We wanted to remind Illinois municipalities and counties of a state law that became effective earlier this year that imposes new cybersecurity requirements, including annual cybersecurity training for municipal and county employees and for some municipalities and all counties, the appointment of a cybersecurity designee.
P.A. 102-0753 was enacted last year and became effective January 1, 2023. The Act includes the following changes and new obligations.
First, the Act requires that every employee of a municipality or county complete an annual cybersecurity training program. That training must include, at a minimum, the following:
  • detecting phishing scams;
  • preventing spyware infections and identity theft; and
  • preventing and responding to data breaches.
Second, the Act requires the “principal executive officer, or his or her designee” of any municipality with a population of 35,000 or greater and all counties to designate a local official or employee as the primary point of contact for local cybersecurity issues and to provide the name and contact information to the Department of Innovation and Technology (a state agency). 
Third, the Act amended FOIA to expand the security plans and policies exception of section 7(1)(v) of FOIA to cover policies and plans addressing cybersecurity vulnerabilities so that these records are now exempt from release under FOIA.
Finally, the Act directs the Department to put together a cybersecurity training program and make it available to municipalities and counties. As an alternative, the Act does allow counties and municipalities to create their own training program.