Full Text of HB5483 103rd General Assembly

HB5483 103RD GENERAL ASSEMBLY
State of Illinois
2023 and 2024
HB5483
Introduced 2/9/2024, by Rep. Edgar Gonzalez, Jr.

SYNOPSIS AS INTRODUCED:
30 ILCS 5/3-2.4
30 ILCS 5/3-4 (from Ch. 15, par. 303-4)
30 ILCS 5/3-14 (from Ch. 15, par. 303-14)
30 ILCS 5/3-15 (from Ch. 15, par. 303-15)
30 ILCS 5/6-1 (from Ch. 15, par. 306-1)

Amends the Illinois State Auditing Act. Provides that in order to protect and preserve the integrity, security, and confidentiality of the network, infrastructure, and data of a State agency, any findings resulting from the testing conducted under the provisions shall be included within the applicable State agency's compliance examination report and made available only to the applicable State agency under review. Provides that in order to protect and preserve the integrity, security, and confidentiality of the network, infrastructure, and data of a State agency, any investigations, findings, and recommendations pertaining to State agencies and their information technology controls, privacy programs and practices, and cybersecurity programs and practices, must be redacted and withheld from public disclosure. Restricts the Auditor General from disclosing the contents of the specific findings or recommendations except as permitted. Provides that all audit reports shall be maintained in the Office of the Auditor General as a public record. Establishes that where records or information are required to be disclosed, the Office of the Auditor General shall collect, maintain, and store, all records or information classified as confidential, legally protected, or maintaining an equivalent or greater privacy designation, under the same or greater privacy and security requirements to which such records or information were disclosed by the State agency to the Office of the Auditor General. Effective immediately.

A BILL FOR

HB5483 LRB103 37636 MXP 67763 b

AN ACT concerning transportation.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 5. The Illinois State Auditing Act is amended by changing Sections 3-2.4, 3-4, 3-14, 3-15, and 6-1 as follows:

(30 ILCS 5/3-2.4)
Sec. 3-2.4. Cybersecurity audit.

(a) In conjunction with its annual compliance examination program, the Auditor General shall review State agencies and their cybersecurity programs and practices, with a particular focus on agencies holding large volumes of personal information.

(b) The review required under this Section shall, at a minimum, assess the following:
(1) the effectiveness of State agency cybersecurity practices;
(2) the risks or vulnerabilities of the cybersecurity systems used by State agencies;
(3) the types of information that are most susceptible to attack;
(4) ways to improve cybersecurity and eliminate vulnerabilities to State cybersecurity systems; and
(5) any other information concerning the cybersecurity
of State agencies that the Auditor General deems necessary and proper.

(c) In order to protect and preserve the integrity, security, and confidentiality of the network, infrastructure, and data of a State agency, any Any findings resulting from the testing conducted under this Section shall be included within the applicable State agency's compliance examination report and made available only to the applicable State agency under review. Each compliance examination report shall be issued in accordance with the provisions of Section 3-14. A copy of the report shall also be delivered to the head of the applicable State agency and posted on the Auditor General's website.
(Source: P.A. 100-914, eff. 1-1-19.)

(30 ILCS 5/3-4) (from Ch. 15, par. 303-4)
Sec. 3-4. Investigations.

The Auditor General shall make such investigations as are directed by either house of the General Assembly or by the Commission in a resolution specifying the acts, transactions or practices to be the subject of the investigation.

The resolution directing such an investigation may specify to whom the Auditor General shall make his findings and recommendations after the investigation and whether those findings and recommendations are to be made public.

Unless the resolution directing the investigation provides otherwise, the Auditor General shall direct and provide his
findings and recommendations to the Commission, to the Governor, to the official in charge of each agency included in the investigation and to each person who was named individually as a subject of investigation by the directing resolution, except as restricted hereunder. No other publicity shall be given to the report and recommendations other than is provided by this paragraph.

The Auditor General may recommend to the Commission that an investigation be directed with regard to any matter which he believes to be in the public interest to investigate.

In order to protect and preserve the integrity, security, and confidentiality of the network, infrastructure, and data of a State agency, any investigations, findings, and recommendations pertaining to State agencies and their information technology controls, privacy programs and practices, and cybersecurity programs and practices, must be redacted and withheld from public disclosure.

Investigations, findings, and recommendations under this Section, pertaining to State agencies and their information technology controls, privacy programs and practices, and cybersecurity programs and practices, shall be made available only to the applicable State agency under review, shall be delivered to the official in charge of the agency included within the investigation, and shall be delivered to each person who was named individually as a subject of the investigation by the directing resolution.
When investigations are directed under this Section, and pertain to State agencies and their information technology controls, privacy programs and practices, and cybersecurity programs and practices, the Auditor General shall direct and provide the numerical number of findings and affirmatively state whether recommendations were made, to those specified by the resolution directing such an investigation and all others required by this Section. At no time may the Auditor General disclose the contents of the specific findings or recommendations except as permitted hereunder.
(Source: P.A. 78-884.)

(30 ILCS 5/3-14) (from Ch. 15, par. 303-14)
Sec. 3-14. Audit reports. Upon completion of any audit the Auditor General shall issue an audit report which shall include: a precise statement of the scope of the audit or review, a statement of the material findings resulting from the audit, a statement of the underlying cause, evaluative criteria used and the current and prospective significance thereof and a statement of explanation or rebuttal which may have been submitted by the agency audited relevant to the audit findings included in the report.

As part of this report the Auditor General shall prepare a signed digest of the legislatively significant matters of the report and, as may be applicable, a concise statement of (1) any actions taken or contemplated by persons or agencies
subsequent to the completion of the audit but prior to the release of the report, which bear on matters in the report, (2) any actions the Auditor General considers necessary or desirable, and (3) any other information the Auditor General deems useful to the General Assembly in order to understand or act on any matters presented in the audit.

The Auditor General shall submit a copy of each audit report to the Commission, the Governor, the Speaker and minority leader of the House of Representatives and the President and minority leader of the Senate.

All audit reports shall be maintained in the Office of the Auditor General as a public record, subject to Section 3-11.

In order to protect and preserve the integrity, security, and confidentiality of the network, infrastructure, and data of a State agency, all audit reports containing findings and recommendations pertaining to State agencies and their information technology controls, privacy programs and practices, and cybersecurity programs and practices, must be redacted and withheld from public disclosure. The unredacted findings and recommendations pertaining to State agencies and their cybersecurity programs and practices shall be made available only to the applicable State agency under review; provided however, a State agency may disclose findings and recommendations to a duly authorized third-party who is providing services or otherwise assisting the State agency subject to the findings and recommendations with its
cybersecurity plan and operations.

All audit reports shall be maintained in the Office of the Auditor General as a public record, subject to Section 3-11.

If the post audit of a State agency discloses an apparent violation of a penal statute or an apparent instance of misfeasance, malfeasance or nonfeasance, by any person, relating to the obligation, expenditure, receipt or use of public funds of the State, the Auditor General shall immediately make a written report to the Commission and the Governor stating that to be the case and setting forth the underlying facts that have led to that conclusion.
(Source: P.A. 82-368.)

(30 ILCS 5/3-15) (from Ch. 15, par. 303-15)
Sec. 3-15. Reports of Auditor General. By March 1, each year, the Auditor General shall submit to the Commission, the General Assembly and the Governor an annual report summarizing all audits, investigations and special studies made under this Act during the last preceding calendar year.

As it relates to information technology controls, privacy programs and practices, and cybersecurity findings and recommendations, in order to protect and preserve the integrity, security, and confidentiality of the network, infrastructure, and data of a State agency, reports under this Section may only contain the numerical number of information technology controls, privacy programs and practices, and
cybersecurity findings and affirmatively state whether recommendations were made. At no time may the Auditor General disclose the contents of the specific findings or recommendations except as permitted hereunder.

Once each 3 months, the Auditor General shall submit to the Commission a quarterly report concerning the operation of his office, including relevant fiscal and personnel matters, details of any contractual services utilized during that period, a summary of audits and studies still in process and such other information as the Commission requires.

The Auditor General shall prepare and distribute such other reports as may be required by the Commission.

All post audits directed by resolution of the House or Senate shall be reported to the members of the General Assembly, unless the directing resolution specifies otherwise.

The requirement for reporting to the General Assembly shall be satisfied by filing copies of the report as required by Section 3.1 of the General Assembly Organization Act, and filing such additional copies with the State Government Report Distribution Center for the General Assembly as is required under paragraph (t) of Section 7 of the State Library Act.
(Source: P.A. 100-1148, eff. 12-10-18.)

(30 ILCS 5/6-1) (from Ch. 15, par. 306-1)
Sec. 6-1. Effect on other laws. The powers and duties of the Auditor General under this Act and the system of audits
established by this Act are in addition to any other powers, duties or audits required or authorized by law.

Where records or information are classified as confidential, legally protected, or records or information with maintain an equivalent or greater privacy designation, by or pursuant to law, such records or information shall be disclosed to the Office of the Auditor General as necessary and to the extent required for the performance of an authorized post audit. Federal tax information shall only be provided in accordance with federal law and regulation applicable to the safeguarding of federal tax information.

Where records or information are required to be disclosed, the Office of the Auditor General shall collect, maintain, and store, all records or information classified as confidential, legally protected, or with maintaining an equivalent or greater privacy designation, under the same or greater privacy and security requirements to which such records or information were disclosed by the State agency to the Office of the Auditor General.

Confidential records or information disclosed to the Office of the Auditor General shall be subject to the same legal, confidentiality, legal confidentiality and protective restrictions in the Office of the Auditor General as such records and information have in the hands of the official authorized custodian. Any penalties applicable to the officially authorized custodian or his employees for the
violation of any confidentiality or protective restrictions applicable to such records or information shall also apply to the officers, employees, contractors, and agents of the Office of the Auditor General.

The Office of the Auditor General may not publish any confidential legally protected, or records or information with an equivalent or greater privacy designation, information or records in any report, including data and statistics, if such information as published is directly or indirectly matchable to any individual.

The Office of the Auditor General may not publish any records or information in any report, generated by, through, in conjunction with, or on behalf of the Office of the Auditor General, which includes any of the following data disclosed by a State agency: Cybersecurity assessments, cybersecurity measures, and cybersecurity response policies or plans and the like, that are designed to identify, prevent, or respond to potential cyberattacks upon a public body or agency's personnel or systems, facilities, or installations, the destruction or exploitation of which would constitute a clear and present danger to the health, safety or security of the public body or agency. For the purposes of this Section, records and information detailing the mobilization and deployment of personnel, vendors, teams, or equipment in preparation or response to a cybersecurity policy or plan and the like, the cybersecurity or privacy product and solutions
names or configurations and the like, the operation of communication systems or protocols and the like, or other cybersecurity operations and the like, may not be published.

Inside the Office of the Auditor General, confidential legally protected, or records or information with an equivalent or greater privacy designation, records or information may be used only for official purposes.

Any officer, employee, contractor, or agent of the Office of the Auditor General who violates any legal confidentiality or protective restriction, or privacy and security requirement, governing any records or information shall be guilty of a Class A misdemeanor unless a greater penalty is otherwise provided by law.

Where this Act expressly governs or grants authority for regulations to govern other auditing procedures, this Act supersedes all other statutes to the contrary. To the extent that this Act conflicts with another statute, this Act prevails.

Except as provided in this Section, this Act does not supersede or repeal by implication any other statute.
(Source: P.A. 102-61, eff. 7-9-21.)

Section 99. Effective date. This Act takes effect upon becoming law.