AN ACT concerning transportation.

Be it enacted by the People of the State of Illinois, represented in the General Assembly:

Section 5. The Illinois State Auditing Act is amended by changing Sections 3-2.4, 3-4, 3-14, 3-15, and 6-1 as follows:

(30 ILCS 5/3-2.4)

Sec. 3-2.4. Cybersecurity audit.

(a) In conjunction with its annual compliance examination program, the Auditor General shall review State agencies and their cybersecurity programs and practices, with a particular focus on agencies holding large volumes of personal information.

(b) The review required under this Section shall, at a minimum, assess the following:

(1) the effectiveness of State agency cybersecurity practices;

(2) the risks or vulnerabilities of the cybersecurity systems used by State agencies;

(3) the types of information that are most susceptible to attack;

(4) ways to improve cybersecurity and eliminate vulnerabilities to State cybersecurity systems; and

(5) any other information concerning the cybersecurity of State agencies that the Auditor General deems necessary and proper.

(c) In order to protect and preserve the integrity, security, and confidentiality of the network, infrastructure, and data of a State agency, any Any findings resulting from the testing conducted under this Section shall be included within the applicable State agency's compliance examination report and made available only to the applicable State agency under review. Each compliance examination report shall be issued in accordance with the provisions of Section 3-14. A copy of the report shall also be delivered to the head of the applicable State agency and posted on the Auditor General's website.

(Source: P.A. 100-914, eff. 1-1-19.)

(30 ILCS 5/3-4) (from Ch. 15, par. 303-4)

Sec. 3-4. Investigations.

The Auditor General shall make such investigations as are directed by either house of the General Assembly or by the Commission in a resolution specifying the acts, transactions or practices to be the subject of the investigation.

The resolution directing such an investigation may specify to whom the Auditor General shall make his findings and recommendations after the investigation and whether those findings and recommendations are to be made public.

Unless the resolution directing the investigation provides otherwise, the Auditor General shall direct and provide his findings and recommendations to the Commission, to the Governor, to the official in charge of each agency included in the investigation and to each person who was named individually as a subject of investigation by the directing resolution, except as restricted hereunder. No other publicity shall be given to the report and recommendations other than is provided by this paragraph.

The Auditor General may recommend to the Commission that an investigation be directed with regard to any matter which he believes to be in the public interest to investigate.

In order to protect and preserve the integrity, security, and confidentiality of the network, infrastructure, and data of a State agency, any investigations, findings, and recommendations pertaining to State agencies and their information technology controls, privacy programs and practices, and cybersecurity programs and practices, must be redacted and withheld from public disclosure.

Investigations, findings, and recommendations under this Section, pertaining to State agencies and their information technology controls, privacy programs and practices, and cybersecurity programs and practices, shall be made available only to the applicable State agency under review, shall be delivered to the official in charge of the agency included within the investigation, and shall be delivered to each person who was named individually as a subject of the investigation by the directing resolution.

When investigations are directed under this Section, and pertain to State agencies and their information technology controls, privacy programs and practices, and cybersecurity programs and practices, the Auditor General shall direct and provide the numerical number of findings and affirmatively state whether recommendations were made, to those specified by the resolution directing such an investigation and all others required by this Section. At no time may the Auditor General disclose the contents of the specific findings or recommendations except as permitted hereunder.

(Source: P.A. 78-884.)

(30 ILCS 5/3-14) (from Ch. 15, par. 303-14)

Sec. 3-14. Audit reports. Upon completion of any audit the Auditor General shall issue an audit report which shall include: a precise statement of the scope of the audit or review, a statement of the material findings resulting from the audit, a statement of the underlying cause, evaluative criteria used and the current and prospective significance thereof and a statement of explanation or rebuttal which may have been submitted by the agency audited relevant to the audit findings included in the report.

As part of this report the Auditor General shall prepare a signed digest of the legislatively significant matters of the report and, as may be applicable, a concise statement of (1) any actions taken or contemplated by persons or agencies subsequent to the completion of the audit but prior to the release of the report, which bear on matters in the report, (2) any actions the Auditor General considers necessary or desirable, and (3) any other information the Auditor General deems useful to the General Assembly in order to understand or act on any matters presented in the audit.

The Auditor General shall submit a copy of each audit report to the Commission, the Governor, the Speaker and minority leader of the House of Representatives and the President and minority leader of the Senate.

All audit reports shall be maintained in the Office of the Auditor General as a public record, subject to Section 3-11.

In order to protect and preserve the integrity, security, and confidentiality of the network, infrastructure, and data of a State agency, all audit reports containing findings and recommendations pertaining to State agencies and their information technology controls, privacy programs and practices, and cybersecurity programs and practices, must be redacted and withheld from public disclosure. The unredacted findings and recommendations pertaining to State agencies and their cybersecurity programs and practices shall be made available only to the applicable State agency under review; provided however, a State agency may disclose findings and recommendations to a duly authorized third-party who is providing services or otherwise assisting the State agency subject to the findings and recommendations with its cybersecurity plan and operations.

All audit reports shall be maintained in the Office of the Auditor General as a public record, subject to Section 3-11.

If the post audit of a State agency discloses an apparent violation of a penal statute or an apparent instance of misfeasance, malfeasance or nonfeasance, by any person, relating to the obligation, expenditure, receipt or use of public funds of the State, the Auditor General shall immediately make a written report to the Commission and the Governor stating that to be the case and setting forth the underlying facts that have led to that conclusion.

(Source: P.A. 82-368.)

(30 ILCS 5/3-15) (from Ch. 15, par. 303-15)

Sec. 3-15. Reports of Auditor General. By March 1, each year, the Auditor General shall submit to the Commission, the General Assembly and the Governor an annual report summarizing all audits, investigations and special studies made under this Act during the last preceding calendar year.

As it relates to information technology controls, privacy programs and practices, and cybersecurity findings and recommendations, in order to protect and preserve the integrity, security, and confidentiality of the network, infrastructure, and data of a State agency, reports under this Section may only contain the numerical number of information technology controls, privacy programs and practices, and cybersecurity findings and affirmatively state whether recommendations were made. At no time may the Auditor General disclose the contents of the specific findings or recommendations except as permitted hereunder.

Once each 3 months, the Auditor General shall submit to the Commission a quarterly report concerning the operation of his office, including relevant fiscal and personnel matters, details of any contractual services utilized during that period, a summary of audits and studies still in process and such other information as the Commission requires.

The Auditor General shall prepare and distribute such other reports as may be required by the Commission.

All post audits directed by resolution of the House or Senate shall be reported to the members of the General Assembly, unless the directing resolution specifies otherwise.

The requirement for reporting to the General Assembly shall be satisfied by filing copies of the report as required by Section 3.1 of the General Assembly Organization Act, and filing such additional copies with the State Government Report Distribution Center for the General Assembly as is required under paragraph (t) of Section 7 of the State Library Act.

(Source: P.A. 100-1148, eff. 12-10-18.)

(30 ILCS 5/6-1) (from Ch. 15, par. 306-1)

Sec. 6-1. Effect on other laws. The powers and duties of the Auditor General under this Act and the system of audits established by this Act are in addition to any other powers, duties or audits required or authorized by law.

Where records or information are classified as confidential, legally protected, or records or information with maintain an equivalent or greater privacy designation, by or pursuant to law, such records or information shall be disclosed to the Office of the Auditor General as necessary and to the extent required for the performance of an authorized post audit. Federal tax information shall only be provided in accordance with federal law and regulation applicable to the safeguarding of federal tax information.

Where records or information are required to be disclosed, the Office of the Auditor General shall collect, maintain, and store, all records or information classified as confidential, legally protected, or with maintaining an equivalent or greater privacy designation, under the same or greater privacy and security requirements to which such records or information were disclosed by the State agency to the Office of the Auditor General.

Confidential records or information disclosed to the Office of the Auditor General shall be subject to the same legal, confidentiality, legal confidentiality and protective restrictions in the Office of the Auditor General as such records and information have in the hands of the official authorized custodian. Any penalties applicable to the officially authorized custodian or his employees for the violation of any confidentiality or protective restrictions applicable to such records or information shall also apply to the officers, employees, contractors, and agents of the Office of the Auditor General.

The Office of the Auditor General may not publish any confidential legally protected, or records or information with an equivalent or greater privacy designation, information or records in any report, including data and statistics, if such information as published is directly or indirectly matchable to any individual.

The Office of the Auditor General may not publish any records or information in any report, generated by, through, in conjunction with, or on behalf of the Office of the Auditor General, which includes any of the following data disclosed by a State agency: Cybersecurity assessments, cybersecurity measures, and cybersecurity response policies or plans and the like, that are designed to identify, prevent, or respond to potential cyberattacks upon a public body or agency's personnel or systems, facilities, or installations, the destruction or exploitation of which would constitute a clear and present danger to the health, safety or security of the public body or agency. For the purposes of this Section, records and information detailing the mobilization and deployment of personnel, vendors, teams, or equipment in preparation or response to a cybersecurity policy or plan and the like, the cybersecurity or privacy product and solutions names or configurations and the like, the operation of communication systems or protocols and the like, or other cybersecurity operations and the like, may not be published.

Inside the Office of the Auditor General, confidential legally protected, or records or information with an equivalent or greater privacy designation, records or information may be used only for official purposes.

Any officer, employee, contractor, or agent of the Office of the Auditor General who violates any legal confidentiality or protective restriction, or privacy and security requirement, governing any records or information shall be guilty of a Class A misdemeanor unless a greater penalty is otherwise provided by law.

Where this Act expressly governs or grants authority for regulations to govern other auditing procedures, this Act supersedes all other statutes to the contrary. To the extent that this Act conflicts with another statute, this Act prevails.

Except as provided in this Section, this Act does not supersede or repeal by implication any other statute.

(Source: P.A. 102-61, eff. 7-9-21.)

Section 99. Effective date. This Act takes effect upon becoming law.