Illinois tightens cybersecurity breach disclosure requirements
State agencies in Illinois are now required to report cybersecurity breaches to residents within five days.
Introduced by Democratic Sen. Michael Hastings and supported by both sides of the aisle through passage, Senate Bill 707 was signed into law Friday, finalizing a clear reporting timeline for any state agency housing personal data. The law updates wording in the Personal Information Protection Act, which requires all taxpayer-funded agencies to disclose incidents that affect more than 250 residents “in the most expedient time possible and without unreasonable delay.”
The legislation follows a monthlong July 2016 cyberattack on the Illinois State Board of Elections in which attackers gained access to state databases that contained names, dates of birth, genders, driver’s licenses and partial Social Security numbers of about 15 million people and that ultimately compromised as many as 90,000 voter records.
“The people of Illinois deserve to know if a security breach has taken place at a taxpayer-funded agency,” Hastings said. “Illinois residents deserve to not only be informed of all cybersecurity breaches but be reassured the proper steps were taken to make sure similar attacks will not happen again.”
The law also tightens the internal reporting timeline, with a requirement that all breaches be reported to the Office of the Chief Information Security Officer (CISO) in the state technology office within 72 hours, at which point it is left to the CISO to determine whether releasing information about the breach would further jeopardize security.
Since last year’s attack, the state has passed several other measures, including mandatory cybersecurity training for all state employees and a statewide strategy announced in March designed to unify cybersecurity operations across the state’s 62 agencies.