100TH GENERAL ASSEMBLY
State of Illinois
2017 and 2018
SB3204
 
Introduced 2/15/2018, by Sen. Michael E. Hastings
 
SYNOPSIS AS INTRODUCED:
 

 
New Act

     Creates the Consumer Credit Reporting Agency Registration and Cybersecurity Program Act. Provides for requirements for consumer credit reporting agency registration. Contains provisions regarding grounds for revocation and suspension of a registration. Provides that by January 1, 2019, a consumer credit reporting agency must have a cybersecurity program documented in writing and designed to protect the confidentiality, integrity and availability of its information systems. Provides that a consumer credit reporting agency shall implement and maintain a written cybersecurity policy setting forth its policies and procedures for the protection of its information systems and nonpublic information stored on those information systems. Provides that a consumer credit reporting agency shall designated a qualified individual as a chief information security officer to oversee and implement its cybersecurity policy. Contains provisions concerning penetration testing and vulnerability assessments, audit trail, access privileges, and application security. Provides that a consumer credit reporting agency shall conduct periodic risk assessments of its information systems. Provides requirements for cybersecurity personnel and third-party service provider security policy. Provides that a consumer credit reporting agency shall establish a written incident response plan designed to promptly respond to a cybersecurity event. Provides that the consumer credit reporting agency shall notify the Department of Financial and Professional Regulation of the existence of a cybersecurity event no later than 72 hours after the event occurred. Makes other changes. Effective immediately.
  


LRB100 20137 XWW 35421 b

FISCAL NOTE ACT MAY APPLY
 
 
A BILL FOR
 

  
SB3204LRB100 20137 XWW 35421 b


  
1    AN ACT concerning regulation.
  
 
2    Be it enacted by the People of the State of Illinois,
 
3represented in the General Assembly:
  
 
 
4    Section 1. Short title. This Act may be cited as the 
5Consumer Credit Reporting Agency Registration and 
6Cybersecurity Program Act.
 
7    Section 5. Definitions. As used in this Act:
8    "Affiliate" means a person that controls, is controlled by, 
9or is under common control with another person.
10    "Authorized user" means any employee, contractor, agent or 
11other person that participates in the business operations of a 
12consumer credit reporting agency and is authorized to access 
13and use any information system and data of the consumer credit 
14reporting agency.
15    "Consumer" means an individual.
16    "Consumer report" means a written, oral, or other 
17communication of any information by a consumer reporting agency 
18bearing on a consumer's credit worthiness, credit standing, 
19credit capacity, character, general reputation, personal 
20characteristics, or mode of living that is used or expected to 
21be used or collected in whole or in part for the purpose of 
22serving as a factor in establishing the consumer's eligibility 
23for (i) credit or insurance to be used primarily for personal, 
 
 
SB3204- 2 -LRB100 20137 XWW 35421 b

1family, or household purposes, (ii) employment purposes, or 
2(iii) other purposes.
3    "Consumer reporting agency" means any person who, for 
4monetary fees, dues, or on a cooperative nonprofit basis, 
5regularly engages in whole or in part in the practice of 
6assembling or evaluating consumer credit information or other 
7information on consumers for the purpose of furnishing consumer 
8reports or investigative consumer reports to third parties.
9    "Consumer credit reporting agency" means a consumer 
10reporting agency that regularly engages in the practice of 
11assembling or evaluating and maintaining public record 
12information or credit account information from persons who 
13furnish that information regularly and in the ordinary course 
14of business for the purpose of furnishing consumer credit 
15reports to third parties bearing on a consumer's credit 
16worthiness, credit standing, and credit capacity.
17    "Cybersecurity event" means any act or attempt, successful 
18or unsuccessful, to gain unauthorized access to, disrupt, or 
19misuse an information system or information stored on such 
20information system.
21    "Department" means the Department of Financial and 
22Professional Responsibility.
23    "Financial institution" means a bank, savings bank, 
24savings and loan association, credit union, or any licensee 
25under the Consumer Installment Loan Act or the Sales Finance 
26Agency Act.
 
 
SB3204- 3 -LRB100 20137 XWW 35421 b

1    "Information system" means a discrete set of electronic 
2information resources organized for the collection, 
3processing, maintenance, use, sharing, dissemination or 
4disposition of electronic information, or any specialized 
5system such as industrial or process control systems, telephone 
6switching and private branch exchange systems, and 
7environmental control systems.
8    "Multi-factor authentication" means authentication through 
9verification of at least 2 of the following types of 
10authentication factors: 
11        (1) knowledge factor, such as a password;
12        (2) possession factor, such as a token or text message 
13    on a mobile phone; or
14        (3) inherence factor, such as a biometric 
15    characteristic.
16    "Nonpublic information" means all electronic information 
17that is not publicly available information and is:
18        (1) business-related information of a consumer credit 
19    reporting agency in which  the tampering, or unauthorized 
20    disclosure, access, or use of, would cause a material 
21    adverse impact on the business, operations or security of 
22    the consumer credit reporting agency;
23        (2) any information concerning an individual that 
24    because of name, number, personal mark, or other identifier 
25    can be used to identify such individual, in combination 
26    with any one or more of the following data elements:
 
 
SB3204- 4 -LRB100 20137 XWW 35421 b

1            (i) social security number;
2            (ii) driver's license number or non-driver 
3        identification card number;
4            (iii) account number, credit or debit card number;
5            (iv) any security code, access code or password 
6        that would permit access to an individual's financial 
7        account; or
8            (v) biometric records;
9        (3) any information or data, except age or gender, in 
10    any form or medium created by or derived from a health care 
11    provider or an individual that relates to:
12            (i) the past, present, or future physical, mental, 
13        or behavioral health or condition of any individual or 
14        a member of the individual's family;
15            (ii) the provision of health care to any 
16        individual; or
17            (iii) payment for the provision of health care to 
18        any individual.
19    "Penetration testing" means a test methodology in which 
20assessors attempt to circumvent or defeat the security features 
21of an information system by attempting penetration of databases 
22or controls from outside or inside the consumer credit 
23reporting agency's information systems.
24    "Person" means any individual or any non-governmental 
25entity, including, but not limited to, any non-governmental 
26partnership, corporation, branch, agency or association.
 
 
SB3204- 5 -LRB100 20137 XWW 35421 b

1    "Publicly available information" means any information 
2that a consumer credit reporting agency has a reasonable basis 
3to believe is lawfully made available to the general public 
4from federal, State, or local government records, widely 
5distributed media, or disclosures to the general public that 
6are required to be made by federal, State or local law.
7        (1) For the purposes of this Act, a consumer credit 
8    reporting agency has a reasonable basis to believe that 
9    information is lawfully made available to the general 
10    public if the consumer credit reporting agency has taken 
11    steps to determine:
12            (i) that the information is of the type that is 
13        available to the general public; and
14            (ii) whether an individual can direct that 
15        information to make it unavailable to the general 
16        public and, if so, that such individual has not done 
17        so.
18    "Risk assessment" means the risk assessment that each 
19consumer credit reporting agency is required to conduct under 
20Section 65 of this Act.
21    "Risk-based authentication" means any risk-based system of 
22authentication that detects anomalies or changes in the normal 
23use patterns of a person and requires additional verification 
24of the person's identity when such deviations or changes are 
25detected, such as through the use of challenge questions.
26    "Senior officer" or "senior officers" means the senior 
 
 
SB3204- 6 -LRB100 20137 XWW 35421 b

1individual or individuals, acting collectively or as a 
2committee, responsible for the management, operations, 
3security, information systems, compliance or risk of a consumer 
4credit reporting agency, including a branch or agency of a 
5foreign banking organization subject to this Act.
6    "Third-party service provider" means a person that:
7        (1) is not an affiliate of the consumer credit 
8    reporting agency;
9        (2) provides services to the consumer credit reporting 
10    agency; and
11        (3) maintains, processes, or otherwise is permitted 
12    access to nonpublic information through provision of 
13    services to the consumer credit reporting agency.
 
14    Section 10. Registration.  
15    (a) A consumer credit reporting agency that assembles, 
16evaluates, or maintains a consumer credit report on one or more 
17consumers located in the State of Illinois shall register with 
18the Department in a form and manner acceptable to the 
19Department.
20    (b) For a business entity, the officer or officers and 
21director or directors named in the registration application 
22shall be designated responsible for the business entity's 
23compliance with the financial services, banking, and insurance 
24laws, rules, and regulations of this State.
25    (c) A consumer credit reporting agency that assembles, 
 
 
SB3204- 7 -LRB100 20137 XWW 35421 b

1evaluates, or maintains a consumer credit report on any 
2consumer located in the State of Illinois at any time between 
3July 1, 2017 and September 1, 2018, shall make the registration 
4required by subsection (a) on or before September 1, 2018. Any 
5other consumer credit reporting agency shall make the 
6registration required by subsection (a) prior to assembling, 
7evaluating, or maintaining a consumer credit report on a 
8consumer located in the State of Illinois.
9    (d) A consumer credit reporting agency shall renew its 
10registration by January 1, 2019 for the 2019 calendar year, and 
11by January 1 of each successive year for the calendar year 
12thereafter.
13    (e) The Department may refuse to renew a consumer credit 
14reporting agency's registration if, in the Department's 
15judgment, the applicant or any member, principal, officer or 
16director of the applicant, is not trustworthy and is not 
17competent to act as or in connection with a consumer credit 
18reporting agency, or that any of the foregoing has given cause 
19for revocation or suspension of such registration, or has 
20failed to comply with any minimum standard.
21    (f) Registrants under this Section shall be subject to 
22examination by the Department as often as the Department may 
23deem it necessary. The Department may promulgate regulations 
24establishing methods and procedures for facilitating and 
25verifying compliance with the requirements of this Act and such 
26other regulations as necessary to enforce the provisions of 
 
 
SB3204- 8 -LRB100 20137 XWW 35421 b

1this Act.
 
2    Section 15. Acting without registration. 
3    (a) No individual, firm, association, corporation or other 
4entity may assemble, evaluate, or maintain a consumer credit 
5report on any consumer located in the State of Illinois without 
6having a valid registration as a consumer credit reporting 
7agency filed as described in Section 10 of this Act.
8    (b) No financial institution may pay any fee or other 
9compensation to any consumer credit reporting agency that is 
10required to be registered pursuant to Section 10 but fails to 
11possess the required registration.
12    (c) No regulated person may transmit any information about 
13a consumer located in the State of Illinois to a consumer 
14credit reporting agency that is required to be registered 
15pursuant to Section 10 of this Act but failed to possess the 
16required registration.
 
17    Section 20. Revocation and suspension of a registration. 
18    (a) The Department may refuse to renew, revoke, or may 
19suspend the registration of a consumer credit report agency for 
20a period the Department determines if, after notice and 
21hearing, the Department determines that the registrant or any 
22member, principal, officer, director, or controlling person of 
23the registrant, has:
24        (1) violated any insurance, financial service, or 
 
 
SB3204- 9 -LRB100 20137 XWW 35421 b

1    banking law or violated any regulation, subpoena or order 
2    of the Department or any other State or federal agency with 
3    authority to regulate consumer credit reporting agencies, 
4    or has violated any law in the course of his or her 
5    dealings in such capacity;
6        (2) provided materially incorrect, materially 
7    misleading, materially incomplete or materially untrue 
8    information in the registration application;
9        (3) failed to comply with the requirements of this Act, 
10    including, but not limited to, Sections 30 through  105 
11    concerning cybersecurity;
12        (4) used fraudulent, coercive or dishonest practices; 
13    demonstrated incompetence; demonstrated untrustworthiness; 
14    or demonstrated financial irresponsibility in the conduct 
15    of business in this state or elsewhere;
16        (5) improperly withheld, misappropriated or converted 
17    any moneys or properties received in the course of business 
18    in this State or elsewhere;
19        (6) has been convicted of a felony;
20        (7) admitted or has been found to have committed any 
21    unfair trade practice or fraud;
22        (8) had a consumer credit reporting agency 
23    registration or its equivalent, denied, suspended, or 
24    revoked in any other state, province, district or 
25    territory; or
26        (9) failed to pay state income tax or comply with any 
 
 
SB3204- 10 -LRB100 20137 XWW 35421 b

1    administrative or court order directing payment of state 
2    income tax.
3    (b) Before revoking or suspending the registration of any 
4consumer credit reporting agency pursuant to the provisions of 
5this Act, the Department shall give notice to the registrant 
6and shall hold, or cause to be held, a hearing not less than 10 
7days after the giving of such notice.
8    (c) If a registration pursuant to the provisions of this 
9Act is revoked or suspended by the Department, then the 
10Department shall forthwith give notice to the registrant.
11    (d) The revocation or suspension of any registration 
12pursuant to the provisions of this Act shall terminate 
13forthwith such registration.
 
14    Section 25. Prohibited practices. No consumer credit 
15reporting agency that assembles, evaluates, or maintains a 
16consumer credit report on any consumer located in the State of 
17Illinois shall:
18    (1) Directly or indirectly employ any scheme, device or 
19artifice to defraud or mislead a consumer.
20    (2) Engage in any unfair, deceptive, or predatory act or 
21practice toward any consumer, or misrepresent or omit any 
22material information in connection with the assembly, 
23evaluation, or maintenance of a credit report for a consumer 
24located in the State of Illinois.
25    (3) Engage in any unfair, deceptive, or abusive act or 
 
 
SB3204- 11 -LRB100 20137 XWW 35421 b

1practice in violation of Section 1036 of the Dodd-Frank Wall 
2Street Reform and Consumer Protection Act.
3    (4) Include inaccurate information in any consumer report 
4relating to a consumer located in the State of Illinois.
5    (5) Refuse to communicate with an authorized 
6representative of a consumer located in the State of Illinois 
7who provides a written authorization signed by the consumer, 
8provided that the consumer credit reporting agency may adopt 
9procedures reasonably related to verify that the 
10representative is in fact authorized to act on behalf of the 
11consumer.
12    (6)  Make any false statement or make any omission of a 
13material fact in connection with any information or reports 
14filed with a governmental agency or in connection with any 
15investigation conducted by another governmental agency.
 
16    Section 30. Cybersecurity program.  
17    (a) By January 1, 2019, a consumer credit reporting agency 
18that assembles, evaluates, or maintains a consumer credit 
19report on Illinois consumers must have in place a written 
20cybersecurity program designed to protect the confidentiality, 
21integrity and availability of the consumer credit reporting 
22agency's information systems.
23    (b) The cybersecurity program shall be based on the 
24consumer credit reporting agency's risk assessment and 
25designed to perform the following core cybersecurity 
 
 
SB3204- 12 -LRB100 20137 XWW 35421 b

1functions:
2        (1) identify and assess internal and external 
3    cybersecurity risks that may threaten the security or 
4    integrity of nonpublic information stored on the consumer 
5    credit reporting agency's information systems;
6        (2) use defensive infrastructure and the 
7    implementation of policies and procedures to protect the 
8    consumer credit reporting agency's information systems, 
9    and the nonpublic information stored on those information 
10    systems, from unauthorized access, use, or other malicious 
11    acts;
12        (3) detect cybersecurity events;
13        (4) respond to identified or detected cybersecurity 
14    events to mitigate any negative effects;
15        (5) recover from cybersecurity events and restore 
16    normal operations and services; and
17        (6) fulfill applicable regulatory reporting 
18    obligations.
19    (c) A consumer credit reporting agency may meet the 
20requirements of this Act by adopting relevant and applicable 
21provisions of a cybersecurity program maintained by an 
22affiliate, provided that such provisions satisfy the 
23requirements of this Act, as applicable to the consumer credit 
24reporting agency.
25    (d) All documentation and information relevant to the 
26consumer credit reporting agency's cybersecurity program shall 
 
 
SB3204- 13 -LRB100 20137 XWW 35421 b

1be made available to the Department upon request.
 
2    Section 35. Cybersecurity policy.  Each consumer credit 
3reporting agency shall implement and maintain a written policy 
4or policies, approved by a senior officer, the consumer credit 
5reporting agency's board of directors, an appropriate 
6committee thereof, or equivalent governing body, setting forth 
7the consumer credit reporting agency's policies and procedures 
8for the protection of its information systems and nonpublic 
9information stored on those information systems. The 
10cybersecurity policy shall be based on the consumer credit 
11reporting agency's risk assessment and address the following 
12areas to the extent applicable to the consumer credit reporting 
13agency's operations:
14        (1) information security;
15        (2) data governance and classification;
16        (3) asset inventory and device management;
17        (4) access controls and identity management;
18        (5) business continuity and disaster recovery planning 
19    and resources;
20        (6) systems operations and availability concerns;
21        (7) systems and network security;
22        (8) systems and network monitoring;
23        (9) systems and application development and quality 
24    assurance;
25        (10) physical security and environmental controls;
 
 
SB3204- 14 -LRB100 20137 XWW 35421 b

1        (11) consumer data privacy;
2        (12) vendor and third-party service provider 
3    management;
4        (13) risk assessment; and
5        (14) incident response.
 
6    Section 40. Chief information officer.  
7    (a) A consumer credit reporting agency shall designate a 
8qualified individual responsible for overseeing and 
9implementing the consumer credit reporting agency's 
10cybersecurity program and enforcing its cybersecurity policy. 
11The chief information security officer may be employed by the 
12consumer credit reporting agency, one of its affiliates, or a 
13third-party service provider. To the extent this requirement is 
14met using a third-party service provider or an affiliate, the 
15consumer credit reporting agency shall:
16        (1) retain responsibility for compliance with this 
17    Act;
18        (2) designate a senior member of the consumer credit 
19    reporting agency's personnel responsible for direction and 
20    oversight of the third-party service provider; and
21        (3) require the third-party service provider to 
22    maintain a cybersecurity program that protects the 
23    consumer credit reporting agency in accordance with the 
24    requirements of this Act.
25    (b) The chief information security officer of each consumer 
 
 
SB3204- 15 -LRB100 20137 XWW 35421 b

1credit reporting agency shall report in writing at least 
2annually to the consumer credit reporting agency's board of 
3directors or equivalent governing body. If no such board of 
4directors or equivalent governing body exists, such report 
5shall be timely presented to a senior officer of the consumer 
6credit reporting agency responsible for the consumer credit 
7reporting agency's cybersecurity program. The chief 
8information security officer shall report on the consumer 
9credit reporting agency's cybersecurity program and material 
10cybersecurity risks. The chief information security officer 
11shall consider to the extent applicable:
12        (1) the confidentiality of nonpublic information and 
13    the integrity and security of the consumer credit reporting 
14    agency's information systems;
15        (2) the consumer credit reporting agency's 
16    cybersecurity policies and procedures;
17        (3) material cybersecurity risks to the consumer 
18    credit reporting agency;
19        (4) overall effectiveness of the consumer credit 
20    reporting agency's cybersecurity program; and
21        (5) material cybersecurity events involving the 
22    consumer credit reporting agency during the time period 
23    addressed by the report.
 
24    Section 45. Penetration testing and vulnerability 
25assessments. The cybersecurity program for a consumer credit 
 
 
SB3204- 16 -LRB100 20137 XWW 35421 b

1reporting agency shall include monitoring and testing, 
2developed in accordance with the consumer credit reporting 
3agency's risk assessment, designed to assess the effectiveness 
4of the consumer credit reporting agency's cybersecurity 
5program. The monitoring and testing shall include continuous 
6monitoring or periodic penetration testing and vulnerability 
7assessments. Absent effective continuous monitoring or other 
8systems to detect, on an ongoing basis, changes in information 
9systems that may create or indicate vulnerabilities, consumer 
10credit agencies shall conduct:
11        (1) annual penetration testing of the consumer credit 
12    reporting agency's information systems determined each 
13    given year based on relevant identified risks in accordance 
14    with the risk assessment; and
15        (2) vulnerability assessments every 2 years, including 
16    any systematic scans or reviews of information systems 
17    reasonably designed to identify publicly known 
18    cybersecurity vulnerabilities in the consumer credit 
19    reporting agency's information systems based on the risk 
20    assessment.
 
21    Section 50. Audit trail.  
22    (a) Each consumer credit reporting agency shall securely 
23maintain systems that, to the extent applicable and based on 
24its risk assessment:
25        (1) are designed to reconstruct material financial 
 
 
SB3204- 17 -LRB100 20137 XWW 35421 b

1    transactions sufficient to support normal operations and 
2    obligations of the consumer credit reporting agency; and
3        (2) include audit trails designed to detect and respond 
4    to cybersecurity events that have a reasonable likelihood 
5    of materially harming any material part of the normal 
6    operations of the consumer credit reporting agency.
7    (b) Each consumer credit reporting agency shall maintain 
8records required by paragraph (1) of subsection (a)  for not 
9fewer than 5 years and shall maintain records required by 
10paragraph (2) of subsection (a)  for not fewer than 3 years.
 
11    Section 55. Access privileges. As part of its cybersecurity 
12program, based on the consumer credit reporting agency's risk 
13assessment, a  consumer credit reporting agency shall limit user 
14access privileges to information systems that provide access to 
15nonpublic information and shall periodically review such 
16access privileges. 
 
17    Section 60. Application security.   
18    (a) A consumer credit reporting agency's cybersecurity 
19program shall include written procedures, guidelines, and 
20standards designed to ensure the use of secure development 
21practices for in-house developed applications utilized by the 
22consumer credit reporting agency, and procedures for 
23evaluating, assessing, or testing the security of externally 
24developed applications utilized by the consumer credit 
 
 
SB3204- 18 -LRB100 20137 XWW 35421 b

1reporting agency within the context of the consumer credit 
2reporting agency's technology environment.
3    (b) All such procedures, guidelines, and standards shall be 
4periodically reviewed, assessed and updated as necessary by the 
5chief information security officer or a qualified designee of 
6the consumer credit reporting agency.
 
7    Section 65. Risk assessment.  
8    (a) A consumer credit reporting agency shall conduct a 
9periodic risk assessment of the consumer credit reporting 
10agency's information systems sufficient to inform the designer 
11of the cybersecurity program as required by this Act. Such risk 
12assessment shall be updated as reasonably necessary to address 
13changes to the consumer credit reporting agency's information 
14systems, nonpublic information or business operations. The 
15consumer credit reporting agency's risk assessment shall allow 
16revision of controls to respond to technological developments 
17and evolving threats and shall consider the particular risks of 
18the consumer credit reporting agency's business operations 
19related to cybersecurity, nonpublic information collected or 
20stored, information systems utilized, and the availability and 
21effectiveness of controls to protect nonpublic information and 
22information systems.
23    (b) The risk assessment shall be carried out in accordance 
24with written policies and procedures and shall be documented. 
25Such policies and procedures shall include:
 
 
SB3204- 19 -LRB100 20137 XWW 35421 b

1        (1) criteria for the evaluation and categorization of 
2    identified cybersecurity risks or threats facing the 
3    consumer credit reporting agency;
4        (2) criteria for the assessment of the 
5    confidentiality, integrity, security and availability of 
6    the consumer credit reporting agency's information systems 
7    and nonpublic information, including the adequacy of 
8    existing controls in the context of identified risks; and
9        (3) requirements describing how identified risks will 
10    be mitigated or accepted based on the risk assessment and 
11    how the cybersecurity program will address the risks.
 
12    Section 70. Cybersecurity personnel and intelligence. 
13    (a) In addition to the requirements set forth in Section 
1440,  a consumer credit reporting agency shall:
15        (1) utilize qualified cybersecurity personnel of the 
16    consumer credit reporting agency, an affiliate, or a 
17    third-party service provider sufficient to manage the 
18    consumer credit reporting agency's cybersecurity risks and 
19    to perform or oversee the performance of the core 
20    cybersecurity functions specified in paragraphs (1) 
21    through (6) of subsection (b) of Section 30;
22        (2) provide cybersecurity personnel with cybersecurity 
23    updates and training sufficient to address relevant 
24    cybersecurity risks; and
25        (3) verify that key cybersecurity personnel take steps 
 
 
SB3204- 20 -LRB100 20137 XWW 35421 b

1    to maintain current knowledge of changing cybersecurity 
2    threats and countermeasures.
3    (b) A consumer credit reporting agency may choose to 
4utilize an affiliate or qualified third-party service provider 
5to assist in complying with the requirements set forth in this 
6Act, subject to the requirements set forth in Section 75.
 
7    Section 75. Third-party service provider security policy.  
8    (a) Each consumer credit reporting agency shall implement 
9written policies and procedures designed to ensure the security 
10of information systems and nonpublic information that are 
11accessible to, or held by, third-party service providers. Such 
12policies and procedures shall be based on the risk assessment 
13of the consumer credit reporting agency and shall address to 
14the extent applicable:
15        (1) The identification and risk assessment of 
16    third-party service providers.
17        (2) Minimum cybersecurity practices required to be met 
18    by such third-party service providers in order for them to 
19    do business with the consumer credit reporting agency.
20        (3) Due diligence processes used to evaluate the 
21    adequacy of cybersecurity practices of such third-party 
22    service providers.
23        (4) Periodic assessment of such third-party service 
24    providers based on the risk they present and the continued 
25    adequacy of their cybersecurity practices.
 
 
SB3204- 21 -LRB100 20137 XWW 35421 b

1    (b) Such policies and procedures shall include relevant 
2guidelines for due diligence or contractual protections 
3relating to third-party service providers to the extent 
4applicable addressing:
5        (1) the third-party service provider's policies and 
6    procedures for access controls, including its use of 
7    multi-factor authentication as required by Section 80 of 
8    this Act, to limit access to relevant information systems 
9    and nonpublic information;
10        (2) the third-party service provider's policies and 
11    procedures for use of encryption as required by Section 95 
12    of this Act to protect nonpublic information in transit and 
13    at rest;
14        (3) notice to be provided to the consumer credit 
15    reporting agency in the event of a cybersecurity event 
16    directly impacting the consumer credit reporting agency's 
17    information systems or the consumer credit reporting 
18    agency's nonpublic information being held by the 
19    third-party service provider; and
20        (4) representations and warranties addressing the 
21    third-party service provider's cybersecurity policies and 
22    procedures that relate to the security of the consumer 
23    credit reporting agency's information systems or nonpublic 
24    information.
 
25    Section 80. Multi-factor authentication.  
 
 
SB3204- 22 -LRB100 20137 XWW 35421 b

1    (a) Based on its risk assessment, each consumer credit 
2reporting agency shall use effective controls, which may 
3include multi-factor authentication or risk-based 
4authentication, to protect against unauthorized access to 
5nonpublic information or information systems.
6    (b) Multi-factor authentication shall be utilized for any 
7individual accessing the consumer credit reporting agency's 
8internal networks from an external network, unless the consumer 
9credit reporting agency's chief information security officer 
10has approved in writing the use of reasonably equivalent or 
11more secure access controls.
 
12    Section 85. Limitations on data retention.   As part of its 
13cybersecurity program, a consumer credit reporting agency 
14shall include policies and procedures for the secure disposal 
15on a periodic basis of any nonpublic information that is no 
16longer necessary for business operations or for other 
17legitimate business purposes of the consumer credit reporting 
18agency, except where such information is otherwise required to 
19be retained by law or regulation, or where targeted disposal is 
20not reasonably feasible due to the manner in which the 
21information is maintained. 
 
22    Section 90. Training and monitoring. As part of its 
23cybersecurity program, each consumer credit reporting agency 
24shall:
 
 
SB3204- 23 -LRB100 20137 XWW 35421 b

1        (1) implement risk-based policies, procedures and 
2    controls designed to monitor the activity of authorized 
3    users and detect unauthorized access or use of, or 
4    tampering with, nonpublic information by such authorized 
5    users; and
6        (2) provide regular cybersecurity awareness training 
7    to all personnel that is updated to reflect risks 
8    identified by the consumer credit reporting agency in its 
9    risk assessment.
 
10    Section 95. Encryption of nonpublic information.   
11    (a) As part of its cybersecurity program, based on its risk 
12assessment, each consumer credit reporting agency shall 
13implement controls, including encryption, to protect nonpublic 
14information held or transmitted by the consumer credit 
15reporting agency both in transit over external networks and at 
16rest.
17        (1) To the extent a consumer credit reporting agency 
18    determines that encryption of nonpublic information in 
19    transit over external networks is infeasible, the consumer 
20    credit reporting agency may instead secure such nonpublic 
21    information using effective alternative compensating 
22    controls reviewed and approved by the consumer credit 
23    reporting agency's chief information security officer.
24        (2) To the extent a consumer credit reporting agency 
25    determines that encryption of nonpublic information at 
 
 
SB3204- 24 -LRB100 20137 XWW 35421 b

1    rest is infeasible, the consumer credit reporting agency 
2    may instead secure such nonpublic information using 
3    effective alternative compensating controls reviewed and 
4    approved by the consumer credit reporting agency's chief 
5    information security officer.
6    (b) To the extent that a consumer credit reporting agency 
7is utilizing compensating controls under subsection (a), the 
8feasibility of encryption and effectiveness of the 
9compensating controls shall be reviewed by the chief 
10information security officer at least annually.
 
11    Section 100. Incident response plan.  
12    (a) As part of its cybersecurity program, a consumer credit 
13reporting agency shall establish a written incident response 
14plan designed to promptly respond to, and recover from, any 
15cybersecurity event materially affecting the confidentiality, 
16integrity or availability of the consumer credit reporting 
17agency's information systems or the continuing functionality 
18of any aspect of the consumer credit reporting agency's 
19business or operations.
20    (b) Such incident response plan shall address the following 
21areas:
22        (1) the internal processes for responding to a 
23    cybersecurity event;
24        (2) the goals of the incident response plan;
25        (3) the definition of clear roles, responsibilities 
 
 
SB3204- 25 -LRB100 20137 XWW 35421 b

1    and levels of decision-making authority;
2        (4) external and internal communications and 
3    information sharing;
4        (5) identification of requirements for the remediation 
5    of any identified weaknesses in information systems and 
6    associated controls;
7        (6) documentation and reporting regarding 
8    cybersecurity events and related incident response 
9    activities; and
10        (7) the evaluation and revision as necessary of the 
11    incident response plan following a cybersecurity event.
 
12    Section 105. Notice to the Department. 
13    (a) A consumer credit reporting agency shall notify the 
14Department as promptly as possible but in no event later than 
1572 hours from a determination that a cybersecurity event has 
16occurred that is either of the following:
17        (1) cybersecurity events impacting the consumer credit 
18    reporting agency of which notice is required to be provided 
19    to a government body, self-regulatory agency or any other 
20    supervisory body; or
21        (2) cybersecurity events that have a reasonable 
22    likelihood of materially harming any material part of the 
23    normal operation of the consumer credit reporting agency.
24    (b) A consumer credit reporting agency shall submit to the 
25Department a written statement annually covering the prior 
 
 
SB3204- 26 -LRB100 20137 XWW 35421 b

1calendar year. This statement shall be submitted by February 
215th in such manner as determined acceptable by the Department, 
3certifying that the consumer credit reporting agency is in 
4compliance with the requirements set forth in this Act. Each 
5consumer credit reporting agency shall maintain all records, 
6schedules, and data supporting this certificate for a period of 
75 years for examination purposes conducted by the Department. 
8To the extent a consumer credit reporting agency has identified 
9areas, systems or processes that require material improvement, 
10updating or redesign, the consumer credit reporting agency 
11shall document the identification and the remedial efforts 
12planned and underway to address such areas, systems or 
13processes. Such documentation must be available for inspection 
14by the Department.
 
15    Section 110. Enforcement. This Act shall be enforced by the 
16Department pursuant to, and is not intended to limit, the 
17Department's authority under any applicable laws.
 
18    Section 115. Severability. If any provision of this Act or 
19the application thereof to any person or circumstance is 
20adjudged invalid by a court of competent jurisdiction, such 
21judgment shall not affect or impair the validity of the other 
22provisions of this Act or the application thereof to other 
23persons or circumstances.
 
 
24    Section 999. Effective date. This Act takes effect upon 
 
 
SB3204- 27 -LRB100 20137 XWW 35421 b

1becoming law.