LEGISLATIVE BUDGET BOARD Austin, Texas FISCAL NOTE, 81ST LEGISLATIVE REGULAR SESSION March 30, 2009 TO: Honorable Burt R. Solomons, Chair, House Committee on State Affairs FROM: John S. O'Brien, Director, Legislative Budget Board IN RE:HB2004 by McCall (Relating to a breach of computer security involving sensitive personal information maintained by a state agency or local government.), As Introduced No significant fiscal implication to the State is anticipated. The bill would amend the Government Code by adding a chapter that requires state agencies and local governments to notify affected individuals of a computer security breach which discloses sensitive personal information, such as an individuals name and Social Security number, drivers license number, or financial account information. Notice shall be given as soon as practicable after discovering the breach, unless law enforcement requests a delay due to an ongoing investigation. Notice may be provided by mail, telephone, or by email, internet posting, or through the media if the cost of the notice exceeds $50,000, the breach affects more than 100,000 people, or there is limited contact information. Agencies and local governments would be exempt if they use more stringent notification requirements. The Office of the Attorney General (OAG) reported that its policy has always been to inform affected individuals on any breach of personal data. The OAG has taken necessary precautions to protect sensitive information, but as this bill outlines, there are certain internal factors (i.e., staff and/or contractors) that could compromise the integrity of system information and/or access resulting in the removal of sensitive computer information. Costs to the agency will depend on the number and size of security breaches that could occur in the future. The Department of Information Resources (DIR) reported that its privacy incident response process and major contracts with outside vendors include provisions for notification to individuals following a privacy breach incident. These documents could be amended to align with the definitions and requirements of the proposed legislation with in-house resources. It is assumed that the cost for notification by mail would be approximately 50 cents for each affected individual. It is also assumed that, statewide, the number of affected individuals and the frequency of computer security breaches would not be high enough to require enough notifications by mail to create a significant fiscal impact to the State. Local Government Impact The bill would require local governmental entities to notify affected individuals of a computer security breach which discloses sensitive personal information, such as an individuals name and Social Security number, drivers license number, or financial account information. The fiscal impact to local governmental entities would vary depending on several factors, including the type of computer technology an entity uses, the number of security breaches, and the method used for notifying individuals. Source Agencies:212 Office of Court Administration, Texas Judicial Council, 301 Office of the Governor, 302 Office of the Attorney General, 303 Facilities Commission, 304 Comptroller of Public Accounts, 313 Department of Information Resources, 320 Texas Workforce Commission, 327 Employees Retirement System, 405 Department of Public Safety, 452 Department of Licensing and Regulation, 504 Texas State Board of Dental Examiners, 520 Board of Examiners of Psychologists, 529 Health and Human Services Commission LBB Staff: JOB, KJG, SD, PJK, TP
LEGISLATIVE BUDGET BOARD
Austin, Texas
FISCAL NOTE, 81ST LEGISLATIVE REGULAR SESSION
March 30, 2009
TO: Honorable Burt R. Solomons, Chair, House Committee on State Affairs FROM: John S. O'Brien, Director, Legislative Budget Board IN RE:HB2004 by McCall (Relating to a breach of computer security involving sensitive personal information maintained by a state agency or local government.), As Introduced
TO: Honorable Burt R. Solomons, Chair, House Committee on State Affairs
FROM: John S. O'Brien, Director, Legislative Budget Board
IN RE: HB2004 by McCall (Relating to a breach of computer security involving sensitive personal information maintained by a state agency or local government.), As Introduced
Honorable Burt R. Solomons, Chair, House Committee on State Affairs
Honorable Burt R. Solomons, Chair, House Committee on State Affairs
John S. O'Brien, Director, Legislative Budget Board
John S. O'Brien, Director, Legislative Budget Board
HB2004 by McCall (Relating to a breach of computer security involving sensitive personal information maintained by a state agency or local government.), As Introduced
HB2004 by McCall (Relating to a breach of computer security involving sensitive personal information maintained by a state agency or local government.), As Introduced
No significant fiscal implication to the State is anticipated.
No significant fiscal implication to the State is anticipated.
The bill would amend the Government Code by adding a chapter that requires state agencies and local governments to notify affected individuals of a computer security breach which discloses sensitive personal information, such as an individuals name and Social Security number, drivers license number, or financial account information. Notice shall be given as soon as practicable after discovering the breach, unless law enforcement requests a delay due to an ongoing investigation. Notice may be provided by mail, telephone, or by email, internet posting, or through the media if the cost of the notice exceeds $50,000, the breach affects more than 100,000 people, or there is limited contact information. Agencies and local governments would be exempt if they use more stringent notification requirements. The Office of the Attorney General (OAG) reported that its policy has always been to inform affected individuals on any breach of personal data. The OAG has taken necessary precautions to protect sensitive information, but as this bill outlines, there are certain internal factors (i.e., staff and/or contractors) that could compromise the integrity of system information and/or access resulting in the removal of sensitive computer information. Costs to the agency will depend on the number and size of security breaches that could occur in the future. The Department of Information Resources (DIR) reported that its privacy incident response process and major contracts with outside vendors include provisions for notification to individuals following a privacy breach incident. These documents could be amended to align with the definitions and requirements of the proposed legislation with in-house resources. It is assumed that the cost for notification by mail would be approximately 50 cents for each affected individual. It is also assumed that, statewide, the number of affected individuals and the frequency of computer security breaches would not be high enough to require enough notifications by mail to create a significant fiscal impact to the State.
The bill would amend the Government Code by adding a chapter that requires state agencies and local governments to notify affected individuals of a computer security breach which discloses sensitive personal information, such as an individuals name and Social Security number, drivers license number, or financial account information. Notice shall be given as soon as practicable after discovering the breach, unless law enforcement requests a delay due to an ongoing investigation.
Notice may be provided by mail, telephone, or by email, internet posting, or through the media if the cost of the notice exceeds $50,000, the breach affects more than 100,000 people, or there is limited contact information.
Agencies and local governments would be exempt if they use more stringent notification requirements.
The Office of the Attorney General (OAG) reported that its policy has always been to inform affected individuals on any breach of personal data. The OAG has taken necessary precautions to protect sensitive information, but as this bill outlines, there are certain internal factors (i.e., staff and/or contractors) that could compromise the integrity of system information and/or access resulting in the removal of sensitive computer information. Costs to the agency will depend on the number and size of security breaches that could occur in the future.
The Department of Information Resources (DIR) reported that its privacy incident response process and major contracts with outside vendors include provisions for notification to individuals following a privacy breach incident. These documents could be amended to align with the definitions and requirements of the proposed legislation with in-house resources.
It is assumed that the cost for notification by mail would be approximately 50 cents for each affected individual. It is also assumed that, statewide, the number of affected individuals and the frequency of computer security breaches would not be high enough to require enough notifications by mail to create a significant fiscal impact to the State.
Local Government Impact
The bill would require local governmental entities to notify affected individuals of a computer security breach which discloses sensitive personal information, such as an individuals name and Social Security number, drivers license number, or financial account information. The fiscal impact to local governmental entities would vary depending on several factors, including the type of computer technology an entity uses, the number of security breaches, and the method used for notifying individuals.
The bill would require local governmental entities to notify affected individuals of a computer security breach which discloses sensitive personal information, such as an individuals name and Social Security number, drivers license number, or financial account information.
The fiscal impact to local governmental entities would vary depending on several factors, including the type of computer technology an entity uses, the number of security breaches, and the method used for notifying individuals.
Source Agencies: 212 Office of Court Administration, Texas Judicial Council, 301 Office of the Governor, 302 Office of the Attorney General, 303 Facilities Commission, 304 Comptroller of Public Accounts, 313 Department of Information Resources, 320 Texas Workforce Commission, 327 Employees Retirement System, 405 Department of Public Safety, 452 Department of Licensing and Regulation, 504 Texas State Board of Dental Examiners, 520 Board of Examiners of Psychologists, 529 Health and Human Services Commission
212 Office of Court Administration, Texas Judicial Council, 301 Office of the Governor, 302 Office of the Attorney General, 303 Facilities Commission, 304 Comptroller of Public Accounts, 313 Department of Information Resources, 320 Texas Workforce Commission, 327 Employees Retirement System, 405 Department of Public Safety, 452 Department of Licensing and Regulation, 504 Texas State Board of Dental Examiners, 520 Board of Examiners of Psychologists, 529 Health and Human Services Commission
LBB Staff: JOB, KJG, SD, PJK, TP
JOB, KJG, SD, PJK, TP