Public Act 93-0306

SB553 Enrolled                       LRB093 10793 MKM 11219 b

    AN ACT concerning computer technology.

    Be it enacted by the People of  the  State  of  Illinois,
represented in the General Assembly:

    Section  1.  Short  title.   This Act may be cited as the
Data Security on State Computers Act.

    Section 5.  Findings. The General Assembly finds that:
    (a)  The Massachusetts  Institute  of  Technology,  in  a
recent  study, discovered that many companies and individuals
are regularly selling or donating computer hard  drives  with
sensitive  information  still  on  them,  such as credit card
numbers, bank and medical records, and personal e-mail.
    (b)  Illinois  currently  has  no  law  addressing   data
security   and  removal  of  data  from  surplus  State-owned
computers that are to be (i) disposed of by  sale,  donation,
or  transfer  or  (ii)  relinquished to a successor executive
administration.
    (c)  In order  to  ensure  the  protection  of  sensitive
information  relating  to  the  State and its citizens, it is
necessary to implement policies to  (i)  overwrite  all  hard
drives  of  surplus  State-owned  electronic  data processing
equipment that are to be sold, donated,  or  transferred  and
(ii)   preserve  the  data  on  State-owned  electronic  data
processing  equipment  that  is  to  be  relinquished  to   a
successor  executive  administration  for  the  continuity of
government functions.

    Section 10.  Purpose. The purpose of this Act is  to  (i)
require  the Department of Central Management Services or any
other authorized agency that disposes of  surplus  electronic
data  processing  equipment by sale, donation, or transfer to
implement  a  policy  mandating  that  computer  hardware  be
cleared of all data and software  before  disposal  by  sale,
donation,  or  transfer  and  (ii)  require  the head of each
Agency  to  establish  a  system  for  the   protection   and
preservation  of  State  data  on State-owned electronic data
processing  equipment  necessary  for   the   continuity   of
government  functions upon relinquishment of the equipment to
a successor executive administration.

    Section 15.  Definitions. As used in this Act:
    "Agency" means all parts, boards, and commissions of  the
executive  branch  of  State  government,  including, but not
limited  to,  State  colleges  and  universities  and   their
governing boards and all departments established by the Civil
Administrative Code of Illinois.
    "Disposal  by  sale, donation, or transfer" includes, but
is not limited to, the sale, donation, or transfer of surplus
electronic  data  processing  equipment  to  other  agencies,
schools, individuals, and not-for-profit agencies.
    "Electronic data processing equipment" includes,  but  is
not  limited  to,  computer (CPU) mainframes, and any form of
magnetic storage media.
    "Authorized agency" means an  agency  authorized  by  the
Department of Central Management Services to sell or transfer
electronic data processing equipment under Sections 5010.1210
and  5010.1220  of  Title  44  of the Illinois Administrative
Code.
    "Department" means the Department of  Central  Management
Services.
    "Overwrite"  means  the  replacement of previously stored
information with  a  pre-determined  pattern  of  meaningless
information.

    Section  20.  Establishment  and implementation. The Data
Security on State Computers Act  is  established  to  protect
sensitive   data   stored   on  State-owned  electronic  data
processing equipment to be (i) disposed of by sale, donation,
or transfer or (ii) relinquished  to  a  successor  executive
administration.   This  Act  shall  be  administered  by  the
Department or an authorized  agency.  The  Department  or  an
authorized  agency  shall  implement a policy to mandate that
all  hard  drives  of  surplus  electronic  data   processing
equipment  be  cleared  of all data and software before being
prepared for sale, donation, or transfer by  (i)  overwriting
the  previously  stored data on a drive or a disk at least 10
times and (ii) certifying in  writing  that  the  overwriting
process   has  been  completed  by  providing  the  following
information: (1) the serial number of the computer  or  other
surplus electronic data processing equipment; (2) the name of
the  overwriting  software  used; and (3) the name, date, and
signature of the person performing the  overwriting  process.
The  head  of  each State agency shall establish a system for
the protection and preservation of State data on  State-owned
electronic   data  processing  equipment  necessary  for  the
continuity of government functions upon it being relinquished
to a successor executive administration.

    Section 50.  The  Public  Utilities  Act  is  amended  by
changing Section 13-301.3 as follows:

    (220 ILCS 5/13-301.3)
    (Section scheduled to be repealed on July 1, 2005)
    Sec.  13-301.3. Digital Divide Elimination Infrastructure
Program.
    (a)  The Digital Divide Elimination  Infrastructure  Fund
is  created  as  a  special  fund  in the State treasury. All
moneys in the Fund shall be used, subject  to  appropriation,
by  the  Commission  to  fund  the construction of facilities
specified in Commission rules adopted under this Section. The
Commission may accept private  and  public  funds,  including
federal   funds,   for   deposit   into  the  Fund.  Earnings
attributable to moneys in the Fund shall  be  deposited  into
the Fund.
    (b)  The Commission shall adopt rules under which it will
make grants out of funds appropriated from the Digital Divide
Elimination  Infrastructure  Fund  to  eligible  entities  as
specified  in  the  rules  for the construction of high-speed
data transmission facilities in eligible areas of the  State.
For  purposes  of  determining whether an area is an eligible
area, the Commission  shall  consider,  among  other  things,
whether   (i)   in  such  area,  advanced  telecommunications
services, as defined in subsection (c) of Section  13-517  of
this Act, are under-provided to residential or small business
end  users, either directly or indirectly through an Internet
Service  Provider,  (ii)  such  area  has  a  low  population
density,  and  (iii)  such  area  has  not  yet  developed  a
competitive market for advanced services.  In addition, if an
entity seeking a grant  of  funds  from  the  Digital  Divide
Elimination Infrastructure Fund is an for which the incumbent
local  exchange  carrier  having the duty to serve such area,
and the obligation to provide advanced services to such  area
pursuant  to  Section  13-517  of  this Act, the entity shall
demonstrate that it has sought and obtained an exemption from
such obligation pursuant to subsection (b) of Section 13-517.
Any entity seeking a grant of funds from the  Digital  Divide
Elimination  Infrastructure  Fund  shall  demonstrate  to the
Commission that the grant shall be used for the  construction
of  high-speed  data  transmission  facilities in an eligible
area  and  demonstrate   that   it   satisfies    all   other
requirements of the Commission's rules.  The Commission shall
determine  the  information  that it deems necessary to award
grants pursuant to this  Section.  based  upon  a  Commission
finding that provision of such advanced services to customers
in such area is either unduly economically burdensome or will
impose  a  significant  adverse  economic  impact on users of
telecommunications services generally.
    (c)  The rules of the Commission shall  provide  for  the
competitive  selection of recipients of grant funds available
from  the  Digital  Divide  Elimination  Infrastructure  Fund
pursuant to the Illinois Procurement Code.  Grants  shall  be
awarded  to  bidders  chosen  on  the  basis  of the criteria
established in such rules.
    (d)  All entities awarded grant moneys under this Section
shall maintain all records required by  Commission  rule  for
the period of time specified in the rules. Such records shall
be  subject  to  audit  by  the  Commission,  by  any auditor
appointed by the State, or by any State officer authorized to
conduct audits.
(Source: P.A. 92-22, eff. 6-30-01.)

    Section 99. Effective date. This Act  takes  effect  upon
becoming law.