Full Text of HB5398 101st General Assembly
HB5398 101ST GENERAL ASSEMBLY |
| | 101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020 HB5398 Introduced , by Rep. Grant Wehrli - Avery Bourne - Amy Grant - Dan Ugaste SYNOPSIS AS INTRODUCED: |
| |
Creates the Illinois Cyber Reserve Act. Establishes the Illinois Cyber Reserve, to be administered by the Illinois Emergency Management Agency, in order to deploy volunteers upon the occurrence of a cybersecurity incident. Contains provisions regarding volunteer requirements, criminal history checks, and civil liability. Requires volunteers to provide assistance for 6 years from the time of deployment or for the time required under the Agency's record retention policies, whichever is longer, and assistance to be for 7 days unless a different period is specified in writing. Creates the Illinois Cyber Reserve Advisory Board as an advisory body within the Agency and tasks it with reviewing and making recommendations regarding the policies and procedures used in implementing the Act. Requires the Agency to publish guidelines for the operation of the Illinois Cyber Reserve program and provides minimum requirements for the guidelines. Allows the Agency to enter into contracts with clients, provide training to individuals, and establish a fee schedule for clients. Provides that specified information given to the Illinois Cyber Reserve or obtained under the Act is exempt from disclosure under the Freedom of Information Act. Provides that the Agency shall adopt any rules necessary for the implementation and administration of the Act.
|
| |
| | A BILL FOR |
|
| | | HB5398 | | LRB101 16599 CPF 65983 b |
|
| 1 | | AN ACT concerning safety.
| 2 | | Be it enacted by the People of the State of Illinois,
| 3 | | represented in the General Assembly:
| 4 | | Section 1. Short title. This Act may be cited as the | 5 | | Illinois Cyber Reserve Act. | 6 | | Section 5. Definitions. In this Act: | 7 | | "Advisory Board" means the Illinois Cyber Reserve Advisory | 8 | | Board created under Section 40. | 9 | | "Agency" means the Illinois Emergency Management Agency. | 10 | | "Chief information officer" means the individual within | 11 | | the Agency designated by the Governor as the chief information | 12 | | officer for this State. | 13 | | "Client" means a municipal, educational, nonprofit, or | 14 | | business organization that has requested and is using the rapid | 15 | | response assistance of the Illinois Cyber Reserve under the | 16 | | direction of the Agency. | 17 | | "Cybersecurity incident" means an event occurring on or | 18 | | conducted through a computer network that actually or | 19 | | imminently jeopardizes the integrity, confidentiality, or | 20 | | availability of computers, information or communications | 21 | | systems or networks, physical or virtual infrastructure | 22 | | controlled by computers or information systems, or information | 23 | | resident on any of these. "Cybersecurity incident" includes, |
| | | HB5398 | - 2 - | LRB101 16599 CPF 65983 b |
|
| 1 | | but is not limited to, the existence of a vulnerability in an | 2 | | information system, system security procedures, internal | 3 | | controls, or implementation that is subject to exploitation. | 4 | | "Illinois Cyber Reserve" means the program established | 5 | | under this Act under which civilian volunteers who have | 6 | | expertise in addressing cybersecurity incidents may volunteer | 7 | | at the invitation of the Agency to provide rapid response | 8 | | assistance to a municipal, educational, nonprofit, or business | 9 | | organization in need of expert assistance during a | 10 | | cybersecurity incident. | 11 | | "Illinois Cyber Reserve volunteer" means an individual who | 12 | | has entered into a volunteer agreement with the Agency to serve | 13 | | as a volunteer in the Illinois Cyber Reserve. | 14 | | "Volunteer agreement" means the contract entered into | 15 | | between the Agency and an Illinois Cyber Reserve volunteer | 16 | | under Section 15.
| 17 | | Section 10. Appointment of volunteers. The Agency may | 18 | | appoint individuals to serve as Illinois Cyber Reserve | 19 | | volunteers for the purposes of facilitating the | 20 | | responsibilities of the Agency as provided under this Act. | 21 | | Section 15. Volunteer agreement. The Agency shall enter | 22 | | into a contract with any individual who wishes to accept an | 23 | | invitation by the Agency to serve as an Illinois Cyber Reserve | 24 | | volunteer. The contract must include, at a minimum, all of the |
| | | HB5398 | - 3 - | LRB101 16599 CPF 65983 b |
|
| 1 | | following: | 2 | | (1) A provision acknowledging the confidentiality of | 3 | | information relating to this State, State residents, and | 4 | | clients. | 5 | | (2) A provision protecting from disclosure any | 6 | | confidential information of this State, State residents, | 7 | | or clients acquired by the Illinois Cyber Reserve volunteer | 8 | | through participation in the Illinois Cyber Reserve. | 9 | | (3) A provision requiring the Illinois Cyber Reserve | 10 | | volunteer to avoid conflicts of interest that might arise | 11 | | from a particular deployment. | 12 | | (4) A provision requiring the Illinois Cyber Reserve | 13 | | volunteer to comply with all existing Agency security | 14 | | policies and procedures regarding information technology | 15 | | resources. | 16 | | (5) A provision requiring the Illinois Cyber Reserve | 17 | | volunteer to consent to background screening considered | 18 | | appropriate by the Agency under this Act, and a provision | 19 | | in which the individual gives that consent as described in | 20 | | Section 20. | 21 | | (6) A provision requiring the Illinois Cyber Reserve | 22 | | volunteer to attest that he or she meets any standards of | 23 | | expertise that may be established by the Agency. | 24 | | Section 20. Clearance to become a volunteer; requirements. | 25 | | (a) When an individual accepts an invitation to serve as an |
| | | HB5398 | - 4 - | LRB101 16599 CPF 65983 b |
|
| 1 | | Illinois Cyber Reserve volunteer as described in Section 15 the | 2 | | Agency shall request the Illinois State Police to do both of | 3 | | the following: | 4 | | (1) Conduct a criminal history check on the individual. | 5 | | (2) Conduct a criminal records check through the | 6 | | Federal Bureau of Investigation on the individual.
| 7 | | (b) An individual who accepts an invitation to the Illinois | 8 | | Cyber Reserve shall give written consent in the volunteer | 9 | | agreement for the Illinois State Police to conduct the criminal | 10 | | history check and criminal records check required under | 11 | | subsection (a). The Agency shall require the individual to | 12 | | submit his or her fingerprints to the Illinois State Police and | 13 | | the Federal Bureau of Investigation for the criminal records | 14 | | check. | 15 | | (c) The Agency shall request a criminal history check and | 16 | | criminal records check under this Section on all individuals | 17 | | who wish to participate as Illinois Cyber Reserve volunteers. | 18 | | The Agency shall make the request on a form and in the manner | 19 | | prescribed by the Illinois State Police. | 20 | | (d) Within a reasonable time after receiving a complete | 21 | | request by the Agency for a criminal history check and criminal | 22 | | records check on an individual under this Section, the Illinois | 23 | | State Police shall conduct the criminal history check and | 24 | | provide a report of the results to the Agency. The report must | 25 | | indicate that the individual is cleared or not cleared to | 26 | | become an Illinois Cyber Reserve volunteer. |
| | | HB5398 | - 5 - | LRB101 16599 CPF 65983 b |
|
| 1 | | (e) Within a reasonable time after receiving a proper | 2 | | request by the Agency for a criminal records check on an | 3 | | individual under this Section, the Illinois State Police shall | 4 | | initiate the criminal records check with the Federal Bureau of | 5 | | Investigation. After receiving the results of the criminal | 6 | | records check from the Federal Bureau of Investigation, the | 7 | | Illinois State Police shall provide a report to the Agency that | 8 | | indicates that the individual is cleared or not cleared to | 9 | | become an Illinois Cyber Reserve volunteer. | 10 | | (f) If a criminal arrest fingerprint is subsequently | 11 | | submitted to the Illinois State Police and matches against a | 12 | | fingerprint that was submitted under this Act and stored in its | 13 | | automated fingerprint identification system database, the | 14 | | Illinois State Police shall notify the Agency that the | 15 | | individual is still cleared or is no longer cleared to continue | 16 | | as an Illinois Cyber Reserve volunteer. When the Illinois State | 17 | | Police is able to participate with the Federal Bureau of | 18 | | Investigation automatic notification system, then any | 19 | | subsequent arrest fingerprint submitted to the Federal Bureau | 20 | | of Investigation must also be reviewed by the Illinois State | 21 | | Police. The Illinois State Police shall provide a report to the | 22 | | Agency that indicates that the individual is still cleared or | 23 | | is no longer cleared to continue as an Illinois Cyber Reserve | 24 | | volunteer.
| 25 | | Section 25. Nature of the conduct of volunteers. |
| | | HB5398 | - 6 - | LRB101 16599 CPF 65983 b |
|
| 1 | | (a) An Illinois Cyber Reserve volunteer is not an agent, | 2 | | employee, or independent contractor of this State for any | 3 | | purpose and has no authority to bind this State with regard to | 4 | | third parties. | 5 | | (b) This State is not liable to an Illinois Cyber Reserve | 6 | | volunteer for personal injury or property damage suffered by | 7 | | the Illinois Cyber Reserve volunteer through participation in | 8 | | the Illinois Cyber Reserve. | 9 | | Section 30. Civil liability. Any Illinois Cyber Reserve | 10 | | volunteer who in good faith provides professional services in | 11 | | response to a cybersecurity incident shall not be liable for | 12 | | civil damages as a result of his or her acts or omissions in | 13 | | providing the professional services, except for willful and | 14 | | wanton misconduct. This immunity applies to services that are | 15 | | provided during or within the time of deployment for a | 16 | | cybersecurity incident. | 17 | | Section 35. Initiation of deployment. | 18 | | (a) On the occurrence of a cybersecurity incident that | 19 | | affects a client, the client may request the Agency to deploy | 20 | | one or more Illinois Cyber Reserve volunteers to provide rapid | 21 | | response assistance under the direction of the Agency. | 22 | | (b) The Agency, in its discretion, may initiate deployment | 23 | | of Illinois Cyber Reserve volunteers upon the occurrence of a | 24 | | cybersecurity incident and the request of a client. |
| | | HB5398 | - 7 - | LRB101 16599 CPF 65983 b |
|
| 1 | | (c) Acceptance of a deployment by an Illinois Cyber Reserve | 2 | | volunteer for a particular cybersecurity incident must be made | 3 | | in writing. An Illinois Cyber Reserve volunteer may decline to | 4 | | accept deployment for any reason. | 5 | | (d) To initiate the deployment of an Illinois Cyber Reserve | 6 | | volunteer for a particular cybersecurity incident, the Agency | 7 | | shall indicate in writing that the Illinois Cyber Reserve | 8 | | volunteer is authorized to provide the assistance. A single | 9 | | writing may initiate the deployment of more than one Illinois | 10 | | Cyber Reserve volunteer. | 11 | | (e) The Agency shall maintain a writing initiating the | 12 | | deployment of an Illinois Cyber Reserve volunteer to provide | 13 | | assistance to a client for 6 years from the time of deployment | 14 | | or for the time required under the Agency's record retention | 15 | | policies, whichever is longer. | 16 | | (f) The deployment of an Illinois Cyber Reserve volunteer | 17 | | to provide assistance to a client must be for 7 days unless the | 18 | | writing initiating the deployment contains a different period. | 19 | | (g) At the direction of the Agency, the deployment of an | 20 | | Illinois Cyber Reserve volunteer may be extended in writing in | 21 | | the same manner as the initial deployment.
| 22 | | Section 40. Illinois Cyber Reserve Advisory Board. | 23 | | (a) The Illinois Cyber Reserve Advisory Board is created as | 24 | | an advisory body within the Agency. | 25 | | (b) The Advisory Board is composed of the adjutant general, |
| | | HB5398 | - 8 - | LRB101 16599 CPF 65983 b |
|
| 1 | | the Director of the Agency, the Director of State Police, and | 2 | | the Director of the Department of Commerce and Economic | 3 | | Opportunity or their designees. | 4 | | (c) The Advisory Board shall review and make | 5 | | recommendations to the Agency regarding the policies and | 6 | | procedures used by the Agency in implementing this Act. | 7 | | Section 45. Powers and duties of the Agency. | 8 | | (a) After consultation with the Advisory Board, the chief | 9 | | information officer shall do both of the following: | 10 | | (1) Approve the set of tools that the Illinois Cyber | 11 | | Reserve may use in response to a cybersecurity incident. | 12 | | (2) Determine the standards of expertise necessary for | 13 | | an individual to become a member of the Illinois Cyber | 14 | | Reserve.
| 15 | | (b) After consultation with the Advisory Board, the Agency | 16 | | shall publish guidelines for the operation of the Illinois | 17 | | Cyber Reserve program. At a minimum, the published guidelines | 18 | | must include the following: | 19 | | (1) An explanation of the standard the Agency will use | 20 | | to determine whether an individual may serve as an Illinois | 21 | | Cyber Reserve volunteer and an explanation of the process | 22 | | by which an individual may become an Illinois Cyber Reserve | 23 | | volunteer. | 24 | | (2) An explanation of the requirements the Agency will | 25 | | impose for a client to receive the assistance of the |
| | | HB5398 | - 9 - | LRB101 16599 CPF 65983 b |
|
| 1 | | Illinois Cyber Reserve and an explanation of the process by | 2 | | which a client may request and receive the assistance of | 3 | | the Illinois Cyber Reserve. | 4 | | (c) The Agency may enter into contracts with clients as a | 5 | | condition to providing assistance through the Illinois Cyber | 6 | | Reserve. | 7 | | (d) The Agency may provide appropriate training to | 8 | | individuals who wish to participate in the Illinois Cyber | 9 | | Reserve and to existing Illinois Cyber Reserve volunteers. | 10 | | (e) The Agency may provide compensation for actual and | 11 | | necessary travel and subsistence expenses incurred by Illinois | 12 | | Cyber Reserve volunteers on a deployment, at the discretion of | 13 | | the Agency. | 14 | | (f) The Agency may establish a fee schedule for clients who | 15 | | wish to use the assistance of the Illinois Cyber Reserve. The | 16 | | Agency may recoup expenses through the fees but may not | 17 | | generate a profit. | 18 | | (g) Information voluntarily given to the Illinois Cyber | 19 | | Reserve or obtained under this Act that would identify or | 20 | | provide a means of identifying a person that may, as a result | 21 | | of disclosure of the information, become a victim of a | 22 | | cybersecurity incident or that would disclose a person's | 23 | | cybersecurity plans or cybersecurity-related practices, | 24 | | procedures, methods, results, organizational information | 25 | | system infrastructure, hardware, or software is exempt from | 26 | | disclosure under the Freedom of Information Act. |
| | | HB5398 | - 10 - | LRB101 16599 CPF 65983 b |
|
| 1 | | (h) The Agency shall adopt any rules necessary for the | 2 | | implementation and administration of this Act.
|
|