SB553 Engrossed                      LRB093 10793 MKM 11219 b

 1        AN ACT concerning security on State computers.

 2        Be  it  enacted  by  the People of the State of Illinois,
 3    represented in the General Assembly:

 4        Section 1.  Short title.  This Act may be  cited  as  the
 5    Data Security on State Computers Act.

 6        Section 5.  Findings. The General Assembly finds that:
 7        (a)  The  Massachusetts  Institute  of  Technology,  in a
 8    recent study, discovered that many companies and  individuals
 9    are  regularly  selling or donating computer hard drives with
10    sensitive information still on  them,  such  as  credit  card
11    numbers, bank and medical records, and personal e-mail.
12        (b)  Illinois   currently  has  no  law  addressing  data
13    security  and  removal  of  data  from  surplus   State-owned
14    computers  that  are to be (i) disposed of by sale, donation,
15    or transfer or (ii) relinquished  to  a  successor  executive
16    administration.
17        (c)  In  order  to  ensure  the  protection  of sensitive
18    information relating to the State and  its  citizens,  it  is
19    necessary  to  implement  policies  to (i) overwrite all hard
20    drives of  surplus  State-owned  electronic  data  processing
21    equipment  that  are  to be sold, donated, or transferred and
22    (ii)  preserve  the  data  on  State-owned  electronic   data
23    processing   equipment  that  is  to  be  relinquished  to  a
24    successor executive  administration  for  the  continuity  of
25    government functions.

26        Section  10.  Purpose.  The purpose of this Act is to (i)
27    require the Department of Central Management Services or  any
28    other  authorized  agency that disposes of surplus electronic
29    data processing equipment by sale, donation, or  transfer  to
30    implement  a  policy  mandating  that  computer  hardware  be
 
 1    cleared  of  all  data  and software before disposal by sale,
 2    donation, or transfer and  (ii)  require  the  head  of  each
 3    Agency   to   establish  a  system  for  the  protection  and
 4    preservation of State data  on  State-owned  electronic  data
 5    processing   equipment   necessary   for  the  continuity  of
 6    government functions upon relinquishment of the equipment  to
 7    a successor executive administration.

 8        Section 15.  Definitions. As used in this Act:
 9        "Agency"  means all parts, boards, and commissions of the
10    executive branch of  State  government,  including,  but  not
11    limited   to,  State  colleges  and  universities  and  their
12    governing boards and all departments established by the Civil
13    Administrative Code of Illinois.
14        "Disposal by sale, donation, or transfer"  includes,  but
15    is not limited to, the sale, donation, or transfer of surplus
16    electronic  data  processing  equipment  to  other  agencies,
17    schools, individuals, and not-for-profit agencies.
18        "Electronic  data  processing equipment" includes, but is
19    not limited to, computer (CPU) mainframes, and  any  form  of
20    magnetic storage media.
21        "Authorized  agency"  means  an  agency authorized by the
22    Department of Central Management Services to sell or transfer
23    electronic data processing equipment under Sections 5010.1210
24    and 5010.1220 of Title  44  of  the  Illinois  Administrative
25    Code.
26        "Department"  means  the Department of Central Management
27    Services.
28        "Overwrite" means the replacement  of  previously  stored
29    information  with  a  pre-determined  pattern  of meaningless
30    information.

31        Section 20.  Establishment and implementation.  The  Data
32    Security  on  State  Computers  Act is established to protect
 
 1    sensitive  data  stored  on   State-owned   electronic   data
 2    processing equipment to be (i) disposed of by sale, donation,
 3    or  transfer  or  (ii)  relinquished to a successor executive
 4    administration.  This  Act  shall  be  administered  by   the
 5    Department  or  an  authorized  agency.  The Department or an
 6    authorized agency shall implement a policy  to  mandate  that
 7    all   hard  drives  of  surplus  electronic  data  processing
 8    equipment be cleared of all data and  software  before  being
 9    prepared  for  sale, donation, or transfer by (i) overwriting
10    the previously stored data on a drive or a disk at  least  10
11    times  and  (ii)  certifying  in writing that the overwriting
12    process  has  been  completed  by  providing  the   following
13    information:  (1)  the serial number of the computer or other
14    surplus electronic data processing equipment; (2) the name of
15    the overwriting software used; and (3) the  name,  date,  and
16    signature  of  the person performing the overwriting process.
17    The head of each State agency shall establish  a  system  for
18    the  protection and preservation of State data on State-owned
19    electronic  data  processing  equipment  necessary  for   the
20    continuity of government functions upon it being relinquished
21    to a successor executive administration.

22        Section  99.  Effective  date. This Act takes effect upon
23    becoming law.