093_SB0553sam001 LRB093 10793 MKM 13848 a

AMENDMENT TO SENATE BILL 553

AMENDMENT NO. . Amend Senate Bill 553 on page 1, immediately below line 5, by inserting the following:

"Section 5. Findings. The General Assembly finds that:

(a) The Massachusetts Institute of Technology, in a recent study, discovered that many companies and individuals are regularly selling or donating computer hard drives with sensitive information still on them, such as credit card numbers, bank and medical records, and personal e-mail.

(b) Illinois currently has no law addressing data security and removal of data from surplus State-owned computers that are to be (i) disposed of by sale, donation, or transfer or (ii) relinquished to a successor executive administration.

(c) In order to ensure the protection of sensitive information relating to the State and its citizens, it is necessary to implement policies to (i) overwrite all hard drives of surplus State-owned electronic data processing equipment that are to be sold, donated, or transferred and (ii) preserve the data on State-owned electronic data processing equipment that is to be relinquished to a successor executive administration for the continuity of government functions.

Section 10. Purpose. The purpose of this Act is to (i) require the Department of Central Management Services or any other authorized agency that disposes of surplus electronic data processing equipment by sale, donation, or transfer to implement a policy mandating that computer hardware be cleared of all data and software before disposal by sale, donation, or transfer and (ii) require the head of each Agency to establish a system for the protection and preservation of State data on State-owned electronic data processing equipment necessary for the continuity of government functions upon relinquishment of the equipment to a successor executive administration.

Section 15. Definitions. As used in this Act:

"Agency" means all parts, boards, and commissions of the executive branch of State government, including, but not limited to, State colleges and universities and their governing boards and all departments established by the Civil Administrative Code of Illinois.

"Disposal by sale, donation, or transfer" includes, but is not limited to, the sale, donation, or transfer of surplus electronic data processing equipment to other agencies, schools, individuals, and not-for-profit agencies.

"Electronic data processing equipment" includes, but is not limited to, computer (CPU) mainframes, and any form of magnetic storage media.

"Authorized agency" means an agency authorized by the Department of Central Management Services to sell or transfer electronic data processing equipment under Sections 5010.1210 and 5010.1220 of Title 44 of the Illinois Administrative Code.

"Department" means the Department of Central Management Services.

"Overwrite" means the replacement of previously stored information with a pre-determined pattern of meaningless information.

Section 20. Establishment and implementation. The Data Security on State Computers Act is established to protect sensitive data stored on State-owned electronic data processing equipment to be (i) disposed of by sale, donation, or transfer or (ii) relinquished to a successor executive administration. This Act shall be administered by the Department or an authorized agency. The Department or an authorized agency shall implement a policy to mandate that all hard drives of surplus electronic data processing equipment be cleared of all data and software before being prepared for sale, donation, or transfer by (i) overwriting the previously stored data on a drive or a disk at least 10 times and (ii) certifying in writing that the overwriting process has been completed by providing the following information: (1) the serial number of the computer or other surplus electronic data processing equipment; (2) the name of the overwriting software used; and (3) the name, date, and signature of the person performing the overwriting process. The head of each State agency shall establish a system for the protection and preservation of State data on State-owned electronic data processing equipment necessary for the continuity of government functions upon it being relinquished to a successor executive administration.

Section 99. Effective date. This Act takes effect upon becoming law.".