(20 ILCS 450/1) Sec. 1. Short title. This Act may be cited as the Data Security on State Computers Act. (Source: P.A. 93-306, eff. 7-23-03.)
(20 ILCS 450/5) Sec. 5. Findings. The General Assembly finds that: (a) The Massachusetts Institute of Technology, in a recent study, discovered that many companies and individuals are regularly selling or donating computer hard drives with sensitive information still on them, such as credit card numbers, bank and medical records, and personal e-mail. (b) Illinois currently has no law addressing data security and removal of data from surplus State-owned computers that are to be (i) disposed of by sale, donation, or transfer or (ii) relinquished to a successor executive administration. (c) In order to ensure the protection of sensitive information relating to the State and its citizens, it is necessary to implement policies to (i) overwrite all hard drives of surplus State-owned electronic data processing equipment that are to be sold, donated, or transferred and (ii) preserve the data on State-owned electronic data processing equipment that is to be relinquished to a successor executive administration for the continuity of government functions. (Source: P.A. 93-306, eff. 7-23-03.)
(20 ILCS 450/10) Sec. 10. Purpose. The purpose of this Act is to (i) require the Department of Central Management Services or any other authorized agency that disposes of surplus electronic data processing equipment by sale, donation, or transfer to implement a policy mandating that computer hardware be cleared of all data and software before disposal by sale, donation, or transfer and (ii) require the head of each Agency to establish a system for the protection and preservation of State data on State-owned electronic data processing equipment necessary for the continuity of government functions upon relinquishment of the equipment to a successor executive administration. (Source: P.A. 93-306, eff. 7-23-03.)
(20 ILCS 450/15) Sec. 15. Definitions. As used in this Act: "Agency" means all parts, boards, and commissions of the executive branch of State government, other than public universities or their governing boards, including, but not limited to, all departments established by the Civil Administrative Code of Illinois. "Disposal by sale, donation, or transfer" includes, but is not limited to, the sale, donation, or transfer of surplus electronic data processing equipment to other agencies, schools, individuals, and not-for-profit agencies. "Electronic data processing equipment" includes, but is not limited to, computer (CPU) mainframes, and any form of magnetic storage media. "Authorized agency" means an agency authorized by the Department of Central Management Services to sell or transfer electronic data processing equipment under Sections 5010.1210 and 5010.1220 of Title 44 of the Illinois Administrative Code. "Department" means the Department of Central Management Services. "Overwrite" means the replacement of previously stored information with a pre-determined pattern of meaningless information. (Source: P.A. 96-45, eff. 7-15-09.)
(20 ILCS 450/17) Sec. 17. Exemption from Act. This Act does not apply to the legislative branch of State government, the Office of the Lieutenant Governor, the Office of the Attorney General, the Office of the Secretary of State, the Office of the State Comptroller, or the Office of the State Treasurer. (Source: P.A. 96-45, eff. 7-15-09.)
(20 ILCS 450/20) Sec. 20. Establishment and implementation. The Data Security on State Computers Act is established to protect sensitive data stored on State-owned electronic data processing equipment to be (i) disposed of by sale, donation, or transfer or (ii) relinquished to a successor executive administration. This Act shall be administered by the Department or an authorized agency. The governing board of each public university in this State must implement and administer the provisions of this Act with respect to State-owned electronic data processing equipment utilized by the university. The Department or an authorized agency shall implement a policy to mandate that all hard drives of surplus electronic data processing equipment be erased, wiped, sanitized, or destroyed in a manner that prevents retrieval of sensitive data and software before being sold, donated, or transferred by (i) overwriting the previously stored data on a drive or a disk at least 3 times or physically destroying the hard drive and (ii) certifying in writing that the overwriting process has been completed by providing the following information: (1) the serial number of the computer or other surplus electronic data processing equipment; (2) the name of the overwriting software or physical destruction process used; and (3) the name, date, and signature of the person performing the overwriting or destruction process. The head of each State agency shall establish a system for the protection and preservation of State data on State-owned electronic data processing equipment necessary for the continuity of government functions upon it being relinquished to a successor executive administration. For purposes of this Act and any other State directive requiring the clearing of data and software from State-owned electronic data processing equipment prior to sale, donation, or transfer by the General Assembly or a public university in this State, the General Assembly or the governing board of the university shall have and maintain responsibility for the implementation and administration of the requirements for clearing State-owned electronic data processing equipment utilized by the General Assembly or the university. (Source: P.A. 96-45, eff. 7-15-09; 97-390, eff. 8-15-11.)
(20 ILCS 450/25) Sec. 25. Mandatory State employee training.(a) As used in this Section, "employee" has the meaning ascribed to it in Section 1-5 of the State Officials and Employees Ethics Act, but does not include an employee of the legislative branch, the judicial branch, a public university of the State, or a constitutional officer other than the Governor.(b) Every employee shall annually undergo training by the Department of Innovation and Technology concerning cybersecurity. The Department may, in its discretion, make the training an online course. The training shall include, but need not be limited to, detecting phishing scams, preventing spyware infections and identity theft, and preventing and responding to data breaches.(c) The Department of Innovation and Technology may adopt rules to implement the requirements of this Section. (Source: P.A. 100-40, eff. 1-1-18.)
(20 ILCS 450/50) Sec. 50. (Amendatory provisions; text omitted). (Source: P.A. 93-306, eff. 7-23-03; text omitted.)
(20 ILCS 450/99) Sec. 99. Effective date. This Act takes effect upon becoming law. (Source: P.A. 93-306, eff. 7-23-03.)