Stricken language would be deleted from and underlined language would be added to present law.
*ANS240* 03-14-2023 09:29:09 ANS240
State of Arkansas As Engrossed: H3/14/23 1
94th General Assembly A Bill 2
Regular Session, 2023 HOUSE BILL 1555 3
4
By: Representative S. Meeks 5
By: Senator J. English 6
7
For An Act To Be Entitled 8
AN ACT TO AMEND THE REQUIREMENTS FOR MEE TINGS TO 9
ADDRESS A CYBERSECUR ITY INCIDENT INVOLVI NG, OR A 10
CYBERATTACK ON, A PU BLIC ENTITY; TO CLAR IFY THAT 11
CERTAIN INTERNAL POL ICIES OR INTERNAL GU IDELINES 12
CONCERNING A CYBERSE CURITY INCIDENT INVO LVING, OR A 13
CYBERATTACK ON, A PUBLIC ENT ITY ARE NOT CONSIDER ED 14
RULES; TO ALLOW THE JOINT COMMITTEE ON A DVANCED 15
COMMUNICATIONS AND I NFORMATION TECHNOLOG Y TO MEET IN 16
CLOSED MEETINGS ON M ATTERS CONCERNING A CYBERSECURITY 17
INCIDENT INVOLVING, OR A CYBERATTACK ON, A PUBLIC 18
ENTITY; AND FOR OTHER PURPOS ES. 19
20
21
Subtitle 22
TO REGULATE MEETINGS, INTERNAL POLICIES 23
AND GUIDELINES, AND REPORTS TO ADDRESS A 24
CYBERSECURITY INCIDENT INVOLVING, OR A 25
CYBERATTACK ON, A PUBLIC ENTITY. 26
27
28
BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF ARKANSAS: 29
30
SECTION 1. Arkansas Code § 10 -3-309(b)(1)(B), concerning the 31
definition of "rule" used for review and approval of state agency rules, is 32
amended to add an additional subdivision to read as follows: 33
(v) An internal policy or the intern al guidelines of 34
a state agency related to a cybersecurity incident involving, or a 35
cyberattack on, a state agency. 36 As Engrossed: H3/14/23 HB1555
2 03-14-2023 09:29:09 ANS240
1
SECTION 2. Arkansas Code Title 10, Chapter 3, Subchapter 17, is 2
amended to add an additional section to read as follows: 3
10-3-1708. Joint Committee on Advanced Communications and Information 4
Technology — Cybersecurity incidents and cyberattacks — Meetings in executive 5
session — Definitions. 6
(a) As used in this section: 7
(1) "County" means any county of this state; 8
(2) "Municipality" means: 9
(A) A city of the first class; 10
(B) A city of the second class; or 11
(C) An incorporated town; 12
(3) "Public entity" means: 13
(A) A county; 14
(B) A municipality; 15
(C) A school district; or 16
(D) The state; and 17
(4) "School district" means a school district or open enrollment 18
public charter school in this state. 19
(b)(1) The meetings of the Joint Committee on Advanced Communications 20
and Information Technology to review a cybersecurity incident involving, or a 21
cyberattack on, a public entity are closed and are exempt from public 22
observance under the Freedom of Information Act of 1967, § 25 -19-101 et seq. 23
(2) Any member of the General Assembly may attend the closed 24
hearing under subdivision (b)(1) of this section of the Joint Co mmittee on 25
Advanced Communications and Information Technology. 26
(3) An individual may attend a closed hearing under subdivision 27
(b)(1) of this section at the invitation of either of the cochairs of the 28
Joint Committee on Advanced Communications and Infor mation Technology. 29
(4) The Joint Committee on Advanced Communications and 30
Information Technology shall not disclose any information concerning an 31
internal policy or the internal guidelines established to address a 32
cybersecurity incident involving, or a cyberattack on, a public entity. 33
(5) If the Joint Committee on Advanced Communications and 34
Information Technology meets in a closed meeting under subdivision (b)(1) of 35
this section, the Joint Committee on Advanced Communications and Information 36 As Engrossed: H3/14/23 HB1555
3 03-14-2023 09:29:09 ANS240
Technology may discuss only a cybersecurity incident involving, or 1
cyberattack on, a public entity or any cybersecurity policy. 2
(c)(1) An internal policy or the internal guidelines that are 3
established concerning a cybersecurity incident involving, or a cyberattack 4
on, a public entity is: 5
(A) Confidential; and 6
(B) Exempt from the Freedom of Information Act of 1967, § 7
25-19-101 et seq. 8
(2) An internal policy or the internal guidelines of a public 9
entity established to address a cybersecurity incident involving, or a 10
cyberattack on, a public entity are not considered a rule under § 10 -3-309 or 11
the Arkansas Administrative Procedure Act, § 25 -15-201 et seq. 12
13
SECTION 3. Arkansas Code § 25 -15-202(9)(B), concerning the definition 14
of "rule" under the Arkansas Administrative Procedure Act, is amended to add 15
an additional subdivision to read as follows: 16
(viii) An internal policy or the internal guidelines 17
of a state agency related to a cybersecurity incident involving, or a 18
cyberattack on, a stat e agency. 19
20
/s/S. Meeks 21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36