HB3391 - Security of Connected Devices Act

• Requires manufacturers of connected devices sold in Illinois to equip devices with reasonable security features appropriate to the device's nature, function, and data.

• Security features must be designed to protect the device and information contained within it from unauthorized access, destruction, use, modification, or disclosure.

• Connected devices with remote authentication capability must either use unique preprogrammed passwords for each device or require users to generate new authentication credentials before first-time access.

• Exempts devices subject to federal security requirements, third-party software added by users, and health care entities covered under HIPAA.

• Grants the Illinois Attorney General exclusive enforcement authority as an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act; provides no private right of action.