101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020
HB3391

 

Introduced , by Rep. Diane Pappas

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Security of Connected Devices Act. Requires manufacturers of connected devices to equip the device with security features that are designed to protect the device and any information the device contains from unauthorized access, destruction, use, modification, or disclosure.


LRB101 09162 JLS 54256 b

 

 

A BILL FOR

 

HB3391 LRB101 09162 JLS 54256 b

    AN ACT concerning regulation.

    Be it enacted by the People of the State of Illinois, represented in the General Assembly:

    Section 1. Short title. This Act may be cited as the Security of Connected Devices Act.
 
    Section 5. Definitions. As used in this Act:
    "Authentication" means a method of verifying the authority of a user, process, or device to access resources in an information system.
    "Connected device" means any device, or other physical object that is capable of connecting to the Internet and that is assigned an Internet Protocol address or Bluetooth address.
    "Manufacturer" means the person who manufactures, or contracts with another person to manufacture on that person's behalf, connected devices that are sold or offered for sale in Illinois. A contract with another person to manufacture on the person's behalf does not, however, include a contract only to purchase a connected device, or only to purchase and brand a connected device.
    "Security feature" means a feature of a device designed to provide security for that device.
    "Unauthorized access, destruction, use, modification, or disclosure" means access, destruction, use, modification, or disclosure that is not authorized by the consumer.
 
    Section 10. Device requirements.
    (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:
        (1) Appropriate to the nature and function of the device.
        (2) Appropriate to the information it may collect, contain, or transmit.
        (3) Designed to protect the device and any information contained in the device from unauthorized access, destruction, use, modification, or disclosure.
    (b) Subject to all of the requirements of subsection (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subsection (a) if either of the following requirements are met:
        (1) The preprogrammed password is unique to each device manufactured.
        (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
 
    Section 15. Exceptions.
    (a) This Act shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.
    (b) This Act shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.
    (c) This Act shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user's discretion.
    (d) This Act does not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.
    (e) This Act shall not be construed to provide a basis for a private right of action. The Attorney General shall have the exclusive authority to enforce this Act as an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.
    (f) The duties and obligations imposed by this Act are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.
    (g) This Act shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court.
    (h) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) is not subject to this Act with respect to any activity regulated by that Act.