Supplement: TX HB4944 | 2023-2024 | 88th Legislature | Fiscal Note (Introduced)

For additional supplements on Texas HB4944 please see the Bill Drafting List
Bill Title: Relating to public school cybersecurity controls, student data privacy protection, and requirements and technical assistance and cybersecurity risk assessments for public schools provided by the Department of Information Resources.

Status: 2023-05-09 - Committee report sent to Calendars [HB4944 Detail]

Download: Texas-2023-HB4944-Fiscal_Note_Introduced_.html
LEGISLATIVE BUDGET BOARD
Austin, Texas
 
FISCAL NOTE, 88TH LEGISLATIVE REGULAR SESSION
 
April 25, 2023

TO:
Honorable Brad Buckley, Chair, House Committee on Public Education
 
FROM:
Jerry McGinty, Director, Legislative Budget Board
 
IN RE:
HB4944 by Buckley (Relating to public school cybersecurity controls and requirements and technical assistance and cybersecurity risk assessments for public schools provided by the Department of Information Resources.), As Introduced


Estimated Two-year Net Impact to General Revenue Related Funds for HB4944, As Introduced : a negative impact of ($54,813,144) through the biennium ending August 31, 2025.

The bill would make no appropriation but could provide the legal basis for an appropriation of funds to implement the provisions of the bill.

General Revenue-Related Funds, Five- Year Impact:

Fiscal Year Probable Net Positive/(Negative) Impact to
General Revenue Related Funds
2024($31,583,441)
2025($23,229,703)
2026($149,957)
2027($149,957)
2028($149,957)

All Funds, Five-Year Impact:

Fiscal Year Probable Savings/(Cost) from
General Revenue Fund
1

Change in Number of State Employees from FY 2023
2024($31,583,441)2.0
2025($23,229,703)2.0
2026($149,957)1.0
2027($149,957)1.0
2028($149,957)1.0


Fiscal Analysis

The bill would assist districts with cybersecurity defense. The bill would require the commissioner of the Texas Education Agency (TEA) to adopt cybersecurity controls and requirements for districts. The bill would allow TEA to contract with a regional education service center (ESC), a private entity, or a regional network security center. The Department of Information Resources (DIR) would be allowed to provide technical support to districts to implement TEA's cybersecurity requirements. 

Methodology

This analysis assumes TEA would contract with permitted entities to assist in procurement and implementation of endpoint detection response (EDR) and network detection response (NDR) and to provide technical assistance to local education agencies (LEAs) at a cost of approximately $27.1 million in fiscal year 2024 and $18.9 million in fiscal year 2025. Additionally, TEA indicates that cybersecurity assessments for LEAs would incur a Capital Data Center Services fee of $4.3 million in fiscal year 2024 and $4.1 million in fiscal year 2025. 

Based on information provided by TEA, this analysis assumes that this funding would provide ESC cybersecurity specialist staffing, risk assessments for approximately half of the LEAs,  and allow for the purchase of EDR/NDR hardware and monitoring services for approximately half of the LEAs.

DIR indicates that costs associated with implementation of the bill would be able to be absorbed by the available resources of the Chief Information Security Office. 

This analysis assumes that 2.0 full-time-equivalent (FTE) staff would be required for implementation of the bill to adopt cybersecurity requirements and support implementation among LEAs. This analysis assumes the cost for these 2 FTEs would be approximately $0.2 million for fiscal years 2024 and 2025, including salaries benefits, and operating costs. For required updates to rules and requirements, this analysis assumes 1 FTE would be required at a total cost of approximately $150,000 per fiscal year beginning in 2026. 

Future updates to cybersecurity controls and requirements could result in significant additional costs after the 2024-25 biennium, but cannot be determined and are not included in assumptions for this analysis. 

Local Government Impact

Districts would be required to implement cybersecurity controls and requirements adopted by the commissioner. While the cost to districts would be significant, they cannot be determined. TEA indicates that implementation costs for some LEAs would be funded through the agency at a minimal fiscal impact locally. 


Source Agencies:
313 Department of Information Resources, 575 Texas Division of Emergency Management, 701 Texas Education Agency, 710 Texas A&M University System Administrative and General Offices, 768 Texas Tech University System Administration
LBB Staff:
JMc, ASA, ENA, CMA
feedback