Texas 2009 - 81st Regular

Texas House Bill HB3187 Latest Draft

Bill / Introduced Version Filed 02/01/2025

                            81R8189 MCK-F
 By: McCall H.B. No. 3187


 A BILL TO BE ENTITLED
 AN ACT
 relating to information technology security practices of state
 agencies.
 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
 SECTION 1. Section 411.081(i), Government Code, is amended
 to read as follows:
 (i) A criminal justice agency may disclose criminal history
 record information that is the subject of an order of nondisclosure
 to the following noncriminal justice agencies or entities only:
 (1) the State Board for Educator Certification;
 (2) a school district, charter school, private school,
 regional education service center, commercial transportation
 company, or education shared service arrangement;
 (3) the Texas Medical Board;
 (4) the Texas School for the Blind and Visually
 Impaired;
 (5) the Board of Law Examiners;
 (6) the State Bar of Texas;
 (7) a district court regarding a petition for name
 change under Subchapter B, Chapter 45, Family Code;
 (8) the Texas School for the Deaf;
 (9) the Department of Family and Protective Services;
 (10) the Texas Youth Commission;
 (11) the Department of Assistive and Rehabilitative
 Services;
 (12) the Department of State Health Services, a local
 mental health service, a local mental retardation authority, or a
 community center providing services to persons with mental illness
 or retardation;
 (13) the Texas Private Security Board;
 (14) a municipal or volunteer fire department;
 (15) the Texas Board of Nursing;
 (16) a safe house providing shelter to children in
 harmful situations;
 (17) a public or nonprofit hospital or hospital
 district;
 (18) the Texas Juvenile Probation Commission;
 (19) the securities commissioner, the banking
 commissioner, the savings and mortgage lending commissioner, or the
 credit union commissioner;
 (20) the Texas State Board of Public Accountancy;
 (21) the Texas Department of Licensing and Regulation;
 (22) the Health and Human Services Commission;
 (23) the Department of Aging and Disability Services;
 [and]
 (24) the Texas Education Agency; and
 (25) the Department of Information Resources.
 SECTION 2. Subchapter F, Chapter 411, Government Code, is
 amended by adding Section 411.14055 to read as follows:
 Sec. 411.14055.  ACCESS TO CRIMINAL HISTORY RECORD
 INFORMATION: DEPARTMENT OF INFORMATION RESOURCES.  (a)  The
 Department of Information Resources is entitled to obtain from the
 department or another law enforcement agency the criminal history
 record information maintained by the department or other law
 enforcement agency that relates to a person who:
 (1)  is an employee or an applicant for employment with
 the Department of Information Resources;
 (2)  may perform services for the Department of
 Information Resources; or
 (3)  is an employee or subcontractor, or an applicant
 to be an employee or subcontractor, of a contractor that provides
 services to the Department of Information Resources.
 (b)  Criminal history record information obtained by the
 Department of Information Resources under Subsection (a) may be
 used only to evaluate:
 (1)  an employee or an applicant for employment with
 the Department of Information Resources;
 (2)  a person who may perform services for the
 Department of Information Resources; or
 (3)  a person who is an employee or subcontractor, or an
 applicant to be an employee or subcontractor, of a contractor that
 provides services to the Department of Information Resources.
 (c)  Criminal history record information obtained by the
 Department of Information Resources under this section may not be
 released or disclosed to any person or agency except on court order
 or with the consent of the person who is the subject of the
 information.
 (d)  The Department of Information Resources shall destroy
 the criminal history record information obtained under this section
 after the information is used for the purposes authorized by this
 section.
 SECTION 3. Subchapter D, Chapter 551, Government Code, is
 amended by adding Section 551.089 to read as follows:
 Sec. 551.089.  DEPARTMENT OF INFORMATION RESOURCES.  This
 chapter does not require the governing board of the Department of
 Information Resources to conduct an open meeting to deliberate:
 (1)  security assessments or deployments relating to
 information resources technology;
 (2)  network security information as described by
 Section 2059.055(b); or
 (3)  the deployment, or specific occasions for
 implementation, of security personnel, critical infrastructure, or
 security devices.
 SECTION 4. Section 552.139, Government Code, is amended to
 read as follows:
 Sec. 552.139. EXCEPTION: GOVERNMENT INFORMATION RELATED TO
 SECURITY OR INFRASTRUCTURE ISSUES FOR COMPUTERS. (a) Information
 is excepted from the requirements of Section 552.021 if it is
 information that relates to computer network security, to
 restricted information under Section 2059.055, or to the design,
 operation, or defense of a computer network.
 (b) The following information is confidential:
 (1) a computer network vulnerability report; and
 (2) any other assessment of the extent to which data
 processing operations, a computer, [or] a computer program,
 network, system, or system interface, or software of a governmental
 body or of a contractor of a governmental body is vulnerable to
 unauthorized access or harm, including an assessment of the extent
 to which the governmental body's or contractor's electronically
 stored information containing sensitive or critical information is
 vulnerable to alteration, damage, [or] erasure, or inappropriate
 use.
 (c)  Notwithstanding the confidential nature of the
 information described by this section, the information may be
 disclosed to a bidder if the governmental body determines that
 providing the information is necessary for the bidder to provide an
 accurate bid. A disclosure under this subsection is not a voluntary
 disclosure for purposes of Section 552.007.
 SECTION 5. Sections 2054.077(b), (d), and (e), Government
 Code, are amended to read as follows:
 (b) In addition to any assessment required under other law,
 the [The] information resources manager of a state agency may
 prepare or have prepared a report, including an executive summary
 of the findings of the report, assessing the extent to which a
 computer, a computer program, a computer network, a computer
 system, an interface to a computer system, computer software, or
 data processing of the agency or of a contractor of the agency is
 vulnerable to unauthorized access or harm, including the extent to
 which the agency's or contractor's electronically stored
 information containing sensitive or critical information is
 vulnerable to alteration, damage, [or] erasure, or inappropriate
 use.
 (d) The [On request, the] information resources manager
 shall provide an electronic [a] copy of the vulnerability report on
 its completion to:
 (1) the department;
 (2) the state auditor; [and]
 (3) the agency's executive director; and
 (4) any other information technology security
 oversight group specifically authorized by the legislature to
 receive the report.
 (e) Separate from the executive summary described by
 Subsection (b), a [A] state agency whose information resources
 manager has prepared or has had prepared a vulnerability report
 shall prepare a summary of the report that does not contain any
 information the release of which might compromise the security of
 the state agency's or state agency contractor's computers, computer
 programs, computer networks, computer systems, computer software,
 data processing, or electronically stored information. The summary
 is available to the public on request.
 SECTION 6. This Act takes effect September 1, 2009.