102ND GENERAL ASSEMBLY
State of Illinois
2021 and 2022
HB3536

 

Introduced 2/22/2021, by Rep. Lamont J. Robinson, Jr.

 

SYNOPSIS AS INTRODUCED:
 
New Act

    Creates the Security of Connected Devices Act. Requires manufacturers of connected devices to equip the device with security features that are designed to protect the device and any information the device contains from unauthorized access, destruction, use, modification, or disclosure.


LRB102 12759 JLS 18098 b

 

 

A BILL FOR

 


    AN ACT concerning regulation.

    Be it enacted by the People of the State of Illinois, represented in the General Assembly:

    Section 1. Short title. This Act may be cited as the Security of Connected Devices Act.
 
    Section 5. Definitions. As used in this Act:
    "Authentication" means a method of verifying the authority of a user, process, or device to access resources in an information system.
    "Connected device" means any device, or other physical object that is capable of connecting to the Internet and that is assigned an Internet Protocol address or Bluetooth address.
    "Manufacturer" means the person who manufactures, or contracts with another person to manufacture on that person's behalf, connected devices that are sold or offered for sale in Illinois. A contract with another person to manufacture on the person's behalf does not, however, include a contract only to purchase a connected device, or only to purchase and brand a connected device.
    "Security feature" means a feature of a device designed to provide security for that device.
    "Unauthorized access, destruction, use, modification, or disclosure" means access, destruction, use, modification, or disclosure that is not authorized by the consumer.
 
    Section 10. Device requirements.
    (a) A manufacturer of a connected device shall equip the device with a reasonable security feature or features that are all of the following:
        (1) Appropriate to the nature and function of the device.
        (2) Appropriate to the information it may collect, contain, or transmit.
        (3) Designed to protect the device and any information contained in the device from unauthorized access, destruction, use, modification, or disclosure.
    (b) Subject to all of the requirements of subsection (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subsection (a) if either of the following requirements are met:
        (1) The preprogrammed password is unique to each device manufactured.
        (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
 
    Section 15. Exceptions.
    (a) This Act shall not be construed to impose any duty upon the manufacturer of a connected device related to unaffiliated third-party software or applications that a user chooses to add to a connected device.
    (b) This Act shall not be construed to impose any duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications, to review or enforce compliance with this title.
    (c) This Act shall not be construed to impose any duty upon the manufacturer of a connected device to prevent a user from having full control over a connected device, including the ability to modify the software or firmware running on the device at the user's discretion.
    (d) This Act does not apply to any connected device the functionality of which is subject to security requirements under federal law, regulations, or guidance promulgated by a federal agency pursuant to its regulatory enforcement authority.
    (e) This Act shall not be construed to provide a basis for a private right of action. The Attorney General shall have the exclusive authority to enforce this Act as an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.
    (f) The duties and obligations imposed by this Act are cumulative with any other duties or obligations imposed under other law, and shall not be construed to relieve any party from any duties or obligations imposed under other law.
    (g) This Act shall not be construed to limit the authority of a law enforcement agency to obtain connected device information from a manufacturer as authorized by law or pursuant to an order of a court.
    (h) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) is not subject to this Act with respect to any activity regulated by that Act.