103RD GENERAL ASSEMBLY State of Illinois 2023 and 2024 HB5483   Introduced 2/9/2024, by Rep. Edgar Gonzalez, Jr.   SYNOPSIS AS INTRODUCED:   30 ILCS 5/3-2.4 30 ILCS 5/3-4   from Ch. 15, par. 303-4 30 ILCS 5/3-14   from Ch. 15, par. 303-14 30 ILCS 5/3-15   from Ch. 15, par. 303-15 30 ILCS 5/6-1   from Ch. 15, par. 306-1     Amends the Illinois State Auditing Act. Provides that in order to protect and preserve the integrity, security, and confidentiality of the network, infrastructure, and data of a State agency, any findings resulting from the testing conducted under the provisions shall be included within the applicable State agency's compliance examination report and made available only to the applicable State agency under review. Provides that in order to protect and preserve the integrity, security, and confidentiality of the network, infrastructure, and data of a State agency, any investigations, findings, and recommendations pertaining to State agencies and their information technology controls, privacy programs and practices, and cybersecurity programs and practices, must be redacted and withheld from public disclosure. Restricts the Auditor General from disclosing the contents of the specific findings or recommendations except as permitted. Provides that all audit reports shall be maintained in the Office of the Auditor General as a public record. Establishes that where records or information are required to be disclosed, the Office of the Auditor General shall collect, maintain, and store, all records or information classified as confidential, legally protected, or maintaining an equivalent or greater privacy designation, under the same or greater privacy and security requirements to which such records or information were disclosed by the State agency to the Office of the Auditor General. Effective immediately. LRB103 37636 MXP 67763 b     A BILL FOR
HB5483 LRB103 37636 MXP 67763 b
1		AN ACT concerning transportation.
2		Be it enacted by the People of the State of Illinois,
3		represented in the General Assembly:
4		Section 5. The Illinois State Auditing Act is amended by
5		changing Sections 3-2.4, 3-4, 3-14, 3-15, and 6-1 as follows:
6		(30 ILCS 5/3-2.4)
7		Sec. 3-2.4. Cybersecurity audit.
8		(a) In conjunction with its annual compliance examination
9		program, the Auditor General shall review State agencies and
10		their cybersecurity programs and practices, with a particular
11		focus on agencies holding large volumes of personal
12		information.
13		(b) The review required under this Section shall, at a
14		minimum, assess the following:
15		(1) the effectiveness of State agency cybersecurity
16		practices;
17		(2) the risks or vulnerabilities of the cybersecurity
18		systems used by State agencies;
19		(3) the types of information that are most susceptible
20		to attack;
21		(4) ways to improve cybersecurity and eliminate
22		vulnerabilities to State cybersecurity systems; and
23		(5) any other information concerning the cybersecurity

HB5483 - 2 - LRB103 37636 MXP 67763 b
1		of State agencies that the Auditor General deems necessary
2		and proper.
3		(c) In order to protect and preserve the integrity,
4		security, and confidentiality of the network, infrastructure,
5		and data of a State agency, any Any findings resulting from the
6		testing conducted under this Section shall be included within
7		the applicable State agency's compliance examination report
8		and made available only to the applicable State agency under
9		review. Each compliance examination report shall be issued in
10		accordance with the provisions of Section 3-14. A copy of the
11		report shall also be delivered to the head of the applicable
12		State agency and posted on the Auditor General's website.
13		(Source: P.A. 100-914, eff. 1-1-19.)
14		(30 ILCS 5/3-4)  (from Ch. 15, par. 303-4)
15		Sec. 3-4. Investigations.
16		The Auditor General shall make such investigations as are
17		directed by either house of the General Assembly or by the
18		Commission in a resolution specifying the acts, transactions
19		or practices to be the subject of the investigation.
20		The resolution directing such an investigation may specify
21		to whom the Auditor General shall make his findings and
22		recommendations after the investigation and whether those
23		findings and recommendations are to be made public.
24		Unless the resolution directing the investigation provides
25		otherwise, the Auditor General shall direct and provide his

HB5483 - 3 - LRB103 37636 MXP 67763 b
1		findings and recommendations to the Commission, to the
2		Governor, to the official in charge of each agency included in
3		the investigation and to each person who was named
4		individually as a subject of investigation by the directing
5		resolution, except as restricted hereunder. No other publicity
6		shall be given to the report and recommendations other than is
7		provided by this paragraph.
8		The Auditor General may recommend to the Commission that
9		an investigation be directed with regard to any matter which
10		he believes to be in the public interest to investigate.
11		In order to protect and preserve the integrity, security,
12		and confidentiality of the network, infrastructure, and data
13		of a State agency, any investigations, findings, and
14		recommendations pertaining to State agencies and their
15		information technology controls, privacy programs and
16		practices, and cybersecurity programs and practices, must be
17		redacted and withheld from public disclosure.
18		Investigations, findings, and recommendations under this
19		Section, pertaining to State agencies and their information
20		technology controls, privacy programs and practices, and
21		cybersecurity programs and practices, shall be made available
22		only to the applicable State agency under review, shall be
23		delivered to the official in charge of the agency included
24		within the investigation, and shall be delivered to each
25		person who was named individually as a subject of the
26		investigation by the directing resolution.

HB5483 - 4 - LRB103 37636 MXP 67763 b
1		When investigations are directed under this Section, and
2		pertain to State agencies and their information technology
3		controls, privacy programs and practices, and cybersecurity
4		programs and practices, the Auditor General shall direct and
5		provide the numerical number of findings and affirmatively
6		state whether recommendations were made, to those specified by
7		the resolution directing such an investigation and all others
8		required by this Section. At no time may the Auditor General
9		disclose the contents of the specific findings or
10		recommendations except as permitted hereunder.
11		(Source: P.A. 78-884.)
12		(30 ILCS 5/3-14)  (from Ch. 15, par. 303-14)
13		Sec. 3-14. Audit reports. Upon completion of any audit the
14		Auditor General shall issue an audit report which shall
15		include: a precise statement of the scope of the audit or
16		review, a statement of the material findings resulting from
17		the audit, a statement of the underlying cause, evaluative
18		criteria used and the current and prospective significance
19		thereof and a statement of explanation or rebuttal which may
20		have been submitted by the agency audited relevant to the
21		audit findings included in the report.
22		As part of this report the Auditor General shall prepare a
23		signed digest of the legislatively significant matters of the
24		report and, as may be applicable, a concise statement of (1)
25		any actions taken or contemplated by persons or agencies

HB5483 - 5 - LRB103 37636 MXP 67763 b
1		subsequent to the completion of the audit but prior to the
2		release of the report, which bear on matters in the report, (2)
3		any actions the Auditor General considers necessary or
4		desirable, and (3) any other information the Auditor General
5		deems useful to the General Assembly in order to understand or
6		act on any matters presented in the audit.
7		The Auditor General shall submit a copy of each audit
8		report to the Commission, the Governor, the Speaker and
9		minority leader of the House of Representatives and the
10		President and minority leader of the Senate.
11		All audit reports shall be maintained in the Office of the
12		Auditor General as a public record, subject to Section 3-11.
13		In order to protect and preserve the integrity, security,
14		and confidentiality of the network, infrastructure, and data
15		of a State agency, all audit reports containing findings and
16		recommendations pertaining to State agencies and their
17		information technology controls, privacy programs and
18		practices, and cybersecurity programs and practices, must be
19		redacted and withheld from public disclosure. The unredacted
20		findings and recommendations pertaining to State agencies and
21		their cybersecurity programs and practices shall be made
22		available only to the applicable State agency under review;
23		provided however, a State agency may disclose findings and
24		recommendations to a duly authorized third-party who is
25		providing services or otherwise assisting the State agency
26		subject to the findings and recommendations with its

HB5483 - 6 - LRB103 37636 MXP 67763 b
1		cybersecurity plan and operations.
2		All audit reports shall be maintained in the Office of the
3		Auditor General as a public record, subject to Section 3-11.
4		If the post audit of a State agency discloses an apparent
5		violation of a penal statute or an apparent instance of
6		misfeasance, malfeasance or nonfeasance, by any person,
7		relating to the obligation, expenditure, receipt or use of
8		public funds of the State, the Auditor General shall
9		immediately make a written report to the Commission and the
10		Governor stating that to be the case and setting forth the
11		underlying facts that have led to that conclusion.
12		(Source: P.A. 82-368.)
13		(30 ILCS 5/3-15)  (from Ch. 15, par. 303-15)
14		Sec. 3-15. Reports of Auditor General. By March 1, each
15		year, the Auditor General shall submit to the Commission, the
16		General Assembly and the Governor an annual report summarizing
17		all audits, investigations and special studies made under this
18		Act during the last preceding calendar year.
19		As it relates to information technology controls, privacy
20		programs and practices, and cybersecurity findings and
21		recommendations, in order to protect and preserve the
22		integrity, security, and confidentiality of the network,
23		infrastructure, and data of a State agency, reports under this
24		Section may only contain the numerical number of information
25		technology controls, privacy programs and practices, and

HB5483 - 7 - LRB103 37636 MXP 67763 b
1		cybersecurity findings and affirmatively state whether
2		recommendations were made. At no time may the Auditor General
3		disclose the contents of the specific findings or
4		recommendations except as permitted hereunder.
5		Once each 3 months, the Auditor General shall submit to
6		the Commission a quarterly report concerning the operation of
7		his office, including relevant fiscal and personnel matters,
8		details of any contractual services utilized during that
9		period, a summary of audits and studies still in process and
10		such other information as the Commission requires.
11		The Auditor General shall prepare and distribute such
12		other reports as may be required by the Commission.
13		All post audits directed by resolution of the House or
14		Senate shall be reported to the members of the General
15		Assembly, unless the directing resolution specifies otherwise.
16		The requirement for reporting to the General Assembly
17		shall be satisfied by filing copies of the report as required
18		by Section 3.1 of the General Assembly Organization Act, and
19		filing such additional copies with the State Government Report
20		Distribution Center for the General Assembly as is required
21		under paragraph (t) of Section 7 of the State Library Act.
22		(Source: P.A. 100-1148, eff. 12-10-18.)
23		(30 ILCS 5/6-1)  (from Ch. 15, par. 306-1)
24		Sec. 6-1. Effect on other laws. The powers and duties of
25		the Auditor General under this Act and the system of audits

HB5483 - 8 - LRB103 37636 MXP 67763 b
1		established by this Act are in addition to any other powers,
2		duties or audits required or authorized by law.
3		Where records or information are classified as
4		confidential, legally protected, or records or information
5		with maintain an equivalent or greater privacy designation, by
6		or pursuant to law, such records or information shall be
7		disclosed to the Office of the Auditor General as necessary
8		and to the extent required for the performance of an
9		authorized post audit. Federal tax information shall only be
10		provided in accordance with federal law and regulation
11		applicable to the safeguarding of federal tax information.
12		Where records or information are required to be disclosed,
13		the Office of the Auditor General shall collect, maintain, and
14		store, all records or information classified as confidential,
15		legally protected, or with maintaining an equivalent or
16		greater privacy designation, under the same or greater privacy
17		and security requirements to which such records or information
18		were disclosed by the State agency to the Office of the Auditor
19		General.
20		Confidential records or information disclosed to the
21		Office of the Auditor General shall be subject to the same
22		legal, confidentiality, legal confidentiality and protective
23		restrictions in the Office of the Auditor General as such
24		records and information have in the hands of the official
25		authorized custodian. Any penalties applicable to the
26		officially authorized custodian or his employees for the

HB5483 - 9 - LRB103 37636 MXP 67763 b
1		violation of any confidentiality or protective restrictions
2		applicable to such records or information shall also apply to
3		the officers, employees, contractors, and agents of the Office
4		of the Auditor General.
5		The Office of the Auditor General may not publish any
6		confidential legally protected, or records or information with
7		an equivalent or greater privacy designation, information or
8		records in any report, including data and statistics, if such
9		information as published is directly or indirectly matchable
10		to any individual.
11		The Office of the Auditor General may not publish any
12		records or information in any report, generated by, through,
13		in conjunction with, or on behalf of the Office of the Auditor
14		General, which includes any of the following data disclosed by
15		a State agency: Cybersecurity assessments, cybersecurity
16		measures, and cybersecurity response policies or plans and the
17		like, that are designed to identify, prevent, or respond to
18		potential cyberattacks upon a public body or agency's
19		personnel or systems, facilities, or installations, the
20		destruction or exploitation of which would constitute a clear
21		and present danger to the health, safety or security of the
22		public body or agency. For the purposes of this Section,
23		records and information detailing the mobilization and
24		deployment of personnel, vendors, teams, or equipment in
25		preparation or response to a cybersecurity policy or plan and
26		the like, the cybersecurity or privacy product and solutions

HB5483 - 10 - LRB103 37636 MXP 67763 b
1		names or configurations and the like, the operation of
2		communication systems or protocols and the like, or other
3		cybersecurity operations and the like, may not be published.
4		Inside the Office of the Auditor General, confidential
5		legally protected, or records or information with an
6		equivalent or greater privacy designation, records or
7		information may be used only for official purposes.
8		Any officer, employee, contractor, or agent of the Office
9		of the Auditor General who violates any legal confidentiality
10		or protective restriction, or privacy and security
11		requirement, governing any records or information shall be
12		guilty of a Class A misdemeanor unless a greater penalty is
13		otherwise provided by law.
14		Where this Act expressly governs or grants authority for
15		regulations to govern other auditing procedures, this Act
16		supersedes all other statutes to the contrary. To the extent
17		that this Act conflicts with another statute, this Act
18		prevails.
19		Except as provided in this Section, this Act does not
20		supersede or repeal by implication any other statute.
21		(Source: P.A. 102-61, eff. 7-9-21.)
22		Section 99. Effective date. This Act takes effect upon
23		becoming law.