| |||||||
| |||||||
| |||||||
| 1 | AN ACT concerning State government.
| ||||||
| 2 | Be it enacted by the People of the State of Illinois,
| ||||||
| 3 | represented in the General Assembly:
| ||||||
| 4 | Section 5. The Data Security on State Computers Act is | ||||||
| 5 | amended by changing Section 20 as follows:
| ||||||
| 6 | (20 ILCS 450/20)
| ||||||
| 7 | Sec. 20. Establishment and implementation. The Data | ||||||
| 8 | Security on
State Computers Act is established to protect | ||||||
| 9 | sensitive data stored on
State-owned electronic data | ||||||
| 10 | processing equipment to be (i) disposed of by
sale, donation, | ||||||
| 11 | or
transfer or (ii) relinquished to a successor executive | ||||||
| 12 | administration. This Act
shall be administered by the | ||||||
| 13 | Department or an authorized
agency. The governing board of each | ||||||
| 14 | public university in this State must implement and administer | ||||||
| 15 | the provisions of this Act with respect to State-owned | ||||||
| 16 | electronic data processing equipment utilized by the | ||||||
| 17 | university. The Department or an authorized agency shall
| ||||||
| 18 | implement a policy
to mandate that all hard drives of surplus | ||||||
| 19 | electronic data processing equipment
be erased, wiped, | ||||||
| 20 | sanitized, or destroyed in a manner that prevents retrieval of | ||||||
| 21 | sensitive cleared of all data and software before being sold, | ||||||
| 22 | donated, or transferred prepared for sale, donation,
or | ||||||
| 23 | transfer
by
(i) overwriting the previously stored data on a | ||||||
| |||||||
| |||||||
| 1 | drive or a disk at least 3 10
times
or physically destroying | ||||||
| 2 | the hard drive and (ii)
certifying in writing that the | ||||||
| 3 | overwriting process has been completed by
providing
the | ||||||
| 4 | following information: (1) the serial number of the computer or | ||||||
| 5 | other
surplus
electronic data processing equipment; (2) the | ||||||
| 6 | name of the overwriting software or physical destruction | ||||||
| 7 | process
used; and (3) the name, date, and signature of the | ||||||
| 8 | person performing the
overwriting or destruction process.
The | ||||||
| 9 | head of each State agency shall
establish a system for the | ||||||
| 10 | protection and preservation of State
data on State-owned | ||||||
| 11 | electronic data processing equipment necessary for the
| ||||||
| 12 | continuity of
government functions upon it being relinquished | ||||||
| 13 | to a successor executive
administration.
| ||||||
| 14 | For purposes of this Act and any other State directive | ||||||
| 15 | requiring the clearing of data and software from State-owned | ||||||
| 16 | electronic data processing equipment prior to sale, donation, | ||||||
| 17 | or transfer by the General Assembly or a public university in | ||||||
| 18 | this State, the General Assembly or the governing board of the | ||||||
| 19 | university shall have and maintain responsibility for the | ||||||
| 20 | implementation and administration of the requirements for | ||||||
| 21 | clearing State-owned electronic data processing equipment | ||||||
| 22 | utilized by the General Assembly or the university. | ||||||
| 23 | (Source: P.A. 96-45, eff. 7-15-09.)
| ||||||
| 24 | Section 99. Effective date. This Act takes effect upon | ||||||
| 25 | becoming law.
| ||||||