By: Ellis S.B. No. 2164
A BILL TO BE ENTITLED
AN ACT
relating to information technology security practices of state
agencies.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 411.081(i), Government Code, is amended
to read as follows:
(i) A criminal justice agency may disclose criminal history
record information that is the subject of an order of nondisclosure
to the following noncriminal justice agencies or entities only:
(1) the State Board for Educator Certification;
(2) a school district, charter school, private school,
regional education service center, commercial transportation
company, or education shared service arrangement;
(3) the Texas Medical Board;
(4) the Texas School for the Blind and Visually
Impaired;
(5) the Board of Law Examiners;
(6) the State Bar of Texas;
(7) a district court regarding a petition for name
change under Subchapter B, Chapter 45, Family Code;
(8) the Texas School for the Deaf;
(9) the Department of Family and Protective Services;
(10) the Texas Youth Commission;
(11) the Department of Assistive and Rehabilitative
Services;
(12) the Department of State Health Services, a local
mental health service, a local mental retardation authority, or a
community center providing services to persons with mental illness
or retardation;
(13) the Texas Private Security Board;
(14) a municipal or volunteer fire department;
(15) the Texas Board of Nursing;
(16) a safe house providing shelter to children in
harmful situations;
(17) a public or nonprofit hospital or hospital
district;
(18) the Texas Juvenile Probation Commission;
(19) the securities commissioner, the banking
commissioner, the savings and mortgage lending commissioner, or the
credit union commissioner;
(20) the Texas State Board of Public Accountancy;
(21) the Texas Department of Licensing and Regulation;
(22) the Health and Human Services Commission;
(23) the Department of Aging and Disability Services;
[and]
(24) the Texas Education Agency; and
(25) the Texas Department of Information Resources
regarding an employee, applicant for employment, contractor,
subcontractor, intern, or volunteer that provides network security
services under Chapter 2059, Government Code, to:
(A) the Department of Information Resources; or
(B) a contractor or subcontractor of the
Department of Information Resources.
SECTION 2. Subchapter F, Chapter 411, Government Code, is
amended by adding Section 411.1404 to read as follows:
Sec. 411.1404. ACCESS TO CRIMINAL HISTORY RECORD
INFORMATION: DEPARTMENT OF INFORMATION RESOURCES. (a) The
Department of Information Resources is entitled to obtain from the
department or the Federal Bureau of Investigation identification
division the criminal history record information maintained by the
department that relates to a person who is an employee, applicant
for employment, contractor, subcontractor, intern, or volunteer of
the Department of Information Resources or a contractor or
subcontractor that provides services to the Department of
Information Resources.
(b) Criminal history record information obtained by the
Department of Information Resources under this section may not be
released or disclosed except by court order or with the consent of
the person who is the subject of the information.
(c) The Department of Information Resources shall destroy
criminal history record information obtained under this section
that relates to a person after the information is used to make an
employment decision or to take a personnel action relating to the
person who is the subject of the information.
(d) The Department of Information Resources may not obtain
criminal history record information under this section unless the
Department of Information Resources first adopts policies and
procedures that provide that evidence of a criminal conviction or
other relevant information obtained from the criminal history
record information does not automatically disqualify an individual
from employment. The policies and procedures adopted under this
subsection must provide that the hiring official will determine, on
a case-by-case basis, whether the individual is qualified for
employment based on factors that include:
(1) the specific duties of the position;
(2) the number of offenses committed by the
individual;
(3) the nature and seriousness of each offense;
(4) the length of time between the offense and the
employment decision;
(5) the efforts by the individual at rehabilitation;
and
(6) the accuracy of the information on the
individual's employment application.
SECTION 3. Subchapter D, Chapter 551, Government Code, is
amended by adding Section 551.089 to read as follows:
Sec. 551.089. DEPARTMENT OF INFORMATION RESOURCES. This
chapter does not require the governing board of the Department of
Information Resources to conduct an open meeting to deliberate:
(1) security assessments or deployments relating to
information resources technology;
(2) network security information as described by
Section 2059.055(b); or
(3) the deployment, or specific occasions for
implementation, of security personnel, critical infrastructure, or
security devices.
SECTION 4. Section 552.139, Government Code, is amended to
read as follows:
Sec. 552.139. EXCEPTION: GOVERNMENT INFORMATION RELATED TO
SECURITY OR INFRASTRUCTURE ISSUES FOR COMPUTERS. (a) Information
is excepted from the requirements of Section 552.021 if it is
information that relates to computer network security, to
restricted information under Section 2059.055, or to the design,
operation, or defense of a computer network.
(b) The following information is confidential:
(1) a computer network vulnerability report; and
(2) any other assessment of the extent to which data
processing operations, a computer, [or] a computer program,
network, system, or system interface, or software of a governmental
body or of a contractor of a governmental body is vulnerable to
unauthorized access or harm, including an assessment of the extent
to which the governmental body's or contractor's electronically
stored information containing sensitive or critical information is
vulnerable to alteration, damage, [or] erasure, or inappropriate
use.
(c) Notwithstanding the confidential nature of the
information described in this section, the information may be
disclosed to a bidder if the governmental body determines that
providing the information is necessary for the bidder to provide an
accurate bid. A disclosure under this subsection is not a voluntary
disclosure for purposes of Section 552.007.
SECTION 5. Sections 2054.077(b), (d), and (e), Government
Code, are amended to read as follows:
(b) The information resources manager of a state agency may
prepare or have prepared a report, including an executive summary
of the findings of the report, assessing the extent to which a
computer, a computer program, a computer network, a computer
system, an interface to a computer system, computer software, or
data processing of the agency or of a contractor of the agency is
vulnerable to unauthorized access or harm, including the extent to
which the agency's or contractor's electronically stored
information is vulnerable to alteration, damage, [or] erasure, or
inappropriate use.
(d) The [On request, the] information resources manager
shall provide an electronic [a] copy of the vulnerability report on
its completion to:
(1) the department;
(2) the state auditor; [and]
(3) the agency's executive director; and
(4) any other information technology security
oversight group specifically authorized by the legislature to
receive the report.
(e) Separate from the executive summary described by
Subsection (b), a [A] state agency whose information resources
manager has prepared or has had prepared a vulnerability report
shall prepare a summary of the report that does not contain any
information the release of which might compromise the security of
the state agency's or state agency contractor's computers, computer
programs, computer networks, computer systems, computer software,
data processing, or electronically stored information. The summary
is available to the public on request.
SECTION 6. This Act takes effect September 1, 2009.