State of Illinois
90th General Assembly
Legislation


90_HB3180eng

      New Act
      5 ILCS 70/1.15            from Ch. 1, par. 1016
      5 ILCS 140/7              from Ch. 116, par. 207
      15 ILCS 405/14.01 rep.
      720 ILCS 5/17-3           from Ch. 38, par. 17-3
          Creates the Electronic Commerce Security Act.  Authorizes
      the use of digital signatures and other forms  of  electronic
      signatures  in  a  manner designed to provide legal certainty
      necessary  to  effect  transactions  over  public  electronic
      networks.   Provides that electronic records can satisfy  the
      legal requirement that information must be in writing.   Sets
      forth  requirements for use of electronic signatures by State
      agencies.  Grants rule-making authority to the  Secretary  of
      State  regarding use by State agencies.  Establishes criminal
      penalties and civil remedies for violations.  Amends  certain
      Acts  to make changes accommodating the Act.   Effective July
      1, 1999.
                                                     LRB9009236JSmg
HB3180 Engrossed                               LRB9009236JSmg
 1        AN ACT relating to electronic commerce security, amending
 2    named Acts.
 3        Be it enacted by the People of  the  State  of  Illinois,
 4    represented in the General Assembly:
 5                  ARTICLE 1.  SHORT TITLE; PURPOSE
 6        Section 1-101. Short title.  This Act may be cited as the
 7    Electronic Commerce Security Act.
 8        Section 1-105. Purposes and construction.  This Act shall
 9    be   construed   consistently   with   what  is  commercially
10    reasonable under the  circumstances  and  to  effectuate  the
11    following purposes:
12        (1)  To  facilitate electronic communications by means of
13    reliable electronic records.
14        (2)  To facilitate and promote  electronic  commerce,  by
15    eliminating   barriers   resulting  from  uncertainties  over
16    writing  and  signature  requirements,  and   promoting   the
17    development   of   the   legal  and  business  infrastructure
18    necessary to implement secure electronic commerce.
19        (3)  To facilitate electronic filing  of  documents  with
20    State  and  local  government agencies, and promote efficient
21    delivery  of  government  services  by  means   of   reliable
22    electronic records.
23        (4)  To  minimize  the  incidence  of  forged  electronic
24    records, intentional and unintentional alteration of records,
25    and fraud in electronic commerce.
26        (5)  To   help  to  establish  uniformity  of  rules  and
27    standards  regarding  the  authentication  and  integrity  of
28    electronic records.
29        (6)  To promote public confidence in  the  integrity  and
30    reliability of electronic records and electronic commerce.
 1        Section 1-110. Variation by agreement. As between parties
 2    involved  in  generating,  sending,  receiving,  storing,  or
 3    otherwise processing electronic records, the applicability of
 4    provisions  of  this  Act  may  be waived by agreement of the
 5    parties,  except  for  the  provisions  of  Sections  10-140,
 6    15-210, 15-215, 15-220, and subsection (b) of Section  10-130
 7    of this Act.
 8       ARTICLE 5.  ELECTRONIC RECORDS AND SIGNATURES GENERALLY
 9        Section 5-105. Definitions.
10        "Asymmetric  cryptosystem"  means a computer-based system
11    capable of generating and using a key pair  consisting  of  a
12    private key for creating a digital signature and a public key
13    to verify the digital signature.
14        "Certificate"  means  a  record  that  at  a minimum: (a)
15    identifies the certification authority issuing it; (b)  names
16    or  otherwise  identifies  its  subscriber  or  a  device  or
17    electronic  agent  under  the  control of the subscriber; (c)
18    contains a public key that corresponds to a private key under
19    the control of the subscriber;  (d) specifies its operational
20    period; and (e) is  digitally  signed  by  the  certification
21    authority issuing it.
22        "Certification  authority"  means a person who authorizes
23    and causes the issuance of a certificate.
24        "Certification  practice  statement"   is   a   statement
25    published  by  a  certification  authority that specifies the
26    policies  or  practices  that  the  certification   authority
27    employs   in  issuing,  managing,  suspending,  and  revoking
28    certificates and providing access to them.
29        "Correspond", with reference to keys, means to belong  to
30    the same key pair.
31        "Digital  signature" means a type of electronic signature
32    created by transforming an electronic record using a  message
 1    digest  function  and encrypting the resulting transformation
 2    with an asymmetric cryptosystem using  the  signer's  private
 3    key  such  that  any  person having the initial untransformed
 4    electronic record,  the  encrypted  transformation,  and  the
 5    signer's  corresponding  public  key can accurately determine
 6    whether the transformation was created using the private  key
 7    that  corresponds  to the signer's public key and whether the
 8    initial  electronic  record  has  been  altered   since   the
 9    transformation  was  made.  A digital signature is a security
10    procedure.
11        "Electronic"  includes  electrical,  digital,   magnetic,
12    optical,  electromagnetic,  or  any  other form of technology
13    that entails capabilities similar to these technologies.
14        "Electronic   record"   means   a    record    generated,
15    communicated, received, or stored by electronic means for use
16    in  an  information  system  or  for  transmission  from  one
17    information system to another.
18        "Electronic  signature"  means  a signature in electronic
19    form attached to or logically associated with  an  electronic
20    record.
21        "Information"  includes data, text, images, sound, codes,
22    computer programs, software, databases, and the like.
23        "Key  pair"  means,  in  an  asymmetric  cryptosystem,  2
24    mathematically related keys, referred to as a private key and
25    a public key, having the properties that  (i)  one  key  (the
26    private  key)  can  encrypt a message that only the other key
27    (the public key) can decrypt, and (ii) even knowing  one  key
28    (the   public  key),  it  is  computationally  unfeasible  to
29    discover  the other key (the private key).
30        "Message digest function" means an algorithm that maps or
31    translates the sequence  of  bits  comprising  an  electronic
32    record  into  another,  generally  smaller,  set of bits (the
33    message digest) without  requiring  the  use  of  any  secret
34    information  such  as  a  key, such that an electronic record
 1    yields the same message digest every time  the  algorithm  is
 2    executed using such record as input and it is computationally
 3    unfeasible  that  any  2  electronic  records can be found or
 4    deliberately generated that would produce  the  same  message
 5    digest using the algorithm unless the 2 records are precisely
 6    identical.
 7        "Operational  period of a certificate" begins on the date
 8    and  time  the  certificate  is  issued  by  a  certification
 9    authority (or on a later date and time certain if  stated  in
10    the  certificate) and ends on the date and time it expires as
11    noted in the certificate or is earlier revoked, but does  not
12    include any period during which a certificate is suspended.
13        "Person"   means  an  individual,  corporation,  business
14    trust,  estate,  trust,  partnership,  limited   partnership,
15    limited  liability  partnership,  limited  liability company,
16    association,   joint   venture,   government,    governmental
17    subdivision,  agency,  or instrumentality, or any other legal
18    or commercial entity.
19        "Private key" means the key of a key pair used to  create
20    a digital signature.
21        "Public key" means the key of a key pair used to verify a
22    digital signature.
23        "Record"  means information that is inscribed, stored, or
24    otherwise fixed on a tangible medium or that is stored in  an
25    electronic or other medium and is retrievable in  perceivable
26    form.
27        "Repository"  means  a  system for storing and retrieving
28    certificates or other information relevant  to  certificates,
29    including   information   relating   to   the   status  of  a
30    certificate.
31        "Revoke a  certificate"  means  to  permanently  end  the
32    operational  period  of  a  certificate from a specified time
33    forward.
34        "Rule of law" means any statute,  ordinance,  common  law
 1    rule,   court   decision,  or  other  rule  of  law  enacted,
 2    established or promulgated by the State of Illinois,  or  any
 3    agency,  commission,  department,  court,  other authority or
 4    political subdivision of the State of Illinois.
 5        "Security procedure" means  a  methodology  or  procedure
 6    used  for  the  purpose  of  (1) verifying that an electronic
 7    record is that of a specific person and (2)  detecting  error
 8    or alteration in the communication, content, or storage of an
 9    electronic  record since a specific point in time. A security
10    procedure  may  require  the  use  of  algorithms  or  codes,
11    identifying words or  numbers,  encryption,  answer  back  or
12    acknowledgment procedures, or similar security devices.
13        "Signature  device"  means  unique  information,  such as
14    codes, algorithms, letters, numbers, private keys,  or  PINs,
15    or  a  uniquely configured physical device, that is required,
16    alone or in conjunction with other information or devices, in
17    order to create an electronic  signature  attributable  to  a
18    specific person.
19        "Signed"  or  "signature" includes any symbol executed or
20    adopted, or any security procedure employed or adopted, using
21    electronic means or otherwise, by or on behalf  of  a  person
22    with intent to authenticate a record.
23        "State  agency"  means and includes all officers, boards,
24    commissions, courts, and agencies  created  by  the  Illinois
25    Constitution,   whether  in  the  executive,  legislative  or
26    judicial   branch,   all   officers,   departments,   boards,
27    commissions,     agencies,     institutions,     authorities,
28    universities, bodies politic and corporate of the State;  and
29    administrative  units  or  corporate  outgrowths of the State
30    government which are created by or pursuant to statute, other
31    than units of local government  and  their  officers,  school
32    districts   and   boards   of   election  commissioners;  all
33    administrative units and corporate outgrowths  of  the  above
34    and as may be created by executive order of the Governor.
 1        "Subscriber"  means  a person who is the subject named or
 2    otherwise identified in a certificate, who controls a private
 3    key that  corresponds  to  the  public  key  listed  in  that
 4    certificate,  and  who is the person to whom digitally signed
 5    messages verified by reference to such certificate are to  be
 6    attributed.
 7        "Suspend  a certificate" means to temporarily suspend the
 8    operational period of a  certificate  for  a  specified  time
 9    period or from a specified time forward.
10        "Trustworthy  manner"  means  through the use of computer
11    hardware, software, and procedures that, in  the  context  in
12    which  they  are  used:  (a)  can  be  shown to be reasonably
13    resistant to penetration, compromise, and misuse; (b) provide
14    a reasonable level of reliability and correct operation;  (c)
15    are  reasonably suited to performing their intended functions
16    or  serving  their  intended  purposes;   (d)   comply   with
17    applicable  agreements  between  the parties, if any; and (e)
18    adhere to generally accepted security procedures.
19        "Valid  certificate"   means   a   certificate   that   a
20    certification  authority  has  issued and that the subscriber
21    listed in the certificate has accepted.
22        "Verify a digital signature" means to use the public  key
23    listed  in  a  valid  certificate, along with the appropriate
24    message  digest  function  and  asymmetric  cryptosystem,  to
25    evaluate a digitally signed electronic record, such that  the
26    result  of  the  process concludes that the digital signature
27    was created using the private key corresponding to the public
28    key listed in the certificate and the electronic  record  has
29    not been altered since its digital signature was created.
30        Section 5-110.  Legal recognition.  Information, records,
31    and signatures shall not be denied legal effect, validity, or
32    enforceability  solely  on  the  grounds  that  they  are  in
33    electronic form.
 1        Section 5-115.  Electronic records.
 2        (a)  Where  a  rule  of  law  requires  information to be
 3    "written"  or  "in  writing",   or   provides   for   certain
 4    consequences  if  it  is  not, an electronic record satisfies
 5    that rule of law.
 6        (b)  The provisions of this Section shall not apply:
 7             (1)  when   its   application   would   involve    a
 8        construction   of   a   rule   of  law  that  is  clearly
 9        inconsistent with the manifest intent  of  the  lawmaking
10        body or repugnant to the context of the same rule of law,
11        provided  that  the  mere requirement that information be
12        "in writing", "written", or "printed" shall not by itself
13        be sufficient to establish such intent;
14             (2)  to any rule of law governing  the  creation  or
15        execution  of a will or trust, living will, or healthcare
16        power of attorney; and
17             (3)  to any record  that  serves  as  a  unique  and
18        transferable   instrument   of   rights  and  obligations
19        including, without limitation, negotiable instruments and
20        other instruments of  title  wherein  possession  of  the
21        instrument   is   deemed   to  confer  title,  unless  an
22        electronic version of such record is created, stored, and
23        transferred in a manner that allows for the existence  of
24        only  one  unique, identifiable, and unalterable original
25        with the functional attributes of an equivalent  physical
26        instrument, that can be possessed by only one person, and
27        which  cannot  be copied except in a form that is readily
28        identifiable as a copy.
29        Section 5-120.  Electronic signatures.
30        (a)  Where  a  rule  of  law  requires  a  signature,  or
31    provides for  certain  consequences  if  a  document  is  not
32    signed, an electronic signature satisfies that rule of law.
33        (b)  An electronic signature may be proved in any manner,
 1    including  by  showing  that  a  procedure existed by which a
 2    party must of necessity have executed a  symbol  or  security
 3    procedure  for  the  purpose  of verifying that an electronic
 4    record is that of such party in order to proceed further with
 5    a transaction.
 6        (c)  The provisions of this Section shall not apply:
 7             (1)  when   its   application   would   involve    a
 8        construction   of   a   rule   of  law  that  is  clearly
 9        inconsistent with the manifest intent  of  the  lawmaking
10        body or repugnant to the context of the same rule of law,
11        provided  that  the  mere requirement of a "signature" or
12        that  a  record  be  "signed"  shall  not  by  itself  be
13        sufficient to establish such intent;
14             (2)  to any rule of law governing  the  creation  or
15        execution  of a will or trust, living will, or healthcare
16        power of attorney; and
17             (3)  to any record  that  serves  as  a  unique  and
18        transferable   instrument   of   rights  and  obligations
19        including, without limitation, negotiable instruments and
20        other instruments of  title  wherein  possession  of  the
21        instrument   is   deemed   to  confer  title,  unless  an
22        electronic version of such record is created, stored, and
23        transferred in a manner that allows for the existence  of
24        only  one  unique, identifiable, and unalterable original
25        with the functional attributes of an equivalent  physical
26        instrument, that can be possessed by only one person, and
27        which  cannot  be copied except in a form that is readily
28        identifiable as a copy.
29        Section 5-125.  Original.
30        (a)  Where a rule  of  law  requires  information  to  be
31    presented  or  retained  in  its  original  form, or provides
32    consequences for  the  information  not  being  presented  or
33    retained  in its original form, that rule of law is satisfied
 1    by an electronic record if there exists reliable assurance as
 2    to the integrity of the information from the time when it was
 3    first generated in its final form, as an electronic record or
 4    otherwise.
 5        (b)  The  criteria  for  assessing  integrity  shall   be
 6    whether  the information has remained complete and unaltered,
 7    apart  from  the  addition  of  any  endorsement   or   other
 8    information   that   arises   in   the   normal   course   of
 9    communication,   storage   and   display.   The  standard  of
10    reliability required shall be assessed in the  light  of  the
11    purpose  for  which  the information was generated and in the
12    light of all the relevant circumstances.
13        (c)  The provisions of this Section do not apply  to  any
14    record that serves as a unique and transferable instrument of
15    rights   and   obligations   including,  without  limitation,
16    negotiable instruments and other instruments of title wherein
17    possession of the  instrument  is  deemed  to  confer  title,
18    unless  an  electronic  version  of  such  record is created,
19    stored, and transferred in  a  manner  that  allows  for  the
20    existence  of  only one unique, identifiable, and unalterable
21    original with the  functional  attributes  of  an  equivalent
22    physical  instrument,  that  can  be  possessed  by  only one
23    person, and which cannot be copied except in a form  that  is
24    readily identifiable as a copy.
25        Section 5-130.  Admissibility into evidence.
26        (a)  In  any legal proceeding, nothing in the application
27    of the rules of evidence  shall  apply  so  as  to  deny  the
28    admissibility of an electronic record or electronic signature
29    into evidence:
30             (1)  on  the  sole  ground  that it is an electronic
31        record or electronic signature; or
32             (2)  on the grounds that it is not in  its  original
33        form or is not an original.
 1        (b)  Information  in  the  form  of  an electronic record
 2    shall be given due evidentiary weight by the trier  of  fact.
 3    In assessing the evidential weight of an electronic record or
 4    electronic  signature where its authenticity is in issue, the
 5    trier of fact  may  consider  the  manner  in  which  it  was
 6    generated,  stored  or  communicated,  the reliability of the
 7    manner in which its integrity was maintained, the  manner  in
 8    which  its originator was identified or the electronic record
 9    was  signed,  and   any   other   relevant   information   or
10    circumstances.
11        Section 5-135.  Retention of electronic records.
12        (a)  Where a rule of law requires that certain documents,
13    records  or  information be retained, that requirement is met
14    by retaining electronic records  of  such  information  in  a
15    trustworthy  manner,  provided  that the following conditions
16    are satisfied:
17             (1)  the  electronic  record  and  the   information
18        contained  therein  are accessible so as to be usable for
19        subsequent reference at all times when  such  information
20        must be retained;
21             (2)  the  information  is  retained in the format in
22        which it was originally generated, sent, or  received  or
23        in  a  format  that  can  be  demonstrated  to  represent
24        accurately  the information originally generated, sent or
25        received;
26             (3)  such data as enables the identification of  the
27        origin   and   destination   of   the   information,  the
28        authenticity and integrity of the  information,  and  the
29        date  and  time  when it was sent or received, if any, is
30        retained.
31        (b)  An  obligation  to  retain  documents,  records   or
32    information in accordance with subsection (a) does not extend
33    to any data the sole purpose of which is to enable the record
 1    to be sent or received.
 2        (c)  Nothing  in  this  Section  shall preclude any State
 3    agency  from  specifying  additional  requirements  for   the
 4    retention  of records that are subject to the jurisdiction of
 5    such agency.
 6        Section 5-140.  Electronic use not required.  Nothing  in
 7    this Act shall be construed to:
 8             (1)  require  any person to create, store, transmit,
 9        accept, or  otherwise  use  or  communicate  information,
10        records,   or   signatures  by  electronic  means  or  in
11        electronic form; or
12             (2)  prohibit any person engaging in  a  transaction
13        from  establishing  reasonable requirements regarding the
14        medium on which it will accept records or the method  and
15        type  of symbol or security procedure it will accept as a
16        signature.
17        Section 5-145.  Applicability of other statutes or rules.
18    Notwithstanding any provisions of  this  Act,  if  any  other
19    statute  or rule requires approval by a State agency prior to
20    the use or retention of electronic  records  or  the  use  of
21    electronic  signatures,  the provisions of that other statute
22    or rule shall also apply.
23        ARTICLE 10.  SECURE ELECTRONIC RECORDS AND SIGNATURES
24        Section 10-105. Secure electronic record.
25        (a)  If,  through  the  use  of  a   qualified   security
26    procedure,  it  can be verified that an electronic record has
27    not been altered since a specified point in time,  then  such
28    electronic   record  shall  be  considered  to  be  a  secure
29    electronic record from such specified point in  time  to  the
30    time  of  verification, if the relying party establishes that
 1    the qualified security procedure was:
 2             (1)  commercially     reasonable      under      the
 3        circumstances;
 4             (2)  applied  by  the relying party in a trustworthy
 5        manner; and
 6             (3)  reasonably and in good faith relied upon by the
 7        relying party.
 8        (b)  A qualified security procedure for purposes of  this
 9    Section  is  a  security  procedure  to detect changes in the
10    content of an electronic record that is:
11             (1)  previously agreed to by the parties; or
12             (2)  certified  by  the  Secretary   of   State   in
13        accordance  with  Section  10-135  as  being  capable  of
14        providing reliable evidence that an electronic record has
15        not been altered.
16        Section 10-110.  Secure electronic signature.
17        (a)  If,   through   the  use  of  a  qualified  security
18    procedure, it can be verified that an electronic signature is
19    the signature of a  specific  person,  then  such  electronic
20    signature  shall  be  considered  to  be  a secure electronic
21    signature at the time of verification, if the  relying  party
22    establishes that the qualified security procedure was:
23             (1)  commercially      reasonable      under     the
24        circumstances;
25             (2)  applied by the relying party in  a  trustworthy
26        manner; and
27             (3)  reasonably and in good faith relied upon by the
28        relying party.
29        (b)  A  qualified security procedure for purposes of this
30    Section is a security procedure for identifying a person that
31    is:
32             (1)  previously agreed to by the parties; or
33             (2)  certified  by  the  Secretary   of   State   in
 1        accordance  with  Section  10-135  as  being  capable  of
 2        creating,   in   a   trustworthy  manner,  an  electronic
 3        signature that:
 4                  (A)  is unique to the signer within the context
 5             in which it is used;
 6                  (B)  can be used to  objectively  identify  the
 7             person signing the electronic record;
 8                  (C)  was  reliably  created  by such identified
 9             person, (e.g., because some aspect of the  procedure
10             involves  the  use  of  a  signature device or other
11             means or method that is under the  sole  control  of
12             such  person), and that cannot be readily duplicated
13             or compromised; and
14                  (D)  is  created,  and   is   linked   to   the
15             electronic  record  to which it relates, in a manner
16             such  that  if  the  record  or  the  signature   is
17             intentionally   or   unintentionally  changed  after
18             signing the electronic signature is invalidated.
19        Section 10-115. Commercially reasonable; reliance.
20        (a)  The  commercial   reasonableness   of   a   security
21    procedure  is  to  be determined by the court in light of the
22    purposes of the procedure and the commercial circumstances at
23    the time the procedure was used, including the nature of  the
24    transaction, sophistication of the parties, volume of similar
25    transactions  engaged  in  by  either or both of the parties,
26    availability of  alternatives  offered  to  but  rejected  by
27    either  of  the  parties, cost of alternative procedures, and
28    procedures in general use for similar types of transactions.
29        (b)  Whether  reliance  on  a  security   procedure   was
30    reasonable  and in good faith is to be determined in light of
31    all the circumstances known to the relying party at the  time
32    of the reliance, having due regard to the:
33             (1)  information  that  the  relying  party  knew or
 1        should have known of at the time of reliance  that  would
 2        suggest that reliance was or was not reasonable;
 3             (2)  the  value  or  importance  of  the  electronic
 4        record, if known;
 5             (3)  any course of dealing between the relying party
 6        and  the  purported  sender  and the available indicia of
 7        reliability or  unreliability  apart  from  the  security
 8        procedure;
 9             (4)  any   usage   of   trade,   particularly  trade
10        conducted by trustworthy systems or other  computer-based
11        means; and
12             (5)  whether the verification was performed with the
13        assistance of an independent third party.
14        Section 10-120. Presumptions.
15        (a)  In  resolving  a  civil  dispute  involving a secure
16    electronic record, it shall be rebuttably presumed  that  the
17    electronic  record  has  not  been altered since the specific
18    point in time to which the secure status relates.
19        (b)  In resolving a  civil  dispute  involving  a  secure
20    electronic  signature,  it  shall be rebuttably presumed that
21    the secure electronic  signature  is  the  signature  of  the
22    person to whom it correlates.
23        (c)  The  effect of presumptions provided in this Section
24    is to place on the  party  challenging  the  integrity  of  a
25    secure  electronic record or challenging the genuineness of a
26    secure electronic signature both the burden of going  forward
27    with  evidence  to  rebut  the  presumption and the burden of
28    persuading the trier of fact that  the  nonexistence  of  the
29    presumed fact is more probable than its existence.
30        (d)  In  the  absence  of a secure electronic record or a
31    secure electronic signature, nothing in this Act shall change
32    existing rules regarding legal or evidentiary rules regarding
33    the burden of proving the authenticity and  integrity  of  an
 1    electronic record or an electronic signature.
 2        Section   10-125.  Creation   and  control  of  signature
 3    devices. Except as otherwise provided by  another  applicable
 4    rule  of law, whenever the creation, validity, or reliability
 5    of an electronic signature created by  a  qualified  security
 6    procedure  under  Section  10-105 or 10-110 is dependent upon
 7    the secrecy or control of a signature device of the signer:
 8        (1)  the person  generating  or  creating  the  signature
 9    device must do so in a trustworthy manner;
10        (2)  the  signer  and  all  other persons that rightfully
11    have access to such signature device must exercise reasonable
12    care to retain  control  and  maintain  the  secrecy  of  the
13    signature  device,  and  to  protect it from any unauthorized
14    access, disclosure, or use, during the period  when  reliance
15    on a signature created by such device is reasonable;
16        (3)  in  the  event  that the signer, or any other person
17    that rightfully has access to such signature device, knows or
18    has reason to know that the secrecy or control  of  any  such
19    signature  device has been compromised, such person must make
20    a reasonable effort to promptly notify all persons that  such
21    person knows might foreseeably be damaged as a result of such
22    compromise,  or where an appropriate publication mechanism is
23    available,  to  publish  notice  of  the  compromise  and   a
24    disavowal of any signatures created thereafter.
25        Section 10-130.  Attribution of signature.
26        (a)  Except  as  provided  by  another applicable rule of
27    law, a secure electronic signature  is  attributable  to  the
28    person to whom it correlates, whether or not authorized, if:
29             (1)  the  electronic signature resulted from acts of
30        a person that obtained  the  signature  device  or  other
31        information  necessary  to  create  the  signature from a
32        source under the control of the alleged signer,  creating
 1        the appearance that it came from that party;
 2             (2)  the  access or use occurred under circumstances
 3        constituting a failure to exercise reasonable care by the
 4        alleged signer; and
 5             (3)  the relying party relied reasonably and in good
 6        faith to its detriment on  the  apparent  source  of  the
 7        electronic record.
 8        (b)  The  provisions  of  this Section shall not apply to
 9    transactions intended  primarily  for  personal,  family,  or
10    household  use, or otherwise defined as consumer transactions
11    by applicable law including, but not limited to, credit  card
12    and  automated  teller  machine  transactions  except  to the
13    extent allowed by applicable consumer law.
14        Section 10-135. Secretary of State authority  to  certify
15    security procedures.
16        (a)  A   security  procedure  may  be  certified  by  the
17    Secretary of State, as a  qualified  security  procedure  for
18    purposes   of   Sections   10-105  or  10-110,  following  an
19    appropriate investigation or review, if:
20             (1)  the   security   procedure    (including    any
21        technology  and algorithms it employs) is completely open
22        and fully disclosed to the public, and has been so for  a
23        sufficient   length  of  time,  so  as  to  facilitate  a
24        comprehensive review and evaluation  of  its  suitability
25        for  the  intended  purpose by the applicable information
26        security or scientific community; and
27             (2)    the   security   procedure   (including   any
28        technology  and algorithms it employs) has been generally
29        accepted  in  the  applicable  information  security   or
30        scientific  community  as being capable of satisfying the
31        requirements of Section 10-105 or 10-110, as  applicable,
32        in a trustworthy manner.
33        (b)  In  making  a  determination  regarding  whether the
 1    security procedure (including any technology  and  algorithms
 2    it  employs)  has  been  generally accepted in the applicable
 3    information security or scientific community,  the  Secretary
 4    of State shall consider the opinion of independent experts in
 5    the  applicable  field  and  the  published  findings of such
 6    community, including applicable standards organizations  such
 7    as   the   American   National  Standards  Institute  (ANSI),
 8    International  Standards  Organization  (ISO),  International
 9    Telecommunications Union (ITU), and the National Institute of
10    Standards and Technology (NIST).
11        (c)  Such  certification  shall  be  done   through   the
12    adoption  of  rules  in accordance with the provisions of the
13    Illinois Administrative Procedure Act  and  shall  specify  a
14    full  and  complete identification of the security procedure,
15    including requirements as to how it is to be implemented,  if
16    appropriate.
17        (d)  The Secretary of State may also decertify a security
18    procedure  as  a qualified security procedure for purposes of
19    Sections  10-105   or   10-110   following   an   appropriate
20    investigation   or  review  and  the  adoption  of  rules  in
21    accordance with the provisions of the Illinois Administrative
22    Procedure Act if subsequent developments establish  that  the
23    security  procedure  is no longer sufficiently trustworthy or
24    reliable for its intended purpose, or for any other reason no
25    longer meets the requirements for certification.
26        (e)  The  Secretary  of  State   shall   have   exclusive
27    authority to certify security procedures under this Section.
28        Section 10-140.  Unauthorized use of signature device.
29        (a)  No  person  shall knowingly or intentionally access,
30    copy, or otherwise  obtain  possession  of  or  recreate  the
31    signature  device of another person without authorization for
32    the purpose of  creating,  or  allowing  or  causing  another
33    person  to create, an unauthorized electronic signature using
 1    such signature device. A person convicted of a  violation  of
 2    this subsection shall be guilty of a Class A misdemeanor.
 3        (b)  No  person  shall  knowingly alter, disclose, or use
 4    the signature device of another person without authorization,
 5    or in excess of lawful  authorization,  for  the  purpose  of
 6    creating, or allowing or causing another person to create, an
 7    unauthorized   electronic   signature  using  such  signature
 8    device. A person convicted of a violation of this  subsection
 9    shall  be guilty of a Class 4 felony. A person convicted of a
10    violation  of  this  subsection  who  has   previously   been
11    convicted of a violation of this subsection or Section 15-210
12    shall  be  guilty  of a Class 3 felony. A person who violates
13    this Section in furtherance of  any  scheme  or  artifice  to
14    defraud  in  excess  of  $50,000 shall be guilty of a Class 2
15    felony.
16             ARTICLE 15.  EFFECT OF A DIGITAL SIGNATURE
17        Section 15-101.  Secure  electronic  record.   A  digital
18    signature  that  is  created  using  an  asymmetric algorithm
19    certified by  the  Secretary  of  State  under  item  (2)  of
20    subsection  (b) of Section 10-105 shall be considered to be a
21    qualified  security  procedure  for  purposes  of   detecting
22    changes  in the content of an electronic record under Section
23    10-105 if  the  digital  signature  was  created  during  the
24    operational  period  of a valid certificate,  and is verified
25    by reference to the public key listed in such certificate.
26        Section 15-105.  Secure electronic signature.  A  digital
27    signature  that  is  created  using  an  asymmetric algorithm
28    certified by  the  Secretary  of  State  under  item  (2)  of
29    subsection  (b) of Section 10-110 shall be considered to be a
30    qualified security procedure for purposes  of  identifying  a
31    person under Section 10-110 if:
 1             (1)  the  digital  signature  was created during the
 2        operational period  of  a  valid  certificate,  was  used
 3        within  the  scope of any other restrictions specified or
 4        incorporated by reference in the certificate, if any, and
 5        can be verified by reference to the public key listed  in
 6        the certificate; and
 7             (2)  the   certificate   is  considered  trustworthy
 8        (i.e., an accurate binding of a public key to a  person's
 9        identity)   because  the  certificate  was  issued  by  a
10        certification authority  in  accordance  with  standards,
11        procedures,  and  other  requirements  specified  by  the
12        Secretary  of  State,  or the trier of fact independently
13        finds that the certificate was issued  in  a  trustworthy
14        manner   by   a  certification  authority  that  properly
15        authenticated the subscriber and the subscriber's  public
16        key, or otherwise finds that the material information set
17        forth in the certificate is true.
18        Section  15-115.  Secretary  of  State authority to adopt
19    rules.
20        (a)  The Secretary of State may adopt rules applicable to
21    both the public  and  private  sectors  for  the  purpose  of
22    defining   when  a  certificate  is  considered  sufficiently
23    trustworthy  under  Section  15-105  such  that   a   digital
24    signature verified by reference to such a certificate will be
25    considered  a  qualified  security  procedure  under  Section
26    10-110.  The  rules  may include (1) establishing or adopting
27    standards  applicable   to   certification   authorities   or
28    certificates,  compliance  with  which  may  be  measured  by
29    becoming  certified  by  the  Secretary  of  State,  becoming
30    accredited  by  one  or more independent accrediting entities
31    recognized by the Secretary of State, or by other appropriate
32    means and (2) where  appropriate,  establishing  fees  to  be
33    charged by the Secretary of State to recover all or a portion
 1    of its costs in connection therewith.
 2        (b)  In  developing  the  rules,  the  Secretary of State
 3    shall endeavor to  do  so  in  a  manner  that  will  provide
 4    maximum   flexibility   to   the  implementation  of  digital
 5    signature technology and the  business  models  necessary  to
 6    support   it,  that  will  provide  a  clear  basis  for  the
 7    recognition of certificates issued by  foreign  certification
 8    authorities,  and,  to  the  extent reasonably possible, that
 9    will maximize the opportunities for uniformity with the  laws
10    of  other  jurisdictions  (both  within the United States and
11    internationally).
12        (c)  The  Secretary  of  State   shall   have   exclusive
13    authority to adopt rules authorized by this Section.
14        Section  15-201.  Reliance  on  certificates foreseeable.
15    It is foreseeable that persons relying on a digital signature
16    will also rely on a valid certificate containing  the  public
17    key  by  which  the digital signature can be verified, during
18    the operational period of such  certificate  and  within  any
19    limits specified in such certificate.
20        Section    15-205.  Restrictions    on   publication   of
21    certificate.    No  person  may  publish  a  certificate,  or
22    otherwise knowingly make it available  to  anyone  likely  to
23    rely  on  the  certificate  or on a digital signature that is
24    verifiable with reference to the public  key  listed  in  the
25    certificate, if such person knows that:
26             (1)  the   certification  authority  listed  in  the
27        certificate has not issued it;
28             (2)  the subscriber listed in  the  certificate  has
29        not accepted it; or
30             (3)  the  certificate has been revoked or suspended,
31        unless such publication is for the purpose of verifying a
32        digital signature created prior  to  such  revocation  or
 1        suspension, or giving notice of revocation or suspension.
 2        Section   15-210.  Fraudulent   use.    No  person  shall
 3    knowingly  create,  publish,  alter,  or  otherwise   use   a
 4    certificate  for any fraudulent or other unlawful purpose.  A
 5    person convicted of a violation  of  this  Section  shall  be
 6    guilty of a Class 4 felony. A person convicted of a violation
 7    of  this  Section  who  previously  has  been  convicted of a
 8    violation of this Section or Section 10-140 shall  be  guilty
 9    of  a  Class  3 felony. A person who violates this Section in
10    furtherance of any scheme or artifice to defraud in excess of
11    $50,000 shall be guilty of a Class 2 felony.
12        Section  15-215.  False  or  unauthorized  request.    No
13    person  shall  knowingly  misrepresent his or her identity or
14    authorization in requesting or accepting a certificate or  in
15    requesting  suspension  or  revocation  of  a certificate.  A
16    person convicted of a violation  of  this  Section  shall  be
17    guilty  of a Class A misdemeanor.  A person who violates this
18    Section 10 times within one year, or in  furtherance  of  any
19    scheme  or  artifice to defraud, shall be guilty of a Class 4
20    felony. A person who violates this Section in furtherance  of
21    any  scheme or artifice to defraud in excess of $50,000 shall
22    be guilty of a Class 2 felony.
23        Section 15-220.  Unauthorized use of signature device. No
24    person shall knowingly access, alter, disclose,  or  use  the
25    signature  device  of a certification authority used to issue
26    certificates without authorization, or in  excess  of  lawful
27    authorization,  for  the  purpose of creating, or allowing or
28    causing another person to create, an unauthorized  electronic
29    signature  using such signature device. A person convicted of
30    a violation of this Section shall be  guilty  of  a  Class  3
31    felony.  A person who violates this Section in furtherance of
 1    any scheme or artifice to defraud shall be guilty of a  Class
 2    2 felony.
 3        Section   15-301.  Trustworthy   services.    Except   as
 4    conspicuously   set   forth  in  its  certification  practice
 5    statement, a certification authority and a person maintaining
 6    a repository must maintain its  operations  and  perform  its
 7    services in a trustworthy manner.
 8        Section 15-305.  Disclosure.
 9        (a)  For  each  certificate  issued  by  a  certification
10    authority  with  the intention that it will be relied upon by
11    third  parties  to  verify  digital  signatures  created   by
12    subscribers,   a  certification  authority  must  publish  or
13    otherwise make available  to  the  subscriber  and  all  such
14    relying parties:
15             (1)  its  certification  practice statement, if any,
16        applicable thereto; and
17             (2)  its    certificate    that    identifies    the
18        certification authority as a subscriber and that contains
19        the public key corresponding to the private key  used  by
20        the   certification   authority  to  digitally  sign  the
21        certificate (its "certification authority certificate").
22        (b)  In the event of an occurrence  that  materially  and
23    adversely  affects  a certification authority's operations or
24    system, its certification authority certificate, or any other
25    aspect of its ability to operate in a trustworthy manner, the
26    certification  authority  must   act   in   accordance   with
27    procedures  governing  such  an  occurrence  specified in its
28    certification practice statement, or in the absence  of  such
29    procedures, must use reasonable efforts to notify any persons
30    that  the  certification authority knows might foreseeably be
31    damaged as a result of such occurrence.
 1        Section   15-310.  Issuance   of   a    certificate.    A
 2    certification   authority   may  issue  a  certificate  to  a
 3    prospective subscriber for  the  purpose  of  allowing  third
 4    parties   to   verify   digital  signatures  created  by  the
 5    subscriber only after:
 6        (1)  the certification authority has received  a  request
 7    for issuance from the prospective subscriber; and
 8        (2)  the certification authority has:
 9             (A)  complied with all of the relevant practices and
10        procedures  set  forth  in  its  applicable certification
11        practice statement, if any; or
12             (B)  in the  absence  of  a  certification  practice
13        statement   addressing   these  issues,  confirmed  in  a
14        trustworthy manner that:
15                  (i)  the prospective subscriber is  the  person
16             to be listed in the certificate to be issued;
17                  (ii)  the  information in the certificate to be
18             issued is accurate;
19                  (iii)  the  prospective  subscriber  rightfully
20             holds a private key capable of  creating  a  digital
21             signature,  and  the  public key to be listed in the
22             certificate  can  be  used  to  verify   a   digital
23             signature affixed by such private key.
24        Section   15-315.  Representations   upon   issuance   of
25    certificate.
26        (a)  By  issuing a certificate with the intention that it
27    will be relied  upon  by  third  parties  to  verify  digital
28    signatures   created   by  the  subscriber,  a  certification
29    authority represents to the subscriber, and to any person who
30    reasonably   relies   on   information   contained   in   the
31    certificate, in good faith and during its operational period,
32    that:
33             (1)  the  certification  authority  has   processed,
 1        approved,  and  issued,  and  will  manage  and revoke if
 2        necessary,  the  certificate  in  accordance   with   its
 3        applicable  certification  practice  statement  stated or
 4        incorporated by reference in the certificate or of  which
 5        such person has notice, or in lieu thereof, in accordance
 6        with  this  Act  or the law of the jurisdiction governing
 7        issuance of the certificate;
 8             (2)  the certification authority  has  verified  the
 9        identity  of  the  subscriber to the extent stated in the
10        certificate  or  its  applicable  certification  practice
11        statement, or in lieu  thereof,  that  the  certification
12        authority  has verified the identity of the subscriber in
13        a trustworthy manner;
14             (3)  the certification authority has  verified  that
15        the  person  requesting the certificate holds the private
16        key  corresponding  to  the  public  key  listed  in  the
17        certificate; and
18             (4)  except  as  conspicuously  set  forth  in   the
19        certificate  or  its  applicable  certification  practice
20        statement,  to the certification authority's knowledge as
21        of  the  date  the  certificate  was  issued,  all  other
22        information in  the  certificate  is  accurate,  and  not
23        materially misleading.
24        (b)  If  a certification authority issued the certificate
25    subject  to   the   laws   of   another   jurisdiction,   the
26    certification   authority   also  makes  all  warranties  and
27    representations, if any, otherwise applicable under  the  law
28    governing its issuance.
29        Section 15-320.  Revocation of a certificate.
30        (a)  During  the operational period of a certificate, the
31    certification authority  that  issued  the  certificate  must
32    revoke  the  certificate  in accordance with the policies and
33    procedures governing revocation specified in  its  applicable
 1    certification  practice  statement, or in the absence of such
 2    policies and procedures, as soon as possible after:
 3             (1)  receiving  a  request  for  revocation  by  the
 4        subscriber named in the certificate, and confirming  that
 5        the person requesting revocation is the subscriber, or is
 6        an  agent of the subscriber with authority to request the
 7        revocation;
 8             (2)  receiving a certified  copy  of  an  individual
 9        subscriber's  death  certificate,  or  upon confirming by
10        other reliable evidence that the subscriber is dead;
11             (3)  being  presented  with  documents  effecting  a
12        dissolution of a corporate subscriber, or confirmation by
13        other evidence that the subscriber has been dissolved  or
14        has ceased to exist;
15             (4)  being served with an order requiring revocation
16        that was issued by a court of competent jurisdiction; or
17             (5)  confirmation  by  the  certification  authority
18        that:
19                  (A)  a   material   fact   represented  in  the
20             certificate is false;
21                  (B)  a material prerequisite to issuance of the
22             certificate was not satisfied;
23                  (C)  the certification authority's private  key
24             or  system  operations  were compromised in a manner
25             materially affecting the certificate's  reliability;
26             or
27                  (D)  the    subscriber's    private   key   was
28             compromised.
29        (b)  Upon effecting such a revocation, the  certification
30    authority  must  notify the subscriber and relying parties in
31    accordance with the policies and procedures governing  notice
32    of  revocation  specified  in  its  applicable  certification
33    practice  statement,  or  in the absence of such policies and
34    procedures, promptly notify the subscriber, promptly  publish
 1    notice  of  the  revocation  in  all  repositories  where the
 2    certification authority previously caused publication of  the
 3    certificate, and otherwise disclose the fact of revocation on
 4    inquiry by a relying party.
 5                 ARTICLE 20.  DUTIES OF SUBSCRIBERS
 6        Section  20-101.  Obtaining a certificate.   All material
 7    representations knowingly made by a person to a certification
 8    authority for purposes of obtaining a certificate naming such
 9    person as a subscriber must be accurate and complete  to  the
10    best of such person's knowledge and belief.
11        Section 20-105.  Acceptance of a certificate.
12        (a)  A  person  accepts  a  certificate  that  names such
13    person as a subscriber by publishing or approving publication
14    of it to  one  or  more  persons,  or  in  a  repository,  or
15    otherwise  demonstrating  approval  of  it,  while knowing or
16    having notice of its contents.
17        (b)  By accepting a certificate, the subscriber listed in
18    the certificate  represents  to  any  person  who  reasonably
19    relies  on  information contained in the certificate, in good
20    faith and during its operational period, that:
21             (1)  the subscriber rightfully holds the private key
22        corresponding  to  the   public   key   listed   in   the
23        certificate;
24             (2)  all  representations  made by the subscriber to
25        the  certification  authority   and   material   to   the
26        information listed in the certificate are true; and
27             (3)  all  information  in  the  certificate  that is
28        within the knowledge of the subscriber is true.
29        Section 20-110.  Revocation of  certificate.   Except  as
30    otherwise  provided by another applicable rule of law, if the
 1    private key corresponding to the public key listed in a valid
 2    certificate is lost, stolen, accessible  to  an  unauthorized
 3    person,  or  otherwise  compromised  during  the  operational
 4    period  of  the  certificate, a subscriber who has learned of
 5    the   compromise   must   promptly   request   the    issuing
 6    certification authority to revoke the certificate and publish
 7    notice  of  revocation  in  all  repositories  in  which  the
 8    subscriber   previously  authorized  the  certificate  to  be
 9    published, or otherwise  provide  reasonable  notice  of  the
10    revocation.
11                  ARTICLE 25.  STATE AGENCY USE OF
12                  ELECTRONIC RECORDS AND SIGNATURES
13        Section  25-101.  State agency use of electronic records.
14        (a)  Each State agency shall determine if, and the extent
15    to which, it will send and  receive  electronic  records  and
16    electronic signatures to and from other persons and otherwise
17    create,  use,  store,  and  rely  upon electronic records and
18    electronic signatures.
19        (b)  In any case where a State agency decides to send  or
20    receive  electronic records, or to accept document filings by
21    electronic records, the  State  agency  may,  by  appropriate
22    agency  rule  (or  court  rule where appropriate), giving due
23    consideration to security, specify:
24             (1)  the manner and format in which such  electronic
25        records must be created, sent, received, and stored;
26             (2)  if  such electronic records must be signed, the
27        type of electronic signature  required,  the  manner  and
28        format  in  which  such  signature must be affixed to the
29        electronic record, and the identity of, or criteria  that
30        must be met by, any third party used by the person filing
31        the document to facilitate the process;
32             (3)  control processes and procedures as appropriate
 1        to  ensure adequate integrity, security, confidentiality,
 2        and auditability of such electronic records; and
 3             (4)  any  other   required   attributes   for   such
 4        electronic  records  that  are  currently  specified  for
 5        corresponding  paper  documents,  or reasonably necessary
 6        under the circumstances.
 7        (c)  All rules adopted by a State  agency  shall  include
 8    the relevant minimum security requirements established by the
 9    Secretary of State, if any.
10        (d)  Whenever  any rule of law requires or authorizes the
11    filing of any information, notice, lien, or other document or
12    record with any State agency, a filing made by an  electronic
13    record  shall have the same force and effect as a filing made
14    on paper in all cases where the State agency  has  authorized
15    or agreed to such electronic filing and the filing is made in
16    accordance with applicable rules or agreement.
17        (e)  Nothing  in  this  Act shall be construed to require
18    any State agency to use or to permit the  use  of  electronic
19    records or electronic signatures.
20        Section   25-105.  Secretary  of  State  to  adopt  State
21    standards.
22        (a)  The Secretary of State may adopt rules setting forth
23    minimum security  requirements  for  the  use  of  electronic
24    records and electronic signatures by State agencies.
25        (b)  The  Secretary  of  State  shall specify appropriate
26    minimum security requirements to be implemented and  followed
27    by State agencies for (1) the generation, use, and storage of
28    key pairs, (2) the issuance, acceptance, use, suspension, and
29    revocation  of  certificates,  and  (3)  the  use  of digital
30    signatures.
31        (c)  Each State agency shall have the authority to issue,
32    or contract for the issuance  of,  certificates  to  (i)  its
33    employees  and agents and (ii) persons conducting business or
 1    other transactions with such State agency and to  take  other
 2    actions  consistent therewith, including the establishment of
 3    repositories and the suspension or revocation of certificates
 4    so issued,  provided  that  the  foregoing  is  conducted  in
 5    accordance  with  all  the  rules,  procedures,  and policies
 6    specified by the Secretary of State. The Secretary  of  State
 7    shall  have  the  authority to specify the rules, procedures,
 8    and policies whereby State agencies may issue or contract for
 9    the issuance of certificates.
10        (d)  The  Secretary  of  State  may  specify  appropriate
11    minimum standards and requirements that must be satisfied  by
12    a certification authority before:
13             (1)  its  services  are used by any State agency for
14        the issuance, publication, revocation, and suspension  of
15        certificates  to  such agency, or its employees or agents
16        (for official use); or
17             (2)  the certificates it issues will be accepted for
18        purposes of verifying digitally signed electronic records
19        sent to any State agency by any person.
20        (e)  Where  appropriate,  the  rules   adopted   by   the
21    Secretary  of  State  pursuant  to this Section shall specify
22    differing levels of minimum standards from which implementing
23    State agencies can select the standard most appropriate for a
24    particular application.
25        (f)  Except as provided in Section 25-101, the  Secretary
26    of  State  shall  have  exclusive  authority  to  adopt rules
27    authorized by this Section.
28        Section   25-115.  Interoperability.    To   the   extent
29    reasonable under  the circumstances,  rules  adopted  by  the
30    Secretary  of  State or a State agency relating to the use of
31    electronic records or electronic signatures shall be  drafted
32    in a manner designed to encourage and promote consistency and
33    interoperability   with   similar   requirements  adopted  by
 1    government  agencies  of  other  states   and   the   federal
 2    government.
 3        ARTICLE 30.  ENFORCEMENT; CIVIL REMEDY; SEVERABILITY
 4        Section  30-1.  Enforcement.   The Secretary of State may
 5    investigate  complaints  or  other   information   indicating
 6    violations  of  rules adopted by the Secretary of State under
 7    this Act  or  otherwise  indicating  fraudulent  or  unlawful
 8    conduct under this Act.  The Secretary of State shall certify
 9    to  the  Attorney  General,  for  such action as the Attorney
10    General may deem  appropriate,  all  information  he  or  she
11    obtains  that  discloses a violation of any provision of this
12    Act or the rules adopted by the Secretary of State under this
13    Act.
14        Section 30-5.  Civil remedy.   Whoever  suffers  loss  by
15    reason  of  a violation of Section 10-140, 15-210, 15-215, or
16    15-220 of this Act or Section 17-3 of the  Criminal  Code  of
17    1961  may,  in  a  civil  action against the violator, obtain
18    appropriate relief.  In a civil action  under  this  Section,
19    the  court  may  award  to  the  prevailing  party reasonable
20    attorneys fees and other litigation expenses.
21        Section 30-110.  Severability.  The  provisions  of  this
22    Act  are  severable  under  Section  1.31  of  the Statute on
23    Statutes.
24                 ARTICLE 95.  AMENDATORY PROVISIONS
25        Section 95-1.  The Statute  on  Statutes  is  amended  by
26    changing Section 1.15 as follows:
27        (5 ILCS 70/1.15) (from Ch. 1, par. 1016)
 1        Sec.   1.15.  "Written"  and  "in  writing"  may  include
 2    printing, electronic, and  any  other  mode  of  representing
 3    words  and  letters;  but  when  the written signature of any
 4    person is required by law to any official or  public  writing
 5    or  bond,  required  by  law,  it  shall  be  in  the  proper
 6    handwriting of such person or, in case he is unable to write,
 7    his proper mark, except as otherwise provided by law.
 8    (Source: P.A. 88-672, eff. 12-14-94.)
 9        Section  95-5.  The Freedom of Information Act is amended
10    by changing Section 7 as follows:
11        (5 ILCS 140/7) (from Ch. 116, par. 207)
12        Sec. 7.  Exemptions.
13        (1)  The following shall be exempt  from  inspection  and
14    copying:
15             (a)  Information    specifically   prohibited   from
16        disclosure  by  federal  or  State  law  or   rules   and
17        regulations adopted under federal or State law.
18             (b)  Information    that,    if   disclosed,   would
19        constitute a clearly  unwarranted  invasion  of  personal
20        privacy, unless the disclosure is consented to in writing
21        by  the  individual  subjects  of  the  information.  The
22        disclosure of information that bears on the public duties
23        of public employees and officials shall not be considered
24        an invasion of personal  privacy.   Information  exempted
25        under  this  subsection  (b)  shall  include  but  is not
26        limited to:
27                  (i)  files and personal information  maintained
28             with   respect   to  clients,  patients,  residents,
29             students  or  other  individuals  receiving  social,
30             medical,   educational,    vocational,    financial,
31             supervisory  or  custodial care or services directly
32             or  indirectly  from  federal  agencies  or   public
 1             bodies;
 2                  (ii)  personnel  files and personal information
 3             maintained with respect to employees, appointees  or
 4             elected  officials  of any public body or applicants
 5             for those positions;
 6                  (iii)  files    and    personal     information
 7             maintained with respect to any applicant, registrant
 8             or  licensee  by any public body cooperating with or
 9             engaged    in    professional    or     occupational
10             registration, licensure or discipline;
11                  (iv)  information  required  of any taxpayer in
12             connection with the assessment or collection of  any
13             tax unless disclosure is otherwise required by State
14             statute; and
15                  (v)  information   revealing  the  identity  of
16             persons  who  file  complaints   with   or   provide
17             information  to  administrative,  investigative, law
18             enforcement or penal  agencies;  provided,  however,
19             that   identification   of   witnesses   to  traffic
20             accidents,  traffic  accident  reports,  and  rescue
21             reports  may  be  provided  by  agencies  of   local
22             government,  except  in  a case for which a criminal
23             investigation is  ongoing,  without  constituting  a
24             clearly  unwarranted   per  se  invasion of personal
25             privacy under this subsection.
26             (c)  Records  compiled  by  any  public   body   for
27        administrative   enforcement   proceedings  and  any  law
28        enforcement or correctional agency  for  law  enforcement
29        purposes  or  for  internal matters of a public body, but
30        only to the extent that disclosure would:
31                  (i)  interfere with  pending  or  actually  and
32             reasonably  contemplated law enforcement proceedings
33             conducted by any  law  enforcement  or  correctional
34             agency;
 1                  (ii)  interfere   with  pending  administrative
 2             enforcement  proceedings  conducted  by  any  public
 3             body;
 4                  (iii)  deprive a person of a fair trial  or  an
 5             impartial hearing;
 6                  (iv)  unavoidably  disclose  the  identity of a
 7             confidential  source  or  confidential   information
 8             furnished only by the confidential source;
 9                  (v)  disclose     unique     or     specialized
10             investigative  techniques other than those generally
11             used and known or  disclose  internal  documents  of
12             correctional    agencies   related   to   detection,
13             observation or investigation of incidents  of  crime
14             or misconduct;
15                  (vi)  constitute   an   invasion   of  personal
16             privacy under subsection (b) of this Section;
17                  (vii)  endanger the life or physical safety  of
18             law enforcement personnel or any other person; or
19                  (viii)  obstruct     an     ongoing    criminal
20             investigation.
21             (d)  Criminal history record information  maintained
22        by  State  or local criminal justice agencies, except the
23        following which shall be open for public  inspection  and
24        copying:
25                  (i)  chronologically      maintained     arrest
26             information, such  as  traditional  arrest  logs  or
27             blotters;
28                  (ii)  the  name of a person in the custody of a
29             law enforcement agency and  the  charges  for  which
30             that person is being held;
31                  (iii)  court records that are public;
32                  (iv)  records   that  are  otherwise  available
33             under State or local law; or
34                  (v)  records in which the requesting  party  is
 1             the  individual identified, except as provided under
 2             part (vii) of paragraph (c)  of  subsection  (1)  of
 3             this Section.
 4             "Criminal  history  record  information"  means data
 5        identifiable  to  an   individual   and   consisting   of
 6        descriptions   or   notations   of  arrests,  detentions,
 7        indictments, informations, pre-trial proceedings, trials,
 8        or other formal events in the criminal justice system  or
 9        descriptions  or notations of criminal charges (including
10        criminal violations of local  municipal  ordinances)  and
11        the   nature   of   any  disposition  arising  therefrom,
12        including sentencing, court or correctional  supervision,
13        rehabilitation  and  release.  The term does not apply to
14        statistical records and reports in which individuals  are
15        not  identified  and  from which their identities are not
16        ascertainable, or to information  that  is  for  criminal
17        investigative or intelligence purposes.
18             (e)  Records  that  relate to or affect the security
19        of correctional institutions and detention facilities.
20             (f)  Preliminary  drafts,  notes,   recommendations,
21        memoranda   and  other  records  in  which  opinions  are
22        expressed, or policies or actions are formulated,  except
23        that  a  specific  record or relevant portion of a record
24        shall not be exempt when the record is publicly cited and
25        identified by the head of the public body. The  exemption
26        provided  in  this  paragraph  (f)  extends  to all those
27        records of officers and agencies of the General  Assembly
28        that pertain to the preparation of legislative documents.
29             (g)  Trade   secrets  and  commercial  or  financial
30        information obtained from a person or business where  the
31        trade  secrets or information are proprietary, privileged
32        or confidential, or where disclosure of the trade secrets
33        or information may cause competitive harm, including  all
34        information  determined  to be confidential under Section
 1        4002 of the Technology Advancement and  Development  Act.
 2        Nothing   contained   in  this  paragraph  (g)  shall  be
 3        construed to prevent a person or business from consenting
 4        to disclosure.
 5             (h)  Proposals and bids for any contract, grant,  or
 6        agreement,   including   information  which  if  it  were
 7        disclosed  would  frustrate  procurement   or   give   an
 8        advantage  to  any  person  proposing  to  enter  into  a
 9        contractor  agreement  with  the  body, until an award or
10        final selection is made.  Information prepared by or  for
11        the  body  in  preparation of a bid solicitation shall be
12        exempt until an award or final selection is made.
13             (i)  Valuable  formulae,   designs,   drawings   and
14        research  data  obtained  or  produced by any public body
15        when disclosure could reasonably be expected  to  produce
16        private gain or public loss.
17             (j)  Test   questions,   scoring   keys   and  other
18        examination  data  used   to   administer   an   academic
19        examination   or  determined  the  qualifications  of  an
20        applicant for a license or employment.
21             (k)  Architects'  plans  and  engineers'   technical
22        submissions  for projects not constructed or developed in
23        whole or in part  with  public  funds  and  for  projects
24        constructed or developed with public funds, to the extent
25        that disclosure would compromise security.
26             (l)  Library    circulation    and   order   records
27        identifying library users with specific materials.
28             (m)  Minutes of meetings of public bodies closed  to
29        the public as provided in the Open Meetings Act until the
30        public  body  makes  the  minutes available to the public
31        under Section 2.06 of the Open Meetings Act.
32             (n)  Communications between a  public  body  and  an
33        attorney  or  auditor  representing  the public body that
34        would not be subject  to  discovery  in  litigation,  and
 1        materials prepared or compiled by or for a public body in
 2        anticipation  of  a  criminal,  civil  or  administrative
 3        proceeding  upon  the request of an attorney advising the
 4        public body, and  materials  prepared  or  compiled  with
 5        respect to internal audits of public bodies.
 6             (o)  Information  received by a primary or secondary
 7        school, college or university under  its  procedures  for
 8        the  evaluation  of  faculty  members  by  their academic
 9        peers.
10             (p)  Administrative   or    technical    information
11        associated  with  automated  data  processing operations,
12        including  but  not  limited   to   software,   operating
13        protocols,  computer  program  abstracts,  file  layouts,
14        source  listings,  object  modules,  load  modules,  user
15        guides,  documentation  pertaining  to  all  logical  and
16        physical   design   of   computerized  systems,  employee
17        manuals, and any other information  that,  if  disclosed,
18        would  jeopardize  the security of the system or its data
19        or the security of materials exempt under this Section.
20             (q)  Documents or materials relating  to  collective
21        negotiating  matters  between  public  bodies  and  their
22        employees  or  representatives,  except  that  any  final
23        contract  or agreement shall be subject to inspection and
24        copying.
25             (r)  Drafts, notes,  recommendations  and  memoranda
26        pertaining to the financing and marketing transactions of
27        the  public body. The records of ownership, registration,
28        transfer, and exchange of municipal debt obligations, and
29        of  persons  to  whom  payment  with  respect  to   these
30        obligations is made.
31             (s)  The records, documents and information relating
32        to   real   estate   purchase  negotiations  until  those
33        negotiations have been completed or otherwise terminated.
34        With regard to a parcel involved in a pending or actually
 1        and reasonably  contemplated  eminent  domain  proceeding
 2        under  Article  VII  of  the  Code  of  Civil  Procedure,
 3        records,  documents  and  information  relating  to  that
 4        parcel  shall  be  exempt  except as may be allowed under
 5        discovery rules adopted by the  Illinois  Supreme  Court.
 6        The records, documents and information relating to a real
 7        estate sale shall be exempt until a sale is consummated.
 8             (t)  Any and all proprietary information and records
 9        related  to  the  operation  of an intergovernmental risk
10        management association or self-insurance pool or  jointly
11        self-administered  health  and  accident  cooperative  or
12        pool.
13             (u)  Information     concerning    a    university's
14        adjudication  of  student  or   employee   grievance   or
15        disciplinary  cases,  to the extent that disclosure would
16        reveal the  identity  of  the  student  or  employee  and
17        information  concerning any public body's adjudication of
18        student or employee  grievances  or  disciplinary  cases,
19        except for the final outcome of the cases.
20             (v)  Course  materials or research materials used by
21        faculty members.
22             (w)  Information  related  solely  to  the  internal
23        personnel rules and practices of a public body.
24             (x)  Information  contained   in   or   related   to
25        examination, operating, or condition reports prepared by,
26        on behalf of, or for the use of a public body responsible
27        for   the   regulation   or   supervision   of  financial
28        institutions or insurance companies, unless disclosure is
29        otherwise required by State law.
30             (y)  Information  the   disclosure   of   which   is
31        restricted  under  Section  5-108 of the Public Utilities
32        Act.
33             (z)  Manuals or instruction to staff that relate  to
34        establishment  or  collection  of liability for any State
 1        tax or that relate to investigations by a public body  to
 2        determine violation of any criminal law.
 3             (aa)  Applications,  related  documents, and medical
 4        records    received    by    the    Experimental    Organ
 5        Transplantation  Procedures  Board  and   any   and   all
 6        documents  or  other records prepared by the Experimental
 7        Organ  Transplantation  Procedures  Board  or  its  staff
 8        relating to applications it has received.
 9             (bb)  Insurance or  self  insurance  (including  any
10        intergovernmental  risk  management  association  or self
11        insurance  pool)  claims,   loss   or   risk   management
12        information, records, data, advice or communications.
13             (cc)  Information and records held by the Department
14        of  Public  Health  and  its  authorized  representatives
15        relating   to   known  or  suspected  cases  of  sexually
16        transmissible disease or any information  the  disclosure
17        of  which  is  restricted  under  the  Illinois  Sexually
18        Transmissible Disease Control Act.
19             (dd)  Information   the   disclosure   of  which  is
20        exempted under Section 30 of the Radon Industry Licensing
21        Act.
22             (ee)  Firm performance evaluations under Section  55
23        of  the  Architectural,  Engineering,  and Land Surveying
24        Qualifications Based Selection Act.
25             (ff)  Security portions  of  system  safety  program
26        plans,  investigation reports, surveys, schedules, lists,
27        data, or information compiled, collected, or prepared  by
28        or   for  the  Regional  Transportation  Authority  under
29        Section 2.11 of the Regional Transportation Authority Act
30        or the State  of  Missouri  under  the  Bi-State  Transit
31        Safety Act.
32             (gg)  (ff)  Information  the  disclosure of which is
33        restricted and exempted under Section 50 of the  Illinois
34        Prepaid Tuition Act.
 1             (hh)  Information  that would disclose or might lead
 2        to the disclosure of secret or confidential  information,
 3        codes,  algorithms, programs, or private keys intended to
 4        be used to create electronic or digital signatures  under
 5        the Electronic Commerce Security Act.
 6        (2)  This  Section  does  not  authorize  withholding  of
 7    information  or  limit  the  availability  of  records to the
 8    public,  except  as  stated  in  this  Section  or  otherwise
 9    provided in this Act.
10    (Source: P.A. 90-262, eff.  7-30-97;  90-273,  eff.  7-30-97;
11    90-546, eff. 12-1-97; revised 12-24-97.)
12        Section  95-10.  The  State Comptroller Act is amended by
13    changing Section 14.01 as follows:
14        (15 ILCS 405/14.01)
15        Sec. 14.01.  Digital signatures.
16        (a)  In any communication between a State agency and  the
17    Comptroller  in  which  a  signature is required or used, any
18    party to the communication may affix a signature by use of  a
19    digital signature that complies with the requirements of this
20    Section.   The use of a digital signature shall have the same
21    force and effect as the use of a manual signature if and only
22    if it embodies all of the following attributes:
23             (1)  It is unique to the person using it.
24             (2)  It is capable of verification.
25             (3)  It is under the  sole  control  of  the  person
26        using it.
27             (4)  It  is  linked to data in such a manner that if
28        the  data  are  changed,   the   digital   signature   is
29        invalidated.
30             (5)  It  conforms  to  regulations  adopted  by  the
31        Comptroller,  which  shall  not conflict with the minimum
32        security requirements specified by the Secretary of State
 1        under the Electronic Commerce Security Act.
 2        (b)  The use or acceptance of a digital  signature  shall
 3    be  at  the  option  of the parties.  Nothing in this Section
 4    shall require a State agency to use or permit the  use  of  a
 5    digital signature.
 6        (c)  "Digital signature" has the meaning ascribed to that
 7    term  in  the  Electronic  Commerce  Security  Act  means  an
 8    electronic  identifier,  created by computer, intended by the
 9    party using it to have the same force and effect as  the  use
10    of a manual signature.
11    (Source: P.A. 90-37, eff. 6-27-97.)
12        Section  95-15.   The Criminal Code of 1961 is amended by
13    changing Section 17-3 as follows:
14        (720 ILCS 5/17-3) (from Ch. 38, par. 17-3)
15        Sec. 17-3. Forgery.
16        (a)  A  person  commits  forgery  when,  with  intent  to
17    defraud, he knowingly:
18             (1)  makes or alters any document apparently capable
19        of defrauding another in such manner that it purports  to
20        have  been  made  by  another or at another time, or with
21        different provisions, or by authority of one who did  not
22        give such authority; or
23             (2)  issues  or delivers such document knowing it to
24        have been thus made or altered; or
25             (3)  possesses, with intent to issue or deliver, any
26        such document knowing  it  to  have  been  thus  made  or
27        altered; or.
28             (4)  unlawfully uses the signature device of another
29        to  create  an electronic signature of that other person,
30        as those terms are defined  in  the  Electronic  Commerce
31        Security Act.
32        (b)  An  intent  to  defraud  means an intention to cause
 1    another to assume, create, transfer, alter or  terminate  any
 2    right,  obligation  or  power with reference to any person or
 3    property.
 4        (c)  A document apparently capable of defrauding  another
 5    includes,  but  is  not  limited  to, one by which any right,
 6    obligation or power with reference to any person or  property
 7    may  be  created,  transferred,  altered  or  terminated.   A
 8    document  includes  any  record or electronic record as those
 9    terms are defined in the Electronic Commerce Security Act.
10        (d)  Sentence.
11        Forgery is a Class 3 felony.
12    (Source: P.A. 77-2638.)
13                     ARTICLE 99.  EFFECTIVE DATE
14        Section 99-1.  Effective  date.  This  Act  takes  effect
15    July 1, 1999.
