Arkansas 2023 Regular Session

Arkansas House Bill HB1555 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1	1		Stricken language would be deleted from and underlined language would be added to present law.
2		-	Act 510 of the Regular Session
3	2		ANS240 03-14-2023 09:29:09 ANS240
4	3
5	4		State of Arkansas As Engrossed: H3/14/23 1
6	5		94th General Assembly A Bill 2
7	6		Regular Session, 2023 HOUSE BILL 1555 3
8	7		4
9	8		By: Representative S. Meeks 5
10	9		By: Senator J. English 6
11	10		7
12	11		For An Act To Be Entitled 8
13	12		AN ACT TO AMEND THE REQUIREMENTS FOR MEE TINGS TO 9
14	13		ADDRESS A CYBERSECUR ITY INCIDENT INVOLVI NG, OR A 10
15	14		CYBERATTACK ON, A PU BLIC ENTITY; TO CLAR IFY THAT 11
16	15		CERTAIN INTERNAL POL ICIES OR INTERNAL GU IDELINES 12
17	16		CONCERNING A CYBERSE CURITY INCIDENT INVO LVING, OR A 13
18	17		CYBERATTACK ON, A PUBLIC ENT ITY ARE NOT CONSIDER ED 14
19	18		RULES; TO ALLOW THE JOINT COMMITTEE ON A DVANCED 15
20	19		COMMUNICATIONS AND I NFORMATION TECHNOLOG Y TO MEET IN 16
21	20		CLOSED MEETINGS ON M ATTERS CONCERNING A CYBERSECURITY 17
22	21		INCIDENT INVOLVING, OR A CYBERATTACK ON, A PUBLIC 18
23	22		ENTITY; AND FOR OTHER PURPOS ES. 19
24	23		20
25	24		21
26	25		Subtitle 22
27	26		TO REGULATE MEETINGS, INTERNAL POLICIES 23
28	27		AND GUIDELINES, AND REPORTS TO ADDRESS A 24
29	28		CYBERSECURITY INCIDENT INVOLVING, OR A 25
30	29		CYBERATTACK ON, A PUBLIC ENTITY. 26
31	30		27
32	31		28
33	32		BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF ARKANSAS: 29
34	33		30
35	34		SECTION 1. Arkansas Code § 10 -3-309(b)(1)(B), concerning the 31
36	35		definition of "rule" used for review and approval of state agency rules, is 32
37	36		amended to add an additional subdivision to read as follows: 33
38	37		(v) An internal policy or the intern al guidelines of 34
39	38		a state agency related to a cybersecurity incident involving, or a 35
40	39		cyberattack on, a state agency. 36 As Engrossed: H3/14/23 HB1555
41	40
42	41		2 03-14-2023 09:29:09 ANS240
43	42
44	43
45	44		1
46	45		SECTION 2. Arkansas Code Title 10, Chapter 3, Subchapter 17, is 2
47	46		amended to add an additional section to read as follows: 3
48	47		10-3-1708. Joint Committee on Advanced Communications and Information 4
49	48		Technology — Cybersecurity incidents and cyberattacks — Meetings in executive 5
50	49		session — Definitions. 6
51	50		(a) As used in this section: 7
52	51		(1) "County" means any county of this state; 8
53	52		(2) "Municipality" means: 9
54	53		(A) A city of the first class; 10
55	54		(B) A city of the second class; or 11
56	55		(C) An incorporated town; 12
57	56		(3) "Public entity" means: 13
58	57		(A) A county; 14
59	58		(B) A municipality; 15
60	59		(C) A school district; or 16
61	60		(D) The state; and 17
62	61		(4) "School district" means a school district or open enrollment 18
63	62		public charter school in this state. 19
64	63		(b)(1) The meetings of the Joint Committee on Advanced Communications 20
65	64		and Information Technology to review a cybersecurity incident involving, or a 21
66	65		cyberattack on, a public entity are closed and are exempt from public 22
67	66		observance under the Freedom of Information Act of 1967, § 25 -19-101 et seq. 23
68	67		(2) Any member of the General Assembly may attend the closed 24
69	68		hearing under subdivision (b)(1) of this section of the Joint Co mmittee on 25
70	69		Advanced Communications and Information Technology. 26
71	70		(3) An individual may attend a closed hearing under subdivision 27
72	71		(b)(1) of this section at the invitation of either of the cochairs of the 28
73	72		Joint Committee on Advanced Communications and Infor mation Technology. 29
74	73		(4) The Joint Committee on Advanced Communications and 30
75	74		Information Technology shall not disclose any information concerning an 31
76	75		internal policy or the internal guidelines established to address a 32
77	76		cybersecurity incident involving, or a cyberattack on, a public entity. 33
78	77		(5) If the Joint Committee on Advanced Communications and 34
79	78		Information Technology meets in a closed meeting under subdivision (b)(1) of 35
80	79		this section, the Joint Committee on Advanced Communications and Information 36 As Engrossed: H3/14/23 HB1555
81	80
82	81		3 03-14-2023 09:29:09 ANS240
83	82
84	83
85	84		Technology may discuss only a cybersecurity incident involving, or 1
86	85		cyberattack on, a public entity or any cybersecurity policy. 2
87	86		(c)(1) An internal policy or the internal guidelines that are 3
88	87		established concerning a cybersecurity incident involving, or a cyberattack 4
89	88		on, a public entity is: 5
90	89		(A) Confidential; and 6
91	90		(B) Exempt from the Freedom of Information Act of 1967, § 7
92	91		25-19-101 et seq. 8
93	92		(2) An internal policy or the internal guidelines of a public 9
94	93		entity established to address a cybersecurity incident involving, or a 10
95	94		cyberattack on, a public entity are not considered a rule under § 10 -3-309 or 11
96	95		the Arkansas Administrative Procedure Act, § 25 -15-201 et seq. 12
97	96		13
98	97		SECTION 3. Arkansas Code § 25 -15-202(9)(B), concerning the definition 14
99	98		of "rule" under the Arkansas Administrative Procedure Act, is amended to add 15
100	99		an additional subdivision to read as follows: 16
101	100		(viii) An internal policy or the internal guidelines 17
102	101		of a state agency related to a cybersecurity incident involving, or a 18
103	102		cyberattack on, a stat e agency. 19
104	103		20
105	104		/s/S. Meeks 21
106	105		22
107	106		23
108		-	~~APPROVED: 4/10/23~~ 24
	107	+	24
109	108		25
110	109		26
111	110		27
112	111		28
113	112		29
114	113		30
115	114		31
116	115		32
117	116		33
118	117		34
119	118		35
120	119		36