IL HB3030
Bill
Status
2/18/2021
Primary Sponsor
Keith Wheeler
AI Summary
- Creates the Cybersecurity Compliance Act, establishing an affirmative defense for businesses that implement written cybersecurity programs with administrative, technical, and physical safeguards conforming to industry-recognized frameworks.
- Defines "covered entities" as any business accessing, maintaining, or processing personal information or restricted information, and establishes requirements for their cybersecurity programs based on entity size, complexity, information sensitivity, and available resources.
- Recognizes multiple industry-standard cybersecurity frameworks, including NIST standards, FedRAMP, Center for Internet Security Controls, ISO/IEC 27000 series, HIPAA, Gramm-Leach-Bliley Act, FISMA, and PCI data security standards, as meeting compliance requirements.
- Provides covered entities that satisfy the program requirements with an affirmative defense against tort claims alleging that a failure to implement reasonable information security controls resulted in data breaches involving personal or restricted information.
- Requires covered entities to update their programs within one year when recognized frameworks are revised or amended; does not create a private right of action under the Act.
Legislative Description
CYBERSECURITY COMPLIANCE ACT
Last Action
Rule 19(a) / Re-referred to Rules Committee
3/27/2021