Read the full stored bill text
Illinois General Assembly - Full Text of HB3576
Select Language
×
The Illinois General Assembly offers the Google Translate™ service for visitor convenience. In no way should it be considered accurate as to the translation of any content herein.
Visitors of the Illinois General Assembly website are encouraged to use other translation services available on the internet.
The English language version is always the official and authoritative version of this website.
NOTE: To return to the original English language version, select the "Show Original" button on the Google Translate™ menu bar at the top of the window.
Choose Language
English
Afrikaans
Albanian
Arabic
Armenian
Azerbaijani
Basque
Bengali
Bosnian
Catalan
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hungarian
Icelandic
Indonesian
Interlingua
Interlingue
Inuktitut
Irish
Italian
Japanese
Javanese
Kannada
Khmer
Korean
Latin
Latvian
Lithuanian
Luxembourgish
Macedonian
Malagasy
Malayalam
Maltese
Maori
Marathi
Myanmar
Nepali
Norwegian
Odia
Pashto
Punjabi
Romanian
Russian
Samoan
Sango
Sanskrit
Sardinian
Sindhi
Sinhala
Slovak
Slovenian
Somali
Southern Sotho
Spanish
Sundanese
Swahili
Swedish
Tamil
Telugu
Thai
Tigrinya
Tonga
Turkish
Ukrainian
Urdu
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu
Powered by
Translate
Close
Illinois General Assembly
Top Navigation Bar
Translate
Learn
Select General Assembly
Search the 104th General Assembly
Enter search terms for legislation, members, committees, or schedules.
ILGA.GOV
LEGISLATION & LAWS
Bills & Resolutions
Public Acts
Illinois Compiled Statutes
Illinois Constitution
Search Legislation
Glossary
Guide
Reports & Inquiry
Legislative Reports
Special Reports
FTP Site
Legislator Lookup
Capitol Complex Phone Numbers
Rules & Regulations
Illinois Register
Administrative Rules
Senate
Members
Schedules
Committees
Request for Remote Testimony
Journals
Transcripts
Rules
Audio/Video
FOIA Information
Senate Employment Opportunities
Media Guidelines
House
Members
Schedules
Committees
Submit testimony for House Committees
Journals
Transcripts
Rules
Audio/Video
FOIA Information
House Employment Opportunities
Log In
Mobile Top Bar
Search the 104th General Assembly
Enter keywords to search the Illinois General Assembly website.
Full Text of HB3576
Home
Legislation
Full Text
HB3576 - 104th General Assembly
Bill Status
Full Text
Votes
Witness Slips
Select Menu
Bill Status
Full Text
Votes
Witness Slips
Printer Friendly Version
Introduced
Printer Friendly Version
Introduced
Open PDF
104TH GENERAL ASSEMBLY
State of Illinois
2025 and 2026
HB3576
Introduced 2/18/2025, by Rep. Dagmara Avelar
SYNOPSIS AS INTRODUCED:
220 ILCS 5/4-101
from Ch. 111 2/3, par. 4-101
220 ILCS 5/4-102 new
Amends the Public Utilities Act. Provides that, within 120 days after
the effective date of the amendatory provisions, each water purveyor shall
develop a cybersecurity program that defines and implements organizational
accountabilities and responsibilities for cyber risk management
activities, and establishes policies, plans, processes, and procedures for
identifying and mitigating cyber risk to its public community water
system. Provides that, within certain time periods after the effective
date of the amendatory provisions, a water purveyor shall create a
cybersecurity incident reporting process; obtain a cybersecurity insurance
policy that meets certain standards; reasonably conform to the most recent
version of one or more of specified industry-recognized cybersecurity
frameworks; submit a compliance report; submit an incident report; and
submit an annual status report. Sets forth provisions concerning
violations of the amendatory provisions and rulemaking abilities of the
Department of Natural Resources and the Illinois Commerce Commission.
Makes other changes.
LRB104 08875 AAS 18930 b
A BILL FOR
HB3576
LRB104 08875 AAS 18930 b
1
AN ACT concerning regulation.
2
Be it enacted by the People of the State of Illinois,
3
represented in the General Assembly:
4
Section 5.
The Public Utilities Act is amended by changing
5
Section 4-101 and by adding Section 4-102 as follows:
6
(220 ILCS 5/4-101)
(from Ch. 111 2/3, par. 4-101)
7
Sec. 4-101.
The Commerce Commission shall have general
8
supervision of all public utilities, except as otherwise
9
provided in this Act, shall inquire into the management of the
10
business thereof and shall keep itself informed as to the
11
manner and method in which the business is conducted. It shall
12
examine those public utilities and keep informed as to their
13
general condition, their franchises, capitalization, rates and
14
other charges, and the manner in which their plants, equipment
15
and other property owned, leased, controlled or operated are
16
managed, conducted and operated, not only with respect to the
17
adequacy, security and accommodation afforded by their service
18
but also with respect to their compliance with this Act and any
19
other law, with the orders of the Commission and with the
20
charter and franchise requirements.
21
Whenever the Commission is authorized or required by law
22
to consider some aspect of criminal history record information
23
for the purpose of carrying out its statutory powers and
HB3576
- 2 -
LRB104 08875 AAS 18930 b
1
responsibilities, then, upon request and payment of fees in
2
conformance with the requirements of Section 2605-400 of the
3
Illinois State Police Law, the Illinois State Police is
4
authorized to furnish, pursuant to positive identification,
5
such information contained in State files as is necessary to
6
fulfill the request.
7
The Commission shall require all public utilities to
8
establish a security policy that includes on-site safeguards
9
to restrict physical or electronic access to critical
10
infrastructure and computerized control and data systems. The
11
Commission shall maintain a record of and each regulated
12
entity shall provide to the Commission an annual affidavit
13
signed by a representative of the regulated entity that
14
states:
15
(1) that the entity has a security policy in place;
16
(2) that the entity has conducted at least one
17
practice exercise based on the security policy within the
18
12 months immediately preceding the date of the affidavit;
19
and
20
(3) with respect to any entity that is an electric
21
public utility, that the entity follows, at a minimum, the
22
most current security standards set forth by the North
23
American Electric Reliability Council.
24
A water public utility's security policy shall also meet
25
the requirements set forth in Section 4-102.
26
(Source: P.A. 102-538, eff. 8-20-21.)
HB3576
- 3 -
LRB104 08875 AAS 18930 b
1
(220 ILCS 5/4-102 new)
2
Sec. 4-102.
Cybersecurity policy for water purveyors.
3
(a) As used in this Section:
4
"Cybersecurity incident" means an event occurring on or
5
conducted through a computer network that jeopardizes the
6
integrity, confidentiality, or availability of computers,
7
information systems, communications systems, networks,
8
physical or virtual infrastructure controlled by computers or
9
information systems, or information residing on such computers
10
or information systems.
11
"Cybersecurity insurance policy" means an insurance policy
12
designed to mitigate losses from cybersecurity incidents,
13
including, but not limited to, data breaches, business
14
interruption, and network damage.
15
"Department" means the Department of Natural Resources.
16
"Industrial control system" means an information system
17
used to control industrial processes such as manufacturing,
18
product handling, production, or distribution.
19
"Industrial control system" includes supervisory control
20
and data acquisition systems used to control geographically
21
dispersed assets, and distributed control systems and smaller
22
control systems using programmable logic controllers to
23
control localized processes.
24
"Information resource" means information and related
25
resources, such as personnel, equipment, funds, and
HB3576
- 4 -
LRB104 08875 AAS 18930 b
1
information technology.
2
"Information system" means a discrete set of information
3
resources organized for the collection, processing,
4
maintenance, use, sharing, dissemination, or disposition of
5
information.
6
"Public community water system" means a public water
7
system which serves at least 15 service connections used by
8
year-round residents or regularly serves at least 25
9
year-round residents.
10
"Public water system" means a system for the provision to
11
the public of water for human consumption through pipes or
12
other constructed conveyances, if such system has at least 15
13
service connections or regularly serves an average of at least
14
25 individuals daily at least 60 days out of the year. "Public
15
water system" includes (i) any collection, treatment, storage
16
and distribution facilities under control of the operator of
17
such system and used primarily in connection with such system,
18
and (ii) any collection or pre-treatment storage facilities
19
not under such control which are used primarily in connection
20
with such system.
21
"Water purveyor" means any person that owns a public
22
community water system with more than 500 service connections.
23
(b) Within 120 days after the effective date of this
24
amendatory Act of the 104th General Assembly, each water
25
purveyor shall develop a cybersecurity program that defines
26
and implements organizational accountabilities and
HB3576
- 5 -
LRB104 08875 AAS 18930 b
1
responsibilities for cyber risk management activities, and
2
establishes policies, plans, processes, and procedures for
3
identifying and mitigating cyber risk to the water purveyor's
4
public community water system. As part of the cybersecurity
5
program, a water purveyor shall do the following:
6
(1) identify the individual directly responsible for
7
ensuring that the policies, plans, processes, and
8
procedures established pursuant to this Section are
9
executed in a timely manner;
10
(2) conduct risk assessments and implement appropriate
11
controls to mitigate identified risks to the public
12
community water system;
13
(3) maintain situational awareness of cyber threats
14
and vulnerabilities to the public community water system;
15
and
16
(4) create and exercise incident response and recovery
17
plans.
18
A water purveyor shall submit a copy of the cybersecurity
19
program developed pursuant to this subsection (b) to the
20
Commission in a form and manner as determined by the
21
Commission.
22
(c) Within 60 days after developing the cybersecurity
23
program required pursuant to subsection (b) of this Section,
24
each water purveyor shall create a cybersecurity incident
25
reporting process.
26
(d) No later than 180 days after the effective date of this
HB3576
- 6 -
LRB104 08875 AAS 18930 b
1
amendatory Act of the 104th General Assembly, each water
2
purveyor shall obtain a cybersecurity insurance policy that
3
meets any applicable standards adopted by the Commission.
4
(e) No later than 180 days after the effective date of this
5
amendatory Act of the 104th General Assembly, each water
6
purveyor shall update its cybersecurity program developed
7
pursuant to this Section to apply to all of the public
8
community water system's industrial control systems and to
9
reasonably conform to the most recent version of one or more of
10
the following industry-recognized cybersecurity frameworks:
11
(1) the Framework for Improving Critical
12
Infrastructure Cybersecurity developed by the National
13
Institute of Standards and Technology;
14
(2) the Center for Internet Security Critical Security
15
Controls for Effective Cyber Defense; or
16
(3) the International Organization for Standardization
17
and International Electrotechnical Commission 27000 family
18
of standards for an information security management
19
system.
20
Whenever a final revision to one or more of the frameworks
21
listed in this subsection (e) is published, a water purveyor
22
whose cybersecurity program conformed to that framework shall
23
revise its cybersecurity program to reasonably conform to the
24
revised framework, and submit a copy of the revised
25
cybersecurity program to the Commission, no later than 180
26
days after publication of the revised framework.
HB3576
- 7 -
LRB104 08875 AAS 18930 b
1
(f) No later than one year after the effective date of this
2
amendatory Act of the 104th General Assembly, and each year
3
thereafter, each water purveyor shall submit to the Department
4
and the Commission a certification demonstrating that the
5
water purveyor is in compliance with the requirements of this
6
Section. The certification shall be made in a form and manner
7
as determined by the Department, in consultation with the
8
Commission. The certification shall be signed by a senior
9
executive responsible for security of the regulated entity.
10
(g) The Commission shall cause to be audited any public
11
community water system that fails to submit a cybersecurity
12
program, a revision, or a certification pursuant to this
13
Section. Any audit shall be conducted by a qualified and
14
independent cybersecurity company, at the water purveyor's
15
expense. Following the audit, the water purveyor shall submit
16
the audit and any corrective action plans derived from the
17
audit to the Commission.
18
(h) A water purveyor shall, upon the request of the
19
Department or the Commission, provide proof of compliance with
20
the requirements of this Section, in a form and manner as
21
determined by the Department or by the Commission.
22
(i) On and after 90 days after the effective date of this
23
amendatory Act of the 104th General Assembly, a water purveyor
24
shall inform the Commission, in a written or oral report,
25
within 48 hours or as soon as practicable after the discovery
26
or occurrence of any notable, unusual, or significant
HB3576
- 8 -
LRB104 08875 AAS 18930 b
1
cybersecurity incident or any cybersecurity incident that must
2
be reported to another regulatory agency, including the
3
following:
4
(1) any cybersecurity incident that results in the
5
compromise of the confidentiality, integrity,
6
availability, or privacy of the water purveyor's utility
7
billing, communications, data management, or business
8
information systems, or the information on such systems;
9
and
10
(2) any cybersecurity incident against the water
11
purveyor's industrial control systems, including
12
monitoring, operations, and centralized control systems,
13
that adversely impacts, disables, or manipulates
14
infrastructure, resulting in loss of service,
15
contamination of finished water, or damage to
16
infrastructure.
17
(j) No later than 30 days after receiving a report of a
18
cybersecurity incident from a water purveyor pursuant to
19
subsection (i), the Commission shall cause to be audited the
20
water purveyor's cybersecurity program and any actions the
21
water purveyor took in response to the cybersecurity incident.
22
The audit shall identify cyber threats and vulnerabilities to
23
the public community water system, weaknesses in the public
24
community water system's cybersecurity program, and strategies
25
to address those weaknesses so as to protect the public
26
community water system from the threat of future cybersecurity
HB3576
- 9 -
LRB104 08875 AAS 18930 b
1
incidents. Any audit shall be conducted by a qualified and
2
independent cybersecurity company at the water purveyor's
3
expense. After the completion of the audit, the water purveyor
4
shall submit the audit and any corrective action plans derived
5
from the audit to the Commission.
6
(k) By July 31 of each year, a water purveyor shall provide
7
to the Commission a report that identifies the following:
8
(1) an overview of the water purveyor's approach to
9
cybersecurity awareness and protection;
10
(2) a description of cybersecurity awareness training
11
efforts for the water purveyor's staff members,
12
specialized cybersecurity training for cybersecurity
13
personnel, and participation by the water purveyor's
14
cybersecurity staff in emergency preparedness exercises in
15
the previous calendar year;
16
(3) an organizational diagram of the water purveyor's
17
cybersecurity organization, including positions and
18
contact information for primary and secondary
19
cybersecurity emergency contacts;
20
(4) a description of the water purveyor's internal and
21
external communications plan regarding unauthorized
22
actions that result in interruption, degradation of
23
service, financial harm, or breach of sensitive business
24
or customer data, including the water purveyor's plan for
25
notifying the Commission and customers;
26
(5) a redacted summary of any unauthorized actions
HB3576
- 10 -
LRB104 08875 AAS 18930 b
1
that resulted in material interruption, financial harm, or
2
breach of sensitive business or customer data, including
3
the parties that were notified of the unauthorized action
4
and any remedial actions undertaken;
5
(6) key performance indicators and other metrics
6
related to physical security and cybersecurity;
7
(7) any notable cybersecurity information not included
8
in paragraphs (1) through (6); and
9
(8) any other information as directed by the
10
Commission.
11
(l) The Department or the Commission shall create a
12
centralized portal allowing for electronic submittal of the
13
report required under this Section. The lack of a centralized
14
portal pursuant to this subsection (l) shall not negate the
15
requirement for a water purveyor to submit a report.
16
(m) Any person who violates the provisions of this
17
Section, or any rule or regulation adopted pursuant thereto,
18
shall be subject to the penalties and other remedies set forth
19
in Sections 4-202 and Section 4-203. No later than 18 months
20
after the effective date of this amendatory Act of the 104th
21
General Assembly, the Department shall adopt a schedule of
22
civil administrative penalties for specific violations of this
23
Section.
24
(n) Reports and other submissions made under this Section
25
shall not be open to public inspection unless otherwise
26
ordered by the Commission. Regulated entities shall not report
HB3576
- 11 -
LRB104 08875 AAS 18930 b
1
information otherwise required under this Section if
2
prohibited by law or court order or instructed otherwise by
3
law enforcement personnel.
4
(o) The Department or the Commission may adopt rules to
5
implement this Section.
Footer
Disclaimer
This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.
Contact ILGA Webmaster
ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies
ILGA.GOV
2026 ILGA.gov | All Rights Reserved |
ADA
|
Disclaimers
|
Learn
This site is maintained for the Illinois General Assembly by the
Legislative Information System, 705 Stratton Building, Springfield, Illinois 62706.
Contact ILGA Webmaster
ILGA.gov uses cookies to ensure you get the best experience on our website. By continuing to browse ILGA.gov you consent to our use of cookies.
Read About Cookies
ILGA.GOV
2026 ILGA.gov | All Rights Reserved |
ADA
|
Disclaimers
|
Learn