|
| | SB3939 Engrossed | | LRB102 22761 RJF 31907 b |
|
|
1 | | AN ACT concerning cybersecurity.
|
2 | | Be it enacted by the People of the State of Illinois,
|
3 | | represented in the General Assembly:
|
4 | | Section 5. The Freedom of Information Act is amended by |
5 | | changing Section 7 as follows: |
6 | | (5 ILCS 140/7) (from Ch. 116, par. 207) |
7 | | Sec. 7. Exemptions.
|
8 | | (1) When a request is made to inspect or copy a public |
9 | | record that contains information that is exempt from |
10 | | disclosure under this Section, but also contains information |
11 | | that is not exempt from disclosure, the public body may elect |
12 | | to redact the information that is exempt. The public body |
13 | | shall make the remaining information available for inspection |
14 | | and copying. Subject to this requirement, the following shall |
15 | | be exempt from inspection and copying:
|
16 | | (a) Information specifically prohibited from |
17 | | disclosure by federal or
State law or rules and |
18 | | regulations implementing federal or State law.
|
19 | | (b) Private information, unless disclosure is required |
20 | | by another provision of this Act, a State or federal law or |
21 | | a court order. |
22 | | (b-5) Files, documents, and other data or databases |
23 | | maintained by one or more law enforcement agencies and |
|
| | SB3939 Engrossed | - 2 - | LRB102 22761 RJF 31907 b |
|
|
1 | | specifically designed to provide information to one or |
2 | | more law enforcement agencies regarding the physical or |
3 | | mental status of one or more individual subjects. |
4 | | (c) Personal information contained within public |
5 | | records, the disclosure of which would constitute a |
6 | | clearly
unwarranted invasion of personal privacy, unless |
7 | | the disclosure is
consented to in writing by the |
8 | | individual subjects of the information. "Unwarranted |
9 | | invasion of personal privacy" means the disclosure of |
10 | | information that is highly personal or objectionable to a |
11 | | reasonable person and in which the subject's right to |
12 | | privacy outweighs any legitimate public interest in |
13 | | obtaining the information. The
disclosure of information |
14 | | that bears on the public duties of public
employees and |
15 | | officials shall not be considered an invasion of personal
|
16 | | privacy.
|
17 | | (d) Records in the possession of any public body |
18 | | created in the course of administrative enforcement
|
19 | | proceedings, and any law enforcement or correctional |
20 | | agency for
law enforcement purposes,
but only to the |
21 | | extent that disclosure would:
|
22 | | (i) interfere with pending or actually and |
23 | | reasonably contemplated
law enforcement proceedings |
24 | | conducted by any law enforcement or correctional
|
25 | | agency that is the recipient of the request;
|
26 | | (ii) interfere with active administrative |
|
| | SB3939 Engrossed | - 3 - | LRB102 22761 RJF 31907 b |
|
|
1 | | enforcement proceedings
conducted by the public body |
2 | | that is the recipient of the request;
|
3 | | (iii) create a substantial likelihood that a |
4 | | person will be deprived of a fair trial or an impartial |
5 | | hearing;
|
6 | | (iv) unavoidably disclose the identity of a |
7 | | confidential source, confidential information |
8 | | furnished only by the confidential source, or persons |
9 | | who file complaints with or provide information to |
10 | | administrative, investigative, law enforcement, or |
11 | | penal agencies; except that the identities of |
12 | | witnesses to traffic accidents, traffic accident |
13 | | reports, and rescue reports shall be provided by |
14 | | agencies of local government, except when disclosure |
15 | | would interfere with an active criminal investigation |
16 | | conducted by the agency that is the recipient of the |
17 | | request;
|
18 | | (v) disclose unique or specialized investigative |
19 | | techniques other than
those generally used and known |
20 | | or disclose internal documents of
correctional |
21 | | agencies related to detection, observation or |
22 | | investigation of
incidents of crime or misconduct, and |
23 | | disclosure would result in demonstrable harm to the |
24 | | agency or public body that is the recipient of the |
25 | | request;
|
26 | | (vi) endanger the life or physical safety of law |
|
| | SB3939 Engrossed | - 4 - | LRB102 22761 RJF 31907 b |
|
|
1 | | enforcement personnel
or any other person; or
|
2 | | (vii) obstruct an ongoing criminal investigation |
3 | | by the agency that is the recipient of the request.
|
4 | | (d-5) A law enforcement record created for law |
5 | | enforcement purposes and contained in a shared electronic |
6 | | record management system if the law enforcement agency |
7 | | that is the recipient of the request did not create the |
8 | | record, did not participate in or have a role in any of the |
9 | | events which are the subject of the record, and only has |
10 | | access to the record through the shared electronic record |
11 | | management system. |
12 | | (d-6) Records contained in the Officer Professional |
13 | | Conduct Database under Section 9.2 9.4 of the Illinois |
14 | | Police Training Act, except to the extent authorized under |
15 | | that Section. This includes the documents supplied to the |
16 | | Illinois Law Enforcement Training Standards Board from the |
17 | | Illinois State Police and Illinois State Police Merit |
18 | | Board. |
19 | | (e) Records that relate to or affect the security of |
20 | | correctional
institutions and detention facilities.
|
21 | | (e-5) Records requested by persons committed to the |
22 | | Department of Corrections, Department of Human Services |
23 | | Division of Mental Health, or a county jail if those |
24 | | materials are available in the library of the correctional |
25 | | institution or facility or jail where the inmate is |
26 | | confined. |
|
| | SB3939 Engrossed | - 5 - | LRB102 22761 RJF 31907 b |
|
|
1 | | (e-6) Records requested by persons committed to the |
2 | | Department of Corrections, Department of Human Services |
3 | | Division of Mental Health, or a county jail if those |
4 | | materials include records from staff members' personnel |
5 | | files, staff rosters, or other staffing assignment |
6 | | information. |
7 | | (e-7) Records requested by persons committed to the |
8 | | Department of Corrections or Department of Human Services |
9 | | Division of Mental Health if those materials are available |
10 | | through an administrative request to the Department of |
11 | | Corrections or Department of Human Services Division of |
12 | | Mental Health. |
13 | | (e-8) Records requested by a person committed to the |
14 | | Department of Corrections, Department of Human Services |
15 | | Division of Mental Health, or a county jail, the |
16 | | disclosure of which would result in the risk of harm to any |
17 | | person or the risk of an escape from a jail or correctional |
18 | | institution or facility. |
19 | | (e-9) Records requested by a person in a county jail |
20 | | or committed to the Department of Corrections or |
21 | | Department of Human Services Division of Mental Health, |
22 | | containing personal information pertaining to the person's |
23 | | victim or the victim's family, including, but not limited |
24 | | to, a victim's home address, home telephone number, work |
25 | | or school address, work telephone number, social security |
26 | | number, or any other identifying information, except as |
|
| | SB3939 Engrossed | - 6 - | LRB102 22761 RJF 31907 b |
|
|
1 | | may be relevant to a requester's current or potential case |
2 | | or claim. |
3 | | (e-10) Law enforcement records of other persons |
4 | | requested by a person committed to the Department of |
5 | | Corrections, Department of Human Services Division of |
6 | | Mental Health, or a county jail, including, but not |
7 | | limited to, arrest and booking records, mug shots, and |
8 | | crime scene photographs, except as these records may be |
9 | | relevant to the requester's current or potential case or |
10 | | claim. |
11 | | (f) Preliminary drafts, notes, recommendations, |
12 | | memoranda and other
records in which opinions are |
13 | | expressed, or policies or actions are
formulated, except |
14 | | that a specific record or relevant portion of a
record |
15 | | shall not be exempt when the record is publicly cited
and |
16 | | identified by the head of the public body. The exemption |
17 | | provided in
this paragraph (f) extends to all those |
18 | | records of officers and agencies
of the General Assembly |
19 | | that pertain to the preparation of legislative
documents.
|
20 | | (g) Trade secrets and commercial or financial |
21 | | information obtained from
a person or business where the |
22 | | trade secrets or commercial or financial information are |
23 | | furnished under a claim that they are
proprietary, |
24 | | privileged, or confidential, and that disclosure of the |
25 | | trade
secrets or commercial or financial information would |
26 | | cause competitive harm to the person or business, and only |
|
| | SB3939 Engrossed | - 7 - | LRB102 22761 RJF 31907 b |
|
|
1 | | insofar as the claim directly applies to the records |
2 | | requested. |
3 | | The information included under this exemption includes |
4 | | all trade secrets and commercial or financial information |
5 | | obtained by a public body, including a public pension |
6 | | fund, from a private equity fund or a privately held |
7 | | company within the investment portfolio of a private |
8 | | equity fund as a result of either investing or evaluating |
9 | | a potential investment of public funds in a private equity |
10 | | fund. The exemption contained in this item does not apply |
11 | | to the aggregate financial performance information of a |
12 | | private equity fund, nor to the identity of the fund's |
13 | | managers or general partners. The exemption contained in |
14 | | this item does not apply to the identity of a privately |
15 | | held company within the investment portfolio of a private |
16 | | equity fund, unless the disclosure of the identity of a |
17 | | privately held company may cause competitive harm. |
18 | | Nothing contained in this
paragraph (g) shall be |
19 | | construed to prevent a person or business from
consenting |
20 | | to disclosure.
|
21 | | (h) Proposals and bids for any contract, grant, or |
22 | | agreement, including
information which if it were |
23 | | disclosed would frustrate procurement or give
an advantage |
24 | | to any person proposing to enter into a contractor |
25 | | agreement
with the body, until an award or final selection |
26 | | is made. Information
prepared by or for the body in |
|
| | SB3939 Engrossed | - 8 - | LRB102 22761 RJF 31907 b |
|
|
1 | | preparation of a bid solicitation shall be
exempt until an |
2 | | award or final selection is made.
|
3 | | (i) Valuable formulae,
computer geographic systems,
|
4 | | designs, drawings and research data obtained or
produced |
5 | | by any public body when disclosure could reasonably be |
6 | | expected to
produce private gain or public loss.
The |
7 | | exemption for "computer geographic systems" provided in |
8 | | this paragraph
(i) does not extend to requests made by |
9 | | news media as defined in Section 2 of
this Act when the |
10 | | requested information is not otherwise exempt and the only
|
11 | | purpose of the request is to access and disseminate |
12 | | information regarding the
health, safety, welfare, or |
13 | | legal rights of the general public.
|
14 | | (j) The following information pertaining to |
15 | | educational matters: |
16 | | (i) test questions, scoring keys and other |
17 | | examination data used to
administer an academic |
18 | | examination;
|
19 | | (ii) information received by a primary or |
20 | | secondary school, college, or university under its |
21 | | procedures for the evaluation of faculty members by |
22 | | their academic peers; |
23 | | (iii) information concerning a school or |
24 | | university's adjudication of student disciplinary |
25 | | cases, but only to the extent that disclosure would |
26 | | unavoidably reveal the identity of the student; and |
|
| | SB3939 Engrossed | - 9 - | LRB102 22761 RJF 31907 b |
|
|
1 | | (iv) course materials or research materials used |
2 | | by faculty members. |
3 | | (k) Architects' plans, engineers' technical |
4 | | submissions, and
other
construction related technical |
5 | | documents for
projects not constructed or developed in |
6 | | whole or in part with public funds
and the same for |
7 | | projects constructed or developed with public funds, |
8 | | including, but not limited to, power generating and |
9 | | distribution stations and other transmission and |
10 | | distribution facilities, water treatment facilities, |
11 | | airport facilities, sport stadiums, convention centers, |
12 | | and all government owned, operated, or occupied buildings, |
13 | | but
only to the extent
that disclosure would compromise |
14 | | security.
|
15 | | (l) Minutes of meetings of public bodies closed to the
|
16 | | public as provided in the Open Meetings Act until the |
17 | | public body
makes the minutes available to the public |
18 | | under Section 2.06 of the Open
Meetings Act.
|
19 | | (m) Communications between a public body and an |
20 | | attorney or auditor
representing the public body that |
21 | | would not be subject to discovery in
litigation, and |
22 | | materials prepared or compiled by or for a public body in
|
23 | | anticipation of a criminal, civil, or administrative |
24 | | proceeding upon the
request of an attorney advising the |
25 | | public body, and materials prepared or
compiled with |
26 | | respect to internal audits of public bodies.
|
|
| | SB3939 Engrossed | - 10 - | LRB102 22761 RJF 31907 b |
|
|
1 | | (n) Records relating to a public body's adjudication |
2 | | of employee grievances or disciplinary cases; however, |
3 | | this exemption shall not extend to the final outcome of |
4 | | cases in which discipline is imposed.
|
5 | | (o) Administrative or technical information associated |
6 | | with automated
data processing operations, including, but |
7 | | not limited to, software,
operating protocols, computer |
8 | | program abstracts, file layouts, source
listings, object |
9 | | modules, load modules, user guides, documentation
|
10 | | pertaining to all logical and physical design of |
11 | | computerized systems,
employee manuals, and any other |
12 | | information that, if disclosed, would
jeopardize the |
13 | | security of the system or its data or the security of
|
14 | | materials exempt under this Section.
|
15 | | (p) Records relating to collective negotiating matters
|
16 | | between public bodies and their employees or |
17 | | representatives, except that
any final contract or |
18 | | agreement shall be subject to inspection and copying.
|
19 | | (q) Test questions, scoring keys, and other |
20 | | examination data used to determine the qualifications of |
21 | | an applicant for a license or employment.
|
22 | | (r) The records, documents, and information relating |
23 | | to real estate
purchase negotiations until those |
24 | | negotiations have been completed or
otherwise terminated. |
25 | | With regard to a parcel involved in a pending or
actually |
26 | | and reasonably contemplated eminent domain proceeding |
|
| | SB3939 Engrossed | - 11 - | LRB102 22761 RJF 31907 b |
|
|
1 | | under the Eminent Domain Act, records, documents, and
|
2 | | information relating to that parcel shall be exempt except |
3 | | as may be
allowed under discovery rules adopted by the |
4 | | Illinois Supreme Court. The
records, documents, and |
5 | | information relating to a real estate sale shall be
exempt |
6 | | until a sale is consummated.
|
7 | | (s) Any and all proprietary information and records |
8 | | related to the
operation of an intergovernmental risk |
9 | | management association or
self-insurance pool or jointly |
10 | | self-administered health and accident
cooperative or pool.
|
11 | | Insurance or self insurance (including any |
12 | | intergovernmental risk management association or self |
13 | | insurance pool) claims, loss or risk management |
14 | | information, records, data, advice or communications.
|
15 | | (t) Information contained in or related to |
16 | | examination, operating, or
condition reports prepared by, |
17 | | on behalf of, or for the use of a public
body responsible |
18 | | for the regulation or supervision of financial
|
19 | | institutions, insurance companies, or pharmacy benefit |
20 | | managers, unless disclosure is otherwise
required by State |
21 | | law.
|
22 | | (u) Information that would disclose
or might lead to |
23 | | the disclosure of
secret or confidential information, |
24 | | codes, algorithms, programs, or private
keys intended to |
25 | | be used to create electronic signatures under the Uniform |
26 | | Electronic Transactions Act.
|
|
| | SB3939 Engrossed | - 12 - | LRB102 22761 RJF 31907 b |
|
|
1 | | (v) Vulnerability assessments, security measures, and |
2 | | response policies
or plans that are designed to identify, |
3 | | prevent, or respond to potential
attacks upon a |
4 | | community's population or systems, facilities, or |
5 | | installations,
the destruction or contamination of which |
6 | | would constitute a clear and present
danger to the health |
7 | | or safety of the community, but only to the extent that
|
8 | | disclosure could reasonably be expected to expose the |
9 | | vulnerability or jeopardize the effectiveness of the
|
10 | | measures , policies, or plans, or the safety of the |
11 | | personnel who implement them or the public.
Information |
12 | | exempt under this item may include such things as details
|
13 | | pertaining to the mobilization or deployment of personnel |
14 | | or equipment, to the
operation of communication systems or |
15 | | protocols, to cybersecurity vulnerabilities, or to |
16 | | tactical operations.
|
17 | | (w) (Blank). |
18 | | (x) Maps and other records regarding the location or |
19 | | security of generation, transmission, distribution, |
20 | | storage, gathering,
treatment, or switching facilities |
21 | | owned by a utility, by a power generator, or by the |
22 | | Illinois Power Agency.
|
23 | | (y) Information contained in or related to proposals, |
24 | | bids, or negotiations related to electric power |
25 | | procurement under Section 1-75 of the Illinois Power |
26 | | Agency Act and Section 16-111.5 of the Public Utilities |
|
| | SB3939 Engrossed | - 13 - | LRB102 22761 RJF 31907 b |
|
|
1 | | Act that is determined to be confidential and proprietary |
2 | | by the Illinois Power Agency or by the Illinois Commerce |
3 | | Commission.
|
4 | | (z) Information about students exempted from |
5 | | disclosure under Sections 10-20.38 or 34-18.29 of the |
6 | | School Code, and information about undergraduate students |
7 | | enrolled at an institution of higher education exempted |
8 | | from disclosure under Section 25 of the Illinois Credit |
9 | | Card Marketing Act of 2009. |
10 | | (aa) Information the disclosure of which is
exempted |
11 | | under the Viatical Settlements Act of 2009.
|
12 | | (bb) Records and information provided to a mortality |
13 | | review team and records maintained by a mortality review |
14 | | team appointed under the Department of Juvenile Justice |
15 | | Mortality Review Team Act. |
16 | | (cc) Information regarding interments, entombments, or |
17 | | inurnments of human remains that are submitted to the |
18 | | Cemetery Oversight Database under the Cemetery Care Act or |
19 | | the Cemetery Oversight Act, whichever is applicable. |
20 | | (dd) Correspondence and records (i) that may not be |
21 | | disclosed under Section 11-9 of the Illinois Public Aid |
22 | | Code or (ii) that pertain to appeals under Section 11-8 of |
23 | | the Illinois Public Aid Code. |
24 | | (ee) The names, addresses, or other personal |
25 | | information of persons who are minors and are also |
26 | | participants and registrants in programs of park |
|
| | SB3939 Engrossed | - 14 - | LRB102 22761 RJF 31907 b |
|
|
1 | | districts, forest preserve districts, conservation |
2 | | districts, recreation agencies, and special recreation |
3 | | associations. |
4 | | (ff) The names, addresses, or other personal |
5 | | information of participants and registrants in programs of |
6 | | park districts, forest preserve districts, conservation |
7 | | districts, recreation agencies, and special recreation |
8 | | associations where such programs are targeted primarily to |
9 | | minors. |
10 | | (gg) Confidential information described in Section |
11 | | 1-100 of the Illinois Independent Tax Tribunal Act of |
12 | | 2012. |
13 | | (hh) The report submitted to the State Board of |
14 | | Education by the School Security and Standards Task Force |
15 | | under item (8) of subsection (d) of Section 2-3.160 of the |
16 | | School Code and any information contained in that report. |
17 | | (ii) Records requested by persons committed to or |
18 | | detained by the Department of Human Services under the |
19 | | Sexually Violent Persons Commitment Act or committed to |
20 | | the Department of Corrections under the Sexually Dangerous |
21 | | Persons Act if those materials: (i) are available in the |
22 | | library of the facility where the individual is confined; |
23 | | (ii) include records from staff members' personnel files, |
24 | | staff rosters, or other staffing assignment information; |
25 | | or (iii) are available through an administrative request |
26 | | to the Department of Human Services or the Department of |
|
| | SB3939 Engrossed | - 15 - | LRB102 22761 RJF 31907 b |
|
|
1 | | Corrections. |
2 | | (jj) Confidential information described in Section |
3 | | 5-535 of the Civil Administrative Code of Illinois. |
4 | | (kk) The public body's credit card numbers, debit card |
5 | | numbers, bank account numbers, Federal Employer |
6 | | Identification Number, security code numbers, passwords, |
7 | | and similar account information, the disclosure of which |
8 | | could result in identity theft or impression or defrauding |
9 | | of a governmental entity or a person. |
10 | | (ll) Records concerning the work of the threat |
11 | | assessment team of a school district. |
12 | | (1.5) Any information exempt from disclosure under the |
13 | | Judicial Privacy Act shall be redacted from public records |
14 | | prior to disclosure under this Act. |
15 | | (2) A public record that is not in the possession of a |
16 | | public body but is in the possession of a party with whom the |
17 | | agency has contracted to perform a governmental function on |
18 | | behalf of the public body, and that directly relates to the |
19 | | governmental function and is not otherwise exempt under this |
20 | | Act, shall be considered a public record of the public body, |
21 | | for purposes of this Act. |
22 | | (3) This Section does not authorize withholding of |
23 | | information or limit the
availability of records to the |
24 | | public, except as stated in this Section or
otherwise provided |
25 | | in this Act.
|
26 | | (Source: P.A. 101-434, eff. 1-1-20; 101-452, eff. 1-1-20; |
|
| | SB3939 Engrossed | - 16 - | LRB102 22761 RJF 31907 b |
|
|
1 | | 101-455, eff. 8-23-19; 101-652, eff. 1-1-22; 102-38, eff. |
2 | | 6-25-21; 102-558, eff. 8-20-21; revised 11-22-21.) |
3 | | Section 10. The Department of Innovation and Technology |
4 | | Act is amended by adding Section 1-75 as follows: |
5 | | (20 ILCS 1370/1-75 new) |
6 | | Sec. 1-75. Local government cybersecurity designee. The |
7 | | principal executive officer, or his or her designee, of each |
8 | | municipality with a population of 35,000 or greater and of |
9 | | each county shall designate a local official or employee as |
10 | | the primary point of contact for local cybersecurity issues. |
11 | | Each jurisdiction must provide the name and contact |
12 | | information of the cybersecurity designee to the Department |
13 | | and update the information as necessary. |
14 | | Section 15. The Illinois Information Security Improvement |
15 | | Act is amended by changing Section 5-25 and by adding Section |
16 | | 5-30 as follows: |
17 | | (20 ILCS 1375/5-25)
|
18 | | Sec. 5-25. Responsibilities. |
19 | | (a) The Secretary shall: |
20 | | (1) appoint a Statewide Chief Information Security |
21 | | Officer pursuant to Section 5-20; |
22 | | (2) provide the Office with the staffing and resources |
|
| | SB3939 Engrossed | - 17 - | LRB102 22761 RJF 31907 b |
|
|
1 | | deemed necessary by the Secretary to fulfill the |
2 | | responsibilities of the Office; |
3 | | (3) oversee statewide information security policies |
4 | | and practices, including:
|
5 | | (A) directing and overseeing the development, |
6 | | implementation, and communication of statewide |
7 | | information security policies, standards, and |
8 | | guidelines; |
9 | | (B) overseeing the education of State agency |
10 | | personnel regarding the requirement to identify and |
11 | | provide information security protections commensurate |
12 | | with the risk and magnitude of the harm resulting from |
13 | | the unauthorized access, use, disclosure, disruption, |
14 | | modification, or destruction of information in a |
15 | | critical information system; |
16 | | (C) overseeing the development and implementation |
17 | | of a statewide information security risk management |
18 | | program; |
19 | | (D) overseeing State agency compliance with the |
20 | | requirements of this Section; |
21 | | (E) coordinating Information Security policies and |
22 | | practices with related information and personnel |
23 | | resources management policies and procedures; and |
24 | | (F) providing an effective and efficient process |
25 | | to assist State agencies with complying with the |
26 | | requirements of this Act ; and . |
|
| | SB3939 Engrossed | - 18 - | LRB102 22761 RJF 31907 b |
|
|
1 | | (4) subject to appropriation, establish a |
2 | | cybersecurity liaison program to advise and assist units |
3 | | of local government in identifying cyber threats, |
4 | | performing risk assessments, sharing best practices, and |
5 | | responding to cyber incidents. |
6 | | (b) The Statewide Chief Information Security Officer |
7 | | shall: |
8 | | (1) serve as the head of the Office and ensure the |
9 | | execution of the responsibilities of the Office as set |
10 | | forth in subsection (c) of Section 5-15, the Statewide |
11 | | Chief Information Security Officer shall also oversee |
12 | | State agency personnel with significant responsibilities |
13 | | for information security and ensure a competent workforce |
14 | | that keeps pace with the changing information security |
15 | | environment; |
16 | | (2) develop and recommend information security |
17 | | policies, standards, procedures, and guidelines to the |
18 | | Secretary for statewide adoption and monitor compliance |
19 | | with these policies, standards, guidelines, and procedures |
20 | | through periodic testing; |
21 | | (3) develop and maintain risk-based, cost-effective |
22 | | information security programs and control techniques to |
23 | | address all applicable security and compliance |
24 | | requirements throughout the life cycle of State agency |
25 | | information systems; |
26 | | (4) establish the procedures, processes, and |
|
| | SB3939 Engrossed | - 19 - | LRB102 22761 RJF 31907 b |
|
|
1 | | technologies to rapidly and effectively identify threats, |
2 | | risks, and vulnerabilities to State information systems, |
3 | | and ensure the prioritization of the remediation of |
4 | | vulnerabilities that pose risk to the State; |
5 | | (5) develop and implement capabilities and procedures |
6 | | for detecting, reporting, and responding to information |
7 | | security incidents; |
8 | | (6) establish and direct a statewide information |
9 | | security risk management program to identify information |
10 | | security risks in State agencies and deploy risk |
11 | | mitigation strategies, processes, and procedures; |
12 | | (7) establish the State's capability to sufficiently |
13 | | protect the security of data through effective information |
14 | | system security planning, secure system development, |
15 | | acquisition, and deployment, the application of protective |
16 | | technologies and information system certification, |
17 | | accreditation, and assessments; |
18 | | (8) ensure that State agency personnel, including |
19 | | contractors, are appropriately screened and receive |
20 | | information security awareness training; |
21 | | (9) convene meetings with agency heads and other State |
22 | | officials to help ensure: |
23 | | (A) the ongoing communication of risk and risk |
24 | | reduction strategies, |
25 | | (B) effective implementation of information |
26 | | security policies and practices, and |
|
| | SB3939 Engrossed | - 20 - | LRB102 22761 RJF 31907 b |
|
|
1 | | (C) the incorporation of and compliance with |
2 | | information security policies, standards, and |
3 | | guidelines into the policies and procedures of the |
4 | | agencies; |
5 | | (10) provide operational and technical assistance to |
6 | | State agencies in implementing policies, principles, |
7 | | standards, and guidelines on information security, |
8 | | including implementation of standards promulgated under |
9 | | subparagraph (A) of paragraph (3) of subsection (a) of |
10 | | this Section, and provide assistance and effective and |
11 | | efficient means for State agencies to comply with the |
12 | | State agency requirements under this Act; |
13 | | (11) in coordination and consultation with the |
14 | | Secretary and the Governor's Office of Management and |
15 | | Budget, review State agency budget requests related to |
16 | | Information Security systems and provide recommendations |
17 | | to the Governor's Office of Management and Budget; |
18 | | (12) ensure the preparation and maintenance of plans |
19 | | and procedures to provide cyber resilience and continuity |
20 | | of operations for critical information systems that |
21 | | support the operations of the State; and |
22 | | (13) take such other actions as the Secretary may |
23 | | direct.
|
24 | | (Source: P.A. 100-611, eff. 7-20-18; 101-81, eff. 7-12-19.) |
25 | | (20 ILCS 1375/5-30 new) |
|
| | SB3939 Engrossed | - 21 - | LRB102 22761 RJF 31907 b |
|
|
1 | | Sec. 5-30. Local government employee cybersecurity |
2 | | training. Every employee of a county or municipality shall |
3 | | annually complete a cybersecurity training program. The |
4 | | training shall include, but need not be limited to, detecting |
5 | | phishing scams, preventing spyware infections and identity |
6 | | theft, and preventing and responding to data breaches. The |
7 | | Department shall make available to each county and |
8 | | municipality a training program for employees that complies |
9 | | with the content requirements of this Section. A county or |
10 | | municipality may create its own cybersecurity training |
11 | | program. |
12 | | Section 20. The Illinois Procurement Code is amended by |
13 | | adding Section 25-90 as follows: |
14 | | (30 ILCS 500/25-90 new) |
15 | | Sec. 25-90. Cybersecurity prohibited products. State |
16 | | agencies are prohibited from purchasing any products that, due |
17 | | to cybersecurity risks, are prohibited for purchase by federal |
18 | | agencies pursuant to a United States Department of Homeland |
19 | | Security Binding Operational Directive.
|