LEGISLATIVE BUDGET BOARD
Austin, Texas

FISCAL NOTE, 81ST LEGISLATIVE REGULAR SESSION

April 9, 2009

TO: Honorable Burt R. Solomons, Chair, House Committee on State Affairs
FROM: John S. O'Brien, Director, Legislative Budget Board
IN RE: HB2004 by McCall (Relating to a breach of computer security involving sensitive personal information.), Committee Report 1st House, Substituted

No significant fiscal implication to the State is anticipated.

The bill would amend the Government Code to require state agencies and local governments to notify affected individuals of a computer security breach which discloses sensitive personal information, such as an individual's name and Social Security number, driver's license number, financial account information, or certain health information. Notice shall be given as prescribed by current requirements in Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state.

The Office of the Attorney General (OAG) reported that its policy has always been to inform affected individuals of any breach of personal data. The OAG has taken necessary precautions to protect sensitive information, but there are certain internal factors (i.e., staff and/or contractors) that could compromise the integrity of system information and/or access, resulting in the removal of sensitive computer information. Costs to the agency will depend on the number and size of security breaches that could occur in the future.

The Department of Information Resources reported that its privacy incident response process and major contracts with outside vendors include provisions for notification to individuals following a privacy breach incident. These documents could be amended to align with the definitions and requirements of the proposed legislation with in-house resources.

If an agency chose to send written notice by mail, then it is assumed that the cost for notification by mail would be approximately 50 cents for each affected individual. It is also assumed that, statewide, the number of affected individuals and the frequency of computer security breaches would not be high enough to require enough notifications by mail to create a significant fiscal impact to the State.

Local Government Impact

The fiscal impact to local governmental entities would vary depending on several factors, including the type of computer technology an entity uses, the number of security breaches, and the method used for notifying individuals.

Source Agencies: 212 Office of Court Administration, Texas Judicial Council, 301 Office of the Governor, 302 Office of the Attorney General, 303 Facilities Commission, 304 Comptroller of Public Accounts, 313 Department of Information Resources, 320 Texas Workforce Commission, 327 Employees Retirement System, 405 Department of Public Safety, 452 Department of Licensing and Regulation, 504 Texas State Board of Dental Examiners, 520 Board of Examiners of Psychologists, 529 Health and Human Services Commission

LBB Staff: JOB, PJK, KJG, SD, TP