(20 ILCS 450/1)
Sec. 1. Short title. This Act may be cited as the Data Security on State Computers Act.
(Source: P.A. 93-306, eff. 7-23-03.)
(20 ILCS 450/5)
Sec. 5. Findings. The General Assembly finds that:
(a) The Massachusetts Institute of Technology, in a recent study, discovered that many companies and individuals are regularly selling or donating computer hard drives with sensitive information still on them, such as credit card numbers, bank and medical records, and personal e-mail.
(b) Illinois currently has no law addressing data security and removal of data from surplus State-owned computers that are to be (i) disposed of by sale, donation, or transfer or (ii) relinquished to a successor executive administration.
(c) In order to ensure the protection of sensitive information relating to the State and its citizens, it is necessary to implement policies to (i) overwrite all hard drives of surplus State-owned electronic data processing equipment that are to be sold, donated, or transferred and (ii) preserve the data on State-owned electronic data processing equipment that is to be relinquished to a successor executive administration for the continuity of government functions.
(Source: P.A. 93-306, eff. 7-23-03.)
(20 ILCS 450/10)
Sec. 10. Purpose. The purpose of this Act is to (i) require the Department of Central Management Services or any other authorized agency that disposes of surplus electronic data processing equipment by sale, donation, or transfer to implement a policy mandating that computer hardware be cleared of all data and software before disposal by sale, donation, or transfer and (ii) require the head of each Agency to establish a system for the protection and preservation of State data on State-owned electronic data processing equipment necessary for the continuity of government functions upon relinquishment of the equipment to a successor executive administration.
(Source: P.A. 93-306, eff. 7-23-03.)
(20 ILCS 450/15)
Sec. 15. Definitions. As used in this Act:
"Agency" means all parts, boards, and commissions of the executive branch of State government, other than public universities or their governing boards, including, but not limited to, all departments established by the Civil Administrative Code of Illinois.
"Disposal by sale, donation, or transfer" includes, but is not limited to, the sale, donation, or transfer of surplus electronic data processing equipment to other agencies, schools, individuals, and not-for-profit agencies.
"Electronic data processing equipment" includes, but is not limited to, computer (CPU) mainframes, and any form of magnetic storage media.
"Authorized agency" means an agency authorized by the Department of Central Management Services to sell or transfer electronic data processing equipment under Sections 5010.1210 and 5010.1220 of Title 44 of the Illinois Administrative Code.
"Department" means the Department of Central Management Services.
"Overwrite" means the replacement of previously stored information with a pre-determined pattern of meaningless information.
(Source: P.A. 96-45, eff. 7-15-09.)
(20 ILCS 450/17) Sec. 17. Exemption from Act. This Act does not apply to the legislative branch of State government, the Office of the Lieutenant Governor, the Office of the Attorney General, the Office of the Secretary of State, the Office of the State Comptroller, or the Office of the State Treasurer.
(Source: P.A. 96-45, eff. 7-15-09.)
(20 ILCS 450/20)
Sec. 20. Establishment and implementation. The Data Security on State Computers Act is established to protect sensitive data stored on State-owned electronic data processing equipment to be (i) disposed of by sale, donation, or transfer or (ii) relinquished to a successor executive administration. This Act shall be administered by the Department or an authorized agency. The governing board of each public university in this State must implement and administer the provisions of this Act with respect to State-owned electronic data processing equipment utilized by the university. The Department or an authorized agency shall implement a policy to mandate that all hard drives of surplus electronic data processing equipment be erased, wiped, sanitized, or destroyed in a manner that prevents retrieval of sensitive data and software before being sold, donated, or transferred by (i) overwriting the previously stored data on a drive or a disk at least 3 times or physically destroying the hard drive and (ii) certifying in writing that the overwriting process has been completed by providing the following information: (1) the serial number of the computer or other surplus electronic data processing equipment; (2) the name of the overwriting software or physical destruction process used; and (3) the name, date, and signature of the person performing the overwriting or destruction process.
The head of each State agency shall establish a system for the protection and preservation of State data on State-owned electronic data processing equipment necessary for the continuity of government functions upon it being relinquished to a successor executive administration.
For purposes of this Act and any other State directive requiring the clearing of data and software from State-owned electronic data processing equipment prior to sale, donation, or transfer by the General Assembly or a public university in this State, the General Assembly or the governing board of the university shall have and maintain responsibility for the implementation and administration of the requirements for clearing State-owned electronic data processing equipment utilized by the General Assembly or the university.
(Source: P.A. 96-45, eff. 7-15-09; 97-390, eff. 8-15-11.)
(20 ILCS 450/25)
Sec. 25. Mandatory State employee training.
(a) As used in this Section, "employee" has the meaning ascribed to it in Section 1-5 of the State Officials and Employees Ethics Act, but does not include an employee of the legislative branch, the judicial branch, a public university of the State, or a constitutional officer other than the Governor.
(b) Every employee shall annually undergo training by the Department of Innovation and Technology concerning cybersecurity. The Department may, in its discretion, make the training an online course. The training shall include, but need not be limited to, detecting phishing scams, preventing spyware infections and identity theft, and preventing and responding to data breaches.
(c) The Department of Innovation and Technology may adopt rules to implement the requirements of this Section.
(Source: P.A. 100-40, eff. 1-1-18.)
(20 ILCS 450/50)
Sec. 50. (Amendatory provisions; text omitted).
(Source: P.A. 93-306, eff. 7-23-03; text omitted.)
(20 ILCS 450/99)
Sec. 99. Effective date. This Act takes effect upon becoming law.
(Source: P.A. 93-306, eff. 7-23-03.)