Bill Text: TX SB64 | 2019-2020 | 86th Legislature | Enrolled
Bill Title: Relating to cybersecurity for information resources.
Sponsorship: Partisan Bill (Republican 2)
Status: (Passed) 2019-06-07 - Effective on 9/1/19 [SB64 Detail]
Download: Texas-2019-SB64-Enrolled.html
| S.B. No. 64 | ||
|
|
||
| relating to cybersecurity for information resources. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Subchapter C, Chapter 61, Education Code, is | ||
| amended by adding Sections 61.09091 and 61.09092 to read as | ||
| follows: | ||
| Sec. 61.09091. STRATEGIES TO INCENTIVIZE CYBERSECURITY | ||
| DEGREE PROGRAMS. (a) The board in collaboration with the | ||
| Department of Information Resources shall identify and develop | ||
| strategies to incentivize institutions of higher education to | ||
| develop degree programs in cybersecurity. | ||
| (b) The board shall consult with institutions of higher | ||
| education as necessary to carry out its duties under this section. | ||
| (c) Not later than September 1, 2020, the board shall submit | ||
| a written report detailing the strategies identified under this | ||
| section to the lieutenant governor, the speaker of the house of | ||
| representatives, the presiding officer of each legislative | ||
| standing committee with primary jurisdiction over higher | ||
| education, and each governing board of an institution of higher | ||
| education. | ||
| (d) This section expires September 1, 2021. | ||
| Sec. 61.09092. COORDINATION OF CYBERSECURITY COURSEWORK | ||
| DEVELOPMENT. (a) In this section, "lower-division institution of | ||
| higher education" means a public junior college, public state | ||
| college, or public technical institute. | ||
| (b) The board, in consultation with the Department of | ||
| Information Resources, shall coordinate with lower-division | ||
| institutions of higher education and entities that administer or | ||
| award postsecondary industry certifications or other workforce | ||
| credentials in cybersecurity to develop certificate programs or | ||
| other courses of instruction leading toward those certifications or | ||
| credentials that may be offered by lower-division institutions of | ||
| higher education. | ||
| (c) The board may adopt rules as necessary for the | ||
| administration of this section. | ||
| SECTION 2. Section 418.004(1), Government Code, is amended | ||
| to read as follows: | ||
| (1) "Disaster" means the occurrence or imminent threat | ||
| of widespread or severe damage, injury, or loss of life or property | ||
| resulting from any natural or man-made cause, including fire, | ||
| flood, earthquake, wind, storm, wave action, oil spill or other | ||
| water contamination, volcanic activity, epidemic, air | ||
| contamination, blight, drought, infestation, explosion, riot, | ||
| hostile military or paramilitary action, extreme heat, | ||
| cybersecurity event, other public calamity requiring emergency | ||
| action, or energy emergency. | ||
| SECTION 3. Subchapter F, Chapter 437, Government Code, is | ||
| amended by adding Section 437.255 to read as follows: | ||
| Sec. 437.255. ASSISTING TEXAS STATE GUARD WITH CYBER | ||
| OPERATIONS. To serve the state and safeguard the public from | ||
| malicious cyber activity, the governor may command the Texas | ||
| National Guard to assist the Texas State Guard with defending the | ||
| state's cyber operations. | ||
| SECTION 4. The heading to Section 656.047, Government Code, | ||
| is amended to read as follows: | ||
| Sec. 656.047. PAYMENT OF PROGRAM AND CERTIFICATION | ||
| EXAMINATION EXPENSES. | ||
| SECTION 5. Section 656.047, Government Code, is amended by | ||
| adding Subsection (a-1) to read as follows: | ||
| (a-1) A state agency may spend public funds as appropriate | ||
| to reimburse a state agency employee or administrator who serves in | ||
| an information technology, cybersecurity, or other cyber-related | ||
| position for fees associated with industry-recognized | ||
| certification examinations. | ||
| SECTION 6. Section 815.103, Government Code, is amended by | ||
| adding Subsection (g) to read as follows: | ||
| (g) The retirement system shall comply with cybersecurity | ||
| and information security standards established by the Department of | ||
| Information Resources under Chapter 2054. | ||
| SECTION 7. Section 825.103, Government Code, is amended by | ||
| amending Subsection (e) and adding Subsection (e-1) to read as | ||
| follows: | ||
| (e) Except as provided by Subsection (e-1), Chapters 2054 | ||
| and 2055 do not apply to the retirement system. The board of | ||
| trustees shall control all aspects of information technology and | ||
| associated resources relating to the retirement system, including | ||
| computer, data management, and telecommunication operations, | ||
| procurement of hardware, software, and middleware, and | ||
| telecommunication equipment and systems, location, operation, and | ||
| replacement of computers, computer systems, and telecommunication | ||
| systems, data processing, security, disaster recovery, and | ||
| storage. The Department of Information Resources shall assist the | ||
| retirement system at the request of the retirement system, and the | ||
| retirement system may use any service that is available through | ||
| that department. | ||
| (e-1) The retirement system shall comply with cybersecurity | ||
| and information security standards established by the Department of | ||
| Information Resources under Chapter 2054. | ||
| SECTION 8. Section 2054.0075, Government Code, is amended | ||
| to read as follows: | ||
| Sec. 2054.0075. EXCEPTION: PUBLIC JUNIOR COLLEGE. This | ||
| chapter does not apply to a public junior college or a public junior | ||
| college district, except as necessary to comply with information | ||
| security standards and for participation in shared technology | ||
| services, including the electronic government project implemented | ||
| under Subchapter I and statewide technology centers under | ||
| Subchapter L [ |
||
| SECTION 9. Section 2054.0591(a), Government Code, is | ||
| amended to read as follows: | ||
| (a) Not later than November 15 of each even-numbered year, | ||
| the department shall submit to the governor, the lieutenant | ||
| governor, the speaker of the house of representatives, and the | ||
| standing committee of each house of the legislature with primary | ||
| jurisdiction over state government operations a report identifying | ||
| preventive and recovery efforts the state can undertake to improve | ||
| cybersecurity in this state. The report must include: | ||
| (1) an assessment of the resources available to | ||
| address the operational and financial impacts of a cybersecurity | ||
| event; | ||
| (2) a review of existing statutes regarding | ||
| cybersecurity and information resources technologies; | ||
| (3) recommendations for legislative action to | ||
| increase the state's cybersecurity and protect against adverse | ||
| impacts from a cybersecurity event; and | ||
| (4) an evaluation of a program that provides an | ||
| information security officer to assist small state agencies and | ||
| local governments that are unable to justify hiring a full-time | ||
| information security officer [ |
||
|
|
||
| [ |
||
|
|
||
| SECTION 10. Section 2054.0594, Government Code, is amended | ||
| to read as follows: | ||
| Sec. 2054.0594. INFORMATION SHARING AND ANALYSIS | ||
| ORGANIZATION [ |
||
| information sharing and analysis organization [ |
||
| forum for state agencies, local governments, public and private | ||
| institutions of higher education, and the private sector to share | ||
| information regarding cybersecurity threats, best practices, and | ||
| remediation strategies. | ||
| (b) [ |
||
|
|
||
|
|
||
| [ |
||
|
|
||
| shall provide administrative support to the information sharing and | ||
| analysis organization [ |
||
| (c) A participant in the information sharing and analysis | ||
| organization shall assert any exception available under state or | ||
| federal law, including Section 552.139, in response to a request | ||
| for public disclosure of information shared through the | ||
| organization. Section 552.007 does not apply to information | ||
| described by this subsection. | ||
| SECTION 11. Section 2054.068(e), Government Code, is | ||
| amended to read as follows: | ||
| (e) The consolidated report required by Subsection (d) | ||
| must: | ||
| (1) include an analysis and assessment of each state | ||
| agency's security and operational risks; and | ||
| (2) for a state agency found to be at higher security | ||
| and operational risks, include a detailed analysis of agency | ||
| efforts to address the risks and related vulnerabilities[ |
||
|
|
||
| [ |
||
|
|
||
| [ |
||
|
|
||
| [ |
||
|
|
||
| [ |
||
| [ |
||
|
|
||
| SECTION 12. Subchapter C, Chapter 2054, Government Code, is | ||
| amended by adding Section 2054.069 to read as follows: | ||
| Sec. 2054.069. PRIORITIZED CYBERSECURITY AND LEGACY SYSTEM | ||
| PROJECTS REPORT. (a) Not later than October 1 of each | ||
| even-numbered year, the department shall submit a report to the | ||
| Legislative Budget Board that prioritizes, for the purpose of | ||
| receiving funding, state agency: | ||
| (1) cybersecurity projects; and | ||
| (2) projects to modernize or replace legacy systems, | ||
| as defined by Section 2054.571. | ||
| (b) Each state agency shall coordinate with the department | ||
| to implement this section. | ||
| (c) A state agency shall assert any exception available | ||
| under state or federal law, including Section 552.139, in response | ||
| to a request for public disclosure of information contained in or | ||
| written, produced, collected, assembled, or maintained in | ||
| connection with the report under Subsection (a). Section 552.007 | ||
| does not apply to information described by this subsection. | ||
| SECTION 13. Sections 2054.077(b) and (d), Government Code, | ||
| are amended to read as follows: | ||
| (b) The information security officer [ |
||
| a state agency shall prepare or have prepared a report, including an | ||
| executive summary of the findings of the biennial report, not later | ||
| than October 15 of each even-numbered year, assessing the extent to | ||
| which a computer, a computer program, a computer network, a | ||
| computer system, a printer, an interface to a computer system, | ||
| including mobile and peripheral devices, computer software, or data | ||
| processing of the agency or of a contractor of the agency is | ||
| vulnerable to unauthorized access or harm, including the extent to | ||
| which the agency's or contractor's electronically stored | ||
| information is vulnerable to alteration, damage, erasure, or | ||
| inappropriate use. | ||
| (d) The information security officer [ |
||
| shall provide an electronic copy of the vulnerability report on its | ||
| completion to: | ||
| (1) the department; | ||
| (2) the state auditor; | ||
| (3) the agency's executive director; | ||
| (4) the agency's designated information resources | ||
| manager; and | ||
| (5) [ |
||
| oversight group specifically authorized by the legislature to | ||
| receive the report. | ||
| SECTION 14. Section 2054.1125, Government Code, is amended | ||
| by amending Subsection (b) and adding Subsection (c) to read as | ||
| follows: | ||
| (b) A state agency that owns, licenses, or maintains | ||
| computerized data that includes sensitive personal information, | ||
| confidential information, or information the disclosure of which is | ||
| regulated by law shall, in the event of a breach or suspected breach | ||
| of system security or an unauthorized exposure of that information: | ||
| (1) comply with the notification requirements of | ||
| Section 521.053, Business & Commerce Code, to the same extent as a | ||
| person who conducts business in this state; and | ||
| (2) not later than 48 hours after the discovery of the | ||
| breach, suspected breach, or unauthorized exposure, notify: | ||
| (A) the department, including the chief | ||
| information security officer [ |
||
|
|
||
| (B) if the breach, suspected breach, or | ||
| unauthorized exposure involves election data, the secretary of | ||
| state. | ||
| (c) Not later than the 10th business day after the date of | ||
| the eradication, closure, and recovery from a breach, suspected | ||
| breach, or unauthorized exposure, a state agency shall notify the | ||
| department, including the chief information security officer, of | ||
| the details of the event and include in the notification an analysis | ||
| of the cause of the event. | ||
| SECTION 15. Section 2054.133(e), Government Code, is | ||
| amended to read as follows: | ||
| (e) Each state agency shall include in the agency's | ||
| information security plan a written document that is signed by | ||
| [ |
||
| agency, the chief financial officer, and each executive manager | ||
| [ |
||
| have been made aware of the risks revealed during the preparation of | ||
| the agency's information security plan. | ||
| SECTION 16. Section 2054.516, Government Code, as added by | ||
| Chapters 683 (H.B. 8) and 955 (S.B. 1910), Acts of the 85th | ||
| Legislature, Regular Session, 2017, is reenacted and amended to | ||
| read as follows: | ||
| Sec. 2054.516. DATA SECURITY PLAN FOR ONLINE AND MOBILE | ||
| APPLICATIONS. (a) Each state agency[ |
||
|
|
||
| Internet website or mobile application that processes any sensitive | ||
| personal or personally identifiable information or confidential | ||
| information must: | ||
| (1) submit a biennial data security plan to the | ||
| department not later than October 15 of each even-numbered year to | ||
| establish planned beta testing for the website or application; and | ||
| (2) subject the website or application to a | ||
| vulnerability and penetration test and address any vulnerability | ||
| identified in the test. | ||
| (b) The department shall review each data security plan | ||
| submitted under Subsection (a) and make any recommendations for | ||
| changes to the plan to the state agency as soon as practicable after | ||
| the department reviews the plan. | ||
| SECTION 17. Subchapter N-1, Chapter 2054, Government Code, | ||
| is amended by adding Section 2054.519 to read as follows: | ||
| Sec. 2054.519. CYBERSTAR PROGRAM; CERTIFICATE OF APPROVAL. | ||
| (a) The state cybersecurity coordinator, in collaboration with | ||
| the cybersecurity council and public and private entities in this | ||
| state, shall develop best practices for cybersecurity that include: | ||
| (1) measureable, flexible, and voluntary | ||
| cybersecurity risk management programs for public and private | ||
| entities to adopt to prepare for and respond to cyber incidents that | ||
| compromise the confidentiality, integrity, and availability of the | ||
| entities' information systems; | ||
| (2) appropriate training and information for | ||
| employees or other individuals who are most responsible for | ||
| maintaining security of the entities' information systems; | ||
| (3) consistency with the National Institute of | ||
| Standards and Technology standards for cybersecurity; | ||
| (4) public service announcements to encourage | ||
| cybersecurity awareness; and | ||
| (5) coordination with local and state governmental | ||
| entities. | ||
| (b) The state cybersecurity coordinator shall establish a | ||
| cyberstar certificate program to recognize public and private | ||
| entities that implement the best practices for cybersecurity | ||
| developed in accordance with Subsection (a). The program must | ||
| allow a public or private entity to submit to the department a form | ||
| certifying that the entity has complied with the best practices and | ||
| the department to issue a certificate of approval to the entity. | ||
| The entity may include the certificate of approval in | ||
| advertisements and other public communications. | ||
| SECTION 18. Chapter 2054, Government Code, is amended by | ||
| adding Subchapter R to read as follows: | ||
| SUBCHAPTER R. INFORMATION RESOURCES OF GOVERNMENTAL ENTITIES | ||
| Sec. 2054.601. USE OF NEXT GENERATION TECHNOLOGY. Each | ||
| state agency and local government shall, in the administration of | ||
| the agency or local government, consider using next generation | ||
| technologies, including cryptocurrency, blockchain technology, and | ||
| artificial intelligence. | ||
| Sec. 2054.602. LIABILITY EXEMPTION. A person who in good | ||
| faith discloses to a state agency or other governmental entity | ||
| information regarding a potential security issue with respect to | ||
| the agency's or entity's information resources technologies is not | ||
| liable for any civil damages resulting from disclosing the | ||
| information unless the person stole, retained, or sold any data | ||
| obtained as a result of the security issue. | ||
| SECTION 19. Section 2059.058(b), Government Code, is | ||
| amended to read as follows: | ||
| (b) In addition to the department's duty to provide network | ||
| security services to state agencies under this chapter, the | ||
| department by agreement may provide network security to: | ||
| (1) each house of the legislature; | ||
| (2) an agency that is not a state agency, including a | ||
| legislative agency; | ||
| (3) a political subdivision of this state, including a | ||
| county, municipality, or special district; [ |
||
| (4) an independent organization, as defined by Section | ||
| 39.151, Utilities Code; and | ||
| (5) a public junior college. | ||
| SECTION 20. Section 1702.104, Occupations Code, is amended | ||
| by adding Subsection (c) to read as follows: | ||
| (c) The review and analysis of computer-based data for the | ||
| purpose of preparing for or responding to a cybersecurity event | ||
| does not constitute an investigation for purposes of this section | ||
| and does not require licensing under this chapter. | ||
| SECTION 21. Chapter 31, Utilities Code, is amended by | ||
| designating Sections 31.001 through 31.005 as Subchapter A and | ||
| adding a subchapter heading to read as follows: | ||
| SUBCHAPTER A. GENERAL PROVISIONS | ||
| SECTION 22. Chapter 31, Utilities Code, is amended by | ||
| adding Subchapter B to read as follows: | ||
| SUBCHAPTER B. CYBERSECURITY | ||
| Sec. 31.051. DEFINITION. In this subchapter, "utility" | ||
| means: | ||
| (1) an electric cooperative; | ||
| (2) an electric utility; | ||
| (3) a municipally owned electric utility; or | ||
| (4) a transmission and distribution utility. | ||
| Sec. 31.052. CYBERSECURITY COORDINATION PROGRAM FOR | ||
| UTILITIES. (a) The commission shall establish a program to | ||
| monitor cybersecurity efforts among utilities in this state. The | ||
| program shall: | ||
| (1) provide guidance on best practices in | ||
| cybersecurity and facilitate the sharing of cybersecurity | ||
| information between utilities; and | ||
| (2) provide guidance on best practices for | ||
| cybersecurity controls for supply chain risk management of | ||
| cybersecurity systems used by utilities, which may include, as | ||
| applicable, best practices related to: | ||
| (A) software integrity and authenticity; | ||
| (B) vendor risk management and procurement | ||
| controls, including notification by vendors of incidents related to | ||
| the vendor's products and services; and | ||
| (C) vendor remote access. | ||
| (b) The commission may collaborate with the state | ||
| cybersecurity coordinator and the cybersecurity council | ||
| established under Chapter 2054, Government Code, in implementing | ||
| the program. | ||
| SECTION 23. Section 39.151, Utilities Code, is amended by | ||
| adding Subsections (o) and (p) to read as follows: | ||
| (o) An independent organization certified by the commission | ||
| under this section shall: | ||
| (1) conduct internal cybersecurity risk assessment, | ||
| vulnerability testing, and employee training to the extent the | ||
| independent organization is not otherwise required to do so under | ||
| applicable state and federal cybersecurity and information | ||
| security laws; and | ||
| (2) submit a report annually to the commission on the | ||
| independent organization's compliance with applicable | ||
| cybersecurity and information security laws. | ||
| (p) Information submitted in a report under Subsection (o) | ||
| is confidential and not subject to disclosure under Chapter 552, | ||
| Government Code. | ||
| SECTION 24. Sections 2054.119, 2054.513, and 2054.517, | ||
| Government Code, are repealed. | ||
| SECTION 25. To the extent of any conflict, this Act prevails | ||
| over another Act of the 86th Legislature, Regular Session, 2019, | ||
| relating to nonsubstantive additions and corrections in enacted | ||
| codes. | ||
| SECTION 26. This Act takes effect September 1, 2019. | ||
| ______________________________ | ______________________________ | |
| President of the Senate | Speaker of the House | |
| I hereby certify that S.B. No. 64 passed the Senate on | ||
| April 26, 2019, by the following vote: Yeas 30, Nays 0; and that | ||
| the Senate concurred in House amendments on May 24, 2019, by the | ||
| following vote: Yeas 31, Nays 0. | ||
| ______________________________ | ||
| Secretary of the Senate | ||
| I hereby certify that S.B. No. 64 passed the House, with | ||
| amendments, on May 22, 2019, by the following vote: Yeas 142, | ||
| Nays 1, two present not voting. | ||
| ______________________________ | ||
| Chief Clerk of the House | ||
| Approved: | ||
| ______________________________ | ||
| Date | ||
| ______________________________ | ||
| Governor | ||
