WeVote

Bill

Bill

HB 3576

Relating to funding for deflection programs; declaring an emergency.

2025 Regular Session Introduced by April Dobson and 4 co-sponsors

HB 3576 requires large water systems to implement and report cybersecurity programs, risk controls, incident response, and annual attestations to state regulators.

In committee upon adjournment.
0
WeVote Research Nonpartisan
Bill Summary · HB 3576

Summary — HB 3576 (104th General Assembly)

Status: In committee upon adjournment (last action 2025-06-28)
Introduced: Feb 18, 2025; Filed Mar 3, 2025
Primary sponsor listed: April Dobson. Introduced by Rep. Dagmara Avelar.
Title: Relating to funding for deflection programs; declaring an emergency.

Purpose / Intent

HB 3576 amends the Public Utilities Act to require large water system owners (water purveyors) to develop and maintain defined cybersecurity programs and reporting procedures to protect public community water systems from cyber threats. The bill strengthens regulatory oversight and requires routine attestations and reports to state regulators. The title includes an emergency declaration to make the law effective immediately upon enactment.

Key provisions

  • Adds a new Section 4-102 to the Public Utilities Act establishing cybersecurity requirements for "water purveyors" (defined in the bill as owners of public community water systems with more than 500 service connections).
  • Definitions provided: "cybersecurity incident", "cybersecurity insurance policy", "industrial control system", "information system", "public water system" and "public organized community water system" (15 connections or 25 people served as statutory definitions).
  • Cybersecurity program: Within 120 days after the bill’s effective date, each covered water purveyor must develop a cybersecurity program that:
    • Defines organizational accountability for cyber risk management;
    • Establishes policies, plans, processes, and procedures to identify and mitigate cyber risks;
    • Identifies the individual responsible for timely execution of policies;
    • Conducts risk assessments and implements controls;
    • Maintains threat/vulnerability situational awareness; and
    • Creates and exercises incident response and recovery plans.
  • Additional requirements (timing summarized in the bill): after program development, water purveyors must create an incident reporting process, obtain cybersecurity insurance that meets specified standards, reasonably conform to one or more recognized industry cybersecurity frameworks (e.g., NIST, ISO, etc.), submit compliance reports, submit incident reports when appropriate, and file annual status reports with the Commission.
  • Amends Section 4-101 to require an annual affidavit from regulated entities attesting that a security policy is in place, that at least one practice exercise occurred in the prior 12 months, and that electric utilities comply with NERC standards; water utilities’ security policies must comply with Section 4-102.
  • Grants rulemaking authority to the Department of Natural Resources and the Illinois Commerce Commission to implement provisions and sets out that violations are subject to enforcement (specific penalties are referenced in the bill text).

Who is affected

  • Primary: Water purveyors operating public community water systems with more than 500 service connections.
  • Secondary: The Illinois Commerce Commission (ICC) and Department of Natural Resources (DNR) for oversight and rulemaking; insurers (cybersecurity policies); vendors and consultants assisting with assessments, controls, and incident response.
  • Potential benefits accrue to consumers and public health through improved resiliency of water infrastructure.

Compliance timeline & reporting

  • 120 days from effective date: develop cybersecurity program.
  • Subsequent specified shorter timeframes (per bill text) for incident reporting process, insurance procurement, framework alignment, and initial compliance reports; then ongoing incident reporting and annual status reports.
  • Emergency clause indicates immediate enforceability upon enactment.

Potential impacts and considerations

  • Costs: implementation (staff, technology, assessments), insurance premiums, and ongoing reporting/compliance expenses for affected water purveyors.
  • Benefits: improved protection against cyberattacks on water infrastructure, faster incident detection/response, and standardized regulatory oversight.
  • Rulemaking: DNR and ICC will need to issue implementing rules and define reporting forms/manners; enforcement mechanisms referenced in the bill will determine penalties for noncompliance.

Legislative status / recent actions

Key actions include first reading (Feb–Mar 2025), multiple committee referrals (Rules; Cybersecurity, Data Analytics & IT; Transportation; Addiction & Community Safety Response), public hearings on Apr 10, 2025, and the bill was in committee upon adjournment as of Jun 28, 2025.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.