Regular Session 2021-2022 Senate Bill 1018 P.N. 1331

PRINTER'S NO. 1331

THE GENERAL ASSEMBLY OF PENNSYLVANIA

SENATE BILL

No.

1018

Session of

2022

INTRODUCED BY AUMENT, YAW, MARTIN, ARGALL, BARTOLOTTA, ROBINSON,

J. WARD, SCAVELLO, REGAN, BROOKS, PITTMAN, STEFANO, MASTRIANO

AND PHILLIPS-HILL, JANUARY 20, 2022

REFERRED TO STATE GOVERNMENT, JANUARY 20, 2022

AN ACT

Amending Title 25 (Elections) of the Pennsylvania Consolidated

Statutes, in registration system, providing for updating the

SURE system; and making inconsistent repeals.

The General Assembly of the Commonwealth of Pennsylvania

hereby enacts as follows:

Section 1. Title 25 of the Pennsylvania Consolidated

Statutes is amended by adding a section to read:

§ 1224. Updating the SURE system.

(a) Creation of new system.--The department shall begin the

process for replacing the current SURE system. The new system

shall incorporate all of the following improvements:

(1) Automated processes, including a hard stop, to

prevent the inclusion of duplicate driver's license numbers.

(2) Automated processes in the replacement system for

SURE to prevent the recording of obviously inaccurate date of

births and voter registration dates.

(3) Current leading security features.

(b) Changes for new and existing system.--The department

shall incorporate the following information technology

enhancements into the design of the replacement SURE system

and implement some or all of the following enhancements into

the current SURE system:

(1) A Geographic Information System feature and related

enhancements that would check addresses to:

(i) Ensure the address is within the county

identified on the application.

(ii) Ensure that electronic applications are

forwarded to the correct county for processing.

(iii) In the case of paper applications, ensure that

county staff can be immediately alerted if the address

posted to SURE is not within the county listed on the

application.

(2) An edit check that would alert or prevent county

staff from approving applications that have non-Pennsylvania

states or zip codes within the residential addresses.

(3) A read-only feature for certain data fields that

typically do not change, including date of birth, driver's

license number and Social Security number to prevent

unintended edits. These fields may be edited only by

designated management staff along with documenting the reason

for the edit.

(4) A hard-stop feature in the SURE system that would

prevent county staff from canceling voter records using

unallowable codes within 90 days of an election.

(5) A declination notice to be automatically generated

and mailed to individuals that are not currently registered

to vote but submit a change of address request for their

voter registration record. This will assist in notifying

20220SB1018PN1331 - 2 -

those individuals that they are not registered to vote.

(6) The ability for department and county staff to build

and run their own reports.

updates to the SURE system:

(1) Require the provision of specific policies and

direction from Federal authorities supporting the

department's position in the event that the secretary

believes the department cannot provide information due to

security concerns.

(2) Evaluate the lists of voter registration records

with the same driver's license numbers and potential

duplicate cases provided by the Department of the Auditor

General and work with the county election offices to

investigate and eliminate the specific duplicate information

identified during the audit.

(3) Perform additional data analysis and cleansing

procedures and work with the counties to remove duplicate and

incorrect data from the SURE system before migration into the

replacement system for SURE.

(4) Evaluate and update, as needed, the instructions

provided to the counties in the SURE job aids to ensure the

instructions provide adequate guidance on how to check for

duplicates in the SURE system or the replacement system for

SURE.

(5) Work with the Department of Health to ensure the

process is working properly regarding forwarding death

records to the department with all relevant, appropriate and

corrected information so that counties can evaluate the

information and cancel the voter registrations of deceased

20220SB1018PN1331 - 3 -

individuals.

(6) Ensure agreements with other agencies include

requirements that vendors comply with all Commonwealth

security policies and that the agencies update vendor

contracts to include the most recent Department of General

Services Information Technology's Contracts Terms and

Conditions policy for security, confidentiality and audit

provisions.

(7) Implement the security guidelines issued by the

United States Department of Homeland Security, Cybersecurity

and Infrastructure Security Agency in May 2019, entitled Best

Practices for Securing Election Systems.

(8) Monitor vendors through a documented process that

complies with Management Directive 325.13, Service

Organization Controls, including documented reviews of

service organization control reports.

(9) Collaborate with the Department of Transportation

and Governor's Office of Administration, Office for

Information Technology, to identify key contacts at each

agency and delivery center who would provide oversight and

evaluation of each service organization's internal controls.

Specific consideration should be given to the following:

(i) Timely reviewing Service Organization Controls

reports and documenting the assessment of the review.

(ii) Reviewing Service Organization Controls reports

for noted exceptions that may affect department processes

and follow up with the vendor's corrective action plans.

(iii) Reviewing Service Organization Controls

reports' complementary user entity controls to ensure

those controls are in place and operating effectively at

20220SB1018PN1331 - 4 -

agencies or applicable sub-service organizations.

(iv) Ensuring Service Organization Controls report

results are communicated to all affected agencies and

escalation procedures exist when the report includes

control objective exceptions, testing deviations or a

qualified opinion.

(10) Update the SURE equipment use policy to address the

risk of counties connecting county-owned equipment to the

SURE system or deviating from the preferred architectural

model.

(11) Ensure that all county users, including county

administrators and vendors, review and sign an updated

version of the SURE equipment use policy.

(12) Correct the reference to the SURE user and

equipment policy on the SURE user ID request form to

eliminate confusion as to policy requirements applicable to

county users of the SURE system.

(13) Create a master list of all SURE system policies

applicable to the counties and the county's information

technology vendors, which clearly specifies the most recent

approved versions for each policy.

(14) Emphasize to the counties the vital need and

importance of having a second person review the data entered

into SURE to reduce data entry errors and increase the

accuracy of voter records.

(15) Request that legal counsel make a determination as

to whether the department can:

(i) Direct the counties to review pending

applications and reject them.

(ii) Establish a time period for requiring counties

20220SB1018PN1331 - 5 -

to process, or reject if applicable, all applications

placed into pending status.

(16) Instruct the counties to review the applications in

pending status to determine if another application for the

person has been approved which would then lead the county to

reject the initial application currently in pending status.

(17) Develop detailed written procedures, including

detailed processes to be performed and by whom, regarding the

department monitoring the activities of the counties to

ensure required processes are completed properly and timely.

(18) Instruct the counties that have not been updating

the status of voters from active to inactive, for those

voters who meet the criteria of an inactive voter, to perform

list maintenance and update voters' status as necessary. The

department shall determine the deadline for counties to

complete this update. A formal reminder shall be sent to each

county on the importance of the need to perform this type of

list maintenance.

(19) Instruct the counties that have not been canceling

the records of the inactive voters who meet the criteria for

cancellation to perform list maintenance and update voters'

status as necessary. The department shall determine the

deadline for counties to complete this update. A formal

reminder shall be sent to each county on the importance of

the need to perform this type of list maintenance.

(20) Utilize information available from the Electronic

Registration Information Center to assist in improving the

accuracy of voter registration records.

(21) Forward information for the four voting records

that contained non-Pennsylvania residential information to

20220SB1018PN1331 - 6 -

the applicable counties for follow up and possible

cancellation.

(22) Forward information for the 23 voting records that

appeared to contain inaccurate non-Pennsylvania residential

data to the specific counties to research or correct the

state name or zip code within SURE.

(23) Formally remind counties of the need to properly

code transactions when they cancel voter registrations as a

result of list maintenance in order to reduce the number of

cancellations with no reason code or incorrect reason codes.

(24) Continue to offer hands-on training on the SURE

system and ensure that each county is made aware of the

availability of this training.

(25) Update the applicable job aids as appropriate to

reflect changes in processes, including added steps for

identifying duplicate voters when processing applications or

linking a Department of Health death record with a registered

voter.

(26) Include an issued date on all job aids distributed

to the counties and an indexed list of all job aids readily

available on the department's publicly accessible Internet

website to provide a reference as to which version of a job

aid is the most current and the date of the revision.

(27) Provide guidance to the counties regarding the

maximum length of time that an application can remain in

pending status and how to appropriately determine whether the

application should be approved or rejected, if it is

determined that the department has the legal authority.

(d) Audits, studies and reviews.--The department shall

implement the following:

20220SB1018PN1331 - 7 -

(1) Require an annual independent audit of each part of

the SURE system, supporting architecture and connected

systems using a comprehensive framework of security standards

which includes a test of the information technology's general

controls, tests of cyber-security controls, vulnerability

assessments and penetration testing. The following shall

apply:

(i) Require that auditors have full and confidential

access to all information and documents.

(ii) Require sufficient and appropriate evidence to

back up assertions that the disclosure of certain

information to auditing agencies is legally impossible.

(iii) Require counties, the Department of

Transportation and other related agencies involved in

voter registration to cooperate with future audits.

(iv) Require results of audits be provided to those

in charge of the governance of the SURE system.

(2) After conducting cleansing procedures in preparation

for migrating to the replacement system for SURE, perform

periodic data analysis to ensure that duplicate records

created in error are identified and removed from SURE in a

timely manner.

(3) Evaluate the lists of voter records provided by DAG

with a date of birth listed in SURE as January 1, 1800,

January 1, 1900, or January 1, 1901, and who appear to be 100

years of age or older and instruct the counties to determine

the correct date of birth and ensure the record is still

valid and the voter is not deceased.

(4) Evaluate the lists of potentially deceased voters

provided by the Department of the Auditor General and

20220SB1018PN1331 - 8 -

instruct the counties to investigate and take appropriate

action to cancel deceased voters' records in SURE.

(5) Study the benefits of an additional periodic

comparison of the cumulative file of deaths received from the

Department of Health to records in SURE to identify any

voters that may have been missed during past reviews. The

department should consider performing the match using data

analysis techniques and provide matching records to the

counties for follow-up.

(6) Study the creation of an oversight body to regularly

meet about the SURE system consisting of members with SURE

system knowledge, relevant expertise and the appropriate

independence to perform oversight duties. The secretary may

appoint members who represent all key stakeholders of the

SURE system, including the counties and the Governor's Office

of Administration, Office for Information Technology.

(7) Study instituting the use of a form for counties to

request and receive approval from the department for

deviations from the approved network architectural model or

the use of county-owned equipment.

(8) Study supplementing the data analysis by contracting

with a third-party vendor to periodically perform analysis on

the data in SURE to identify potentially inaccurate or

missing data for the department or counties to investigate

and resolve.

(9) Study working with the Department of Transportation

to revise the voter registration process to ensure all

required voter registration information is obtained when an

individual requests to update an individual's voter

registration address.

20220SB1018PN1331 - 9 -

(10) Develop an effective audit trail for registration

applications received through the Electronic Registration

Information Center to enable either department or county

election staff to review and confirm the accuracy of

information in SURE to the original point of entry of

information by the registrant in accordance with the

following:

(i) (Reserved).

(ii) If the department is unable to implement this

policy electronically, the department should develop a

policy requiring county election staff to print out and

scan into SURE voter registration related documents that

are received through the Electronic Registration

Information Center and attach the documents to the

voter's record.

(11) Develop and issue a directive regarding records

retention for SURE and work with the Pennsylvania Historical

and Museum Commission to confirm that the County Records

Manual regarding election records is entirely uniform with

the SURE records retention directive to help ensure

consistency of records retention amongst all the counties.

The directive shall be in accordance with the following:

(i) The availability of source documentation for

purposes of evaluating accuracy of the voter registration

information by an external party must be considered.

(ii) The directive should be placed in a prominent

location on the department's publicly accessible Internet

website.

(iii) Require that the directive be sent at least

yearly to all county election offices.

20220SB1018PN1331 - 10 -

(12) Update the SURE regulations to ensure that the

records are in accordance with the newly developed and

distributed record retention policy and the updated

Pennsylvania Historical and Museum Commission's County

Records Manual.

Section 2. The department may promulgate rules and

regulations to administer and enforce this act.

Section 3. The following acts and parts of acts are repealed

insofar as they are inconsistent with this act:

(1) 25 Pa.C.S. § 1323(a)(1).

(2) 25 Pa.C.S. § 1328(c).

(3) 25 Pa.C.S. § 1401(c).

(4) 25 Pa.C.S. § 1402(b)(3).

(5) 25 Pa.C.S. § 1405(c).

(6) 25 Pa.C.S. § 1707.

(7) 25 Pa.C.S. § 1901(b)(1)(i).

Section 4. This act shall take effect in 60 days.

20220SB1018PN1331 - 11 -