) create, maintain, and comply with a written
11    cybersecurity program that contains administrative,
12    technical, and physical safeguards for the protection of
13    both personal information and restricted information and
14    that reasonably conforms to an industry-recognized
15    cybersecurity framework, as described in Section 15.
16    (b) A covered entity's cybersecurity program shall be
17designed to do all of the following:
18        (1) protect the security and confidentiality of
19    information;
20        (2) protect against any anticipated threats or hazards
21    to the security or integrity of information; and
22        (3) protect against unauthorized access to and
23    acquisition of the information that is likely to result in
24    a material risk of identity theft or other fraud to the
25    individual to whom the information relates.

 

 

HB4081- 4 -LRB103 32146 BMS 61211 b

1    (c) The scale and scope of a covered entity's
2cybersecurity program under subsection (a), as applicable, is
3appropriate if it is based on all of the following factors:
4        (1) the size and complexity of the covered entity;
5        (2) the nature and scope of the activities of the
6    covered entity;
7        (3) the sensitivity of the information to be
8    protected;
9        (4) the cost and availability of tools to improve
10    information security and reduce vulnerabilities; and
11        (5) the resources available to the covered entity.
12    (d) A covered entity under this Section is entitled to an
13affirmative defense as follows:
14        (1) A covered entity that satisfies paragraph (1) of
15    subsection (a) and also subsections (b) and (c) is
16    entitled to an affirmative defense to any cause of action
17    sounding in tort that is brought under the laws of this
18    State or in the courts of this State and that alleges that
19    the failure to implement reasonable information security
20    controls resulted in a data breach concerning personal
21    information.
22        (2) A covered entity that satisfies paragraph (2) of
23    subsection (a) and also subsections (b) and (c) is
24    entitled to an affirmative defense to any cause of action
25    sounding in tort that is brought under the laws of this
26    State or in the courts of this State and that alleges that

 

 

HB4081- 5 -LRB103 32146 BMS 61211 b

1    the failure to implement reasonable information security
2    controls resulted in a data breach concerning personal
3    information or restricted information.
 
4    Section 15. Reasonable conformance.
5    (a) A covered entity's cybersecurity program reasonably
6conforms to an industry-recognized cybersecurity framework for
7purposes of this Act if the requirements of subsection (b),
8(c), or (d) are satisfied.
9    (b)(1) The cybersecurity program reasonably conforms to an
10industry-recognized cybersecurity framework for purposes of
11this Act if the cybersecurity program reasonably conforms to
12the current version of any of the following or any combination
13of the following, subject to paragraph (2) and subsection (e):
14        (A) The "framework for improving critical
15    infrastructure cyber security" developed by the National
16    Institute of Standards and Technology (NIST);
17        (B) NIST special publication 800-171;
18        (C) NIST special publications 800-53 and 800-53a;
19        (D) The Federal Risk And Authorization Management
20    Program (FedRAMP) Security Assessment Framework;
21        (E) The Center for Internet Security Critical Security
22    Controls for Effective Cyber Defense; or
23        (F) The International Organization for
24    Standardization/International Electrotechnical Commission
25    27000 Family - Information Security Management Systems.

 

 

HB4081- 6 -LRB103 32146 BMS 61211 b

1    (2) When a final revision to a framework listed in
2paragraph (1) is published, a covered entity whose
3cybersecurity program reasonably conforms to that framework
4shall reasonably conform to the revised framework not later
5than one year after the publication date stated in the
6revision.
7    (c)(1) The covered entity's cybersecurity program
8reasonably conforms to an industry-recognized cybersecurity
9framework for purposes of this Act if the covered entity is
10regulated by the State, by the federal government, or both, or
11is otherwise subject to the requirements of any of the laws or
12regulations listed below, and the cybersecurity program
13reasonably conforms to the entirety of the current version of
14any of the following, subject to paragraph (2):
15        (A) The security requirements of the Health Insurance
16    Portability and Accountability Act of 1996, as set forth
17    in 45 CFR Part 164, Subpart C;
18        (B) Title V of the Gramm-Leach-Bliley Act of 1999,
19    Public Law 106-102, as amended;
20        (C) The Federal Information Security Modernization Act
21    of 2014, Public Law 113-283;
22        (D) The Health Information Technology for Economic and
23    Clinical Health Act, as set forth in 45 CFR Part 162.
24    (2) When a framework listed in paragraph (1) is amended, a
25covered entity whose cybersecurity program reasonably conforms
26to that framework shall reasonably conform to the amended

 

 

HB4081- 7 -LRB103 32146 BMS 61211 b

1framework not later than one year after the effective date of
2the amended framework.
3    (d)(1) The cybersecurity program reasonably conforms to an
4industry-recognized cybersecurity framework for purposes of
5this Act if the cybersecurity program reasonably complies with
6both the current version of the payment card industry (PCI)
7data security standard and conforms to the current version of
8another applicable industry-recognized cybersecurity
9framework listed in subsection (b), subject to paragraph (2)
10of subsection (b) and subsection (e).
11    (2) When a final revision to the PCI data security
12standard is published, a covered entity whose cybersecurity
13program reasonably complies with that standard shall
14reasonably comply with the revised standard not later than one
15year after the publication date stated in the revision.
16    (e) If a covered entity's cybersecurity program reasonably
17conforms to a combination of industry-recognized cybersecurity
18frameworks, or complies with a standard, as in the case of the
19PCI data security standard, as described in subsection (b) or
20(d), and 2 or more of those frameworks are revised, the covered
21entity whose cybersecurity program reasonably conforms to or
22complies with, as applicable, those frameworks shall
23reasonably conform to or comply with, as applicable, all of
24the revised frameworks not later than one year after the
25latest publication date stated in the revisions.
 

 

 

HB4081- 8 -LRB103 32146 BMS 61211 b

1    Section 20. No private right of action. This Act shall not
2be construed to provide a private right of action, including a
3class action, with respect to any act or practice regulated
4under it.
 
5    Section 97. Severability. The provisions of this Act are
6severable under Section 1.31 of the Statute on Statutes.