| 1 | 1 | | By: Blanco H.B. No. 4597 |
|---|
| 2 | 2 | | |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | A BILL TO BE ENTITLED |
|---|
| 5 | 5 | | AN ACT |
|---|
| 6 | 6 | | relating to cybersecurity of state agencies. |
|---|
| 7 | 7 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 8 | 8 | | SECTION 1. Section 552. 139 (b), Government Code, is |
|---|
| 9 | 9 | | amended to read as follows: |
|---|
| 10 | 10 | | (b) The following information is confidential: |
|---|
| 11 | 11 | | (1) a computer network vulnerability report; |
|---|
| 12 | 12 | | (2) any other assessment of the extent to which data |
|---|
| 13 | 13 | | processing operations, a computer, a computer program, network, |
|---|
| 14 | 14 | | system, or system interface, or software of a governmental body or |
|---|
| 15 | 15 | | of a contractor of a governmental body is vulnerable to |
|---|
| 16 | 16 | | unauthorized access or harm, including an assessment of the extent |
|---|
| 17 | 17 | | to which the governmental body's or contractor's electronically |
|---|
| 18 | 18 | | stored information containing sensitive or critical information is |
|---|
| 19 | 19 | | vulnerable to alteration, damage, erasure, or inappropriate use; |
|---|
| 20 | 20 | | (3) a photocopy of other copy of an identification |
|---|
| 21 | 21 | | badge issued to an official or employee of a governmental body; |
|---|
| 22 | 22 | | [and] |
|---|
| 23 | 23 | | (4) information directly arising from a governmental |
|---|
| 24 | 24 | | body's routine to prevent, detect, investigate, or mitigate a |
|---|
| 25 | 25 | | computer security incident, including information contained in or |
|---|
| 26 | 26 | | derived from an information security log; and |
|---|
| 27 | 27 | | (5) information about a state agency's cybersecurity |
|---|
| 28 | 28 | | insurance coverage, including policy provisions and coverage |
|---|
| 29 | 29 | | limits. |
|---|
| 30 | 30 | | SECTION 2. Subchapter N-1, Chapter 2054, Government Code, |
|---|
| 31 | 31 | | is amended by adding Section 2054.5172 to read as follows: |
|---|
| 32 | 32 | | Sec. 2054.5172. CYBER RANGE. (a) In this section, "cyber |
|---|
| 33 | 33 | | range" means a virtual environment used for interactive training in |
|---|
| 34 | 34 | | the defense against and response to cyberwarfare and other |
|---|
| 35 | 35 | | cybersecurity incidents. |
|---|
| 36 | 36 | | (b) The department may create a cyber range for use by |
|---|
| 37 | 37 | | public sector employees with responsibility for cybersecurity to |
|---|
| 38 | 38 | | improve this state's cybersecurity capabilities. |
|---|
| 39 | 39 | | SECTION 3. Subchapter N-1, Chapter 2054, Government Code, |
|---|
| 40 | 40 | | is amended by adding Section 2054.519, 2054.520, and 2054.521 to |
|---|
| 41 | 41 | | read as follows: |
|---|
| 42 | 42 | | Sec. 2054.519. CYBERSECURITY RESOURCES PROGRAM FOR STATE |
|---|
| 43 | 43 | | AGENCIES. (a) The department may establish a program that provides |
|---|
| 44 | 44 | | to state agencies the use of information security officers and |
|---|
| 45 | 45 | | other cybersecurity resources to assist in managing the agencies' |
|---|
| 46 | 46 | | information security. |
|---|
| 47 | 47 | | (b) The department shall adopt rules to implement this |
|---|
| 48 | 48 | | section. |
|---|
| 49 | 49 | | Sec. 2054.520. CYBERSECURITY INSURANCE. (a) The State |
|---|
| 50 | 50 | | Office of Risk Management shall evaluate the feasibility of |
|---|
| 51 | 51 | | providing cybersecurity insurance policies to state agencies. |
|---|
| 52 | 52 | | (b) The State Office of Risk Management shall develop |
|---|
| 53 | 53 | | guidance for state agencies regarding cybersecurity insurance |
|---|
| 54 | 54 | | coverage. The guidance must: |
|---|
| 55 | 55 | | (1) be based on best practices for making |
|---|
| 56 | 56 | | cybersecurity insurance coverage decisions; and |
|---|
| 57 | 57 | | (2) assist a state agency in determining whether: |
|---|
| 58 | 58 | | (A) cybersecurity insurance coverage would be |
|---|
| 59 | 59 | | beneficial to the agency; and |
|---|
| 60 | 60 | | (B) the agency should purchase a cybersecurity |
|---|
| 61 | 61 | | insurance policy from a third party or self-insure. |
|---|
| 62 | 62 | | (c) The department shall review and consider the guidance |
|---|
| 63 | 63 | | developed under this section in connection with the department's |
|---|
| 64 | 64 | | protection of statewide technology centers. |
|---|
| 65 | 65 | | Sec. 2054.521. BUG BOUNTY PROGRAM. (a) The department by |
|---|
| 66 | 66 | | rule may establish a bug bounty program, using money available for |
|---|
| 67 | 67 | | that purpose from legislative appropriations, to pay bounties to |
|---|
| 68 | 68 | | persons who uncover or resolve security flaws in state websites and |
|---|
| 69 | 69 | | applications. |
|---|
| 70 | 70 | | (b) The department may determine eligibility criteria for |
|---|
| 71 | 71 | | receiving a bounty under this section and the amount of a bounty to |
|---|
| 72 | 72 | | be paid under this section. |
|---|
| 73 | 73 | | (c) An employee of or contractor with a state agency is not |
|---|
| 74 | 74 | | eligible to receive a bounty under this section. |
|---|
| 75 | 75 | | (d) The payment of a bounty under this section does not |
|---|
| 76 | 76 | | affect a person 's civil or criminal liability for prohibited |
|---|
| 77 | 77 | | conduct related to a state website or application. |
|---|
| 78 | 78 | | SECTION 4. Section 2054.136, Government Code, is amended to |
|---|
| 79 | 79 | | read as follows: |
|---|
| 80 | 80 | | Sec. 2054.136. DESIGNATED INFORMATION SECURITY OFFICER; |
|---|
| 81 | 81 | | DUTIES. (a) In this section, "cloud computing service" has the |
|---|
| 82 | 82 | | meaning assigned by Section 2157.007. |
|---|
| 83 | 83 | | (b) Each state agency shall designate an information |
|---|
| 84 | 84 | | security officer who: |
|---|
| 85 | 85 | | (1) reports to the agency 's executive-level |
|---|
| 86 | 86 | | management; |
|---|
| 87 | 87 | | (2) has authority over information security for the |
|---|
| 88 | 88 | | entire agency; |
|---|
| 89 | 89 | | (3) possesses the training and experience required to |
|---|
| 90 | 90 | | perform the duties required by department rules; and |
|---|
| 91 | 91 | | (4) to the extent feasible, has information security |
|---|
| 92 | 92 | | duties as the officer 's primary duties. |
|---|
| 93 | 93 | | (c) A state agency 's information security officer must |
|---|
| 94 | 94 | | authorize the purchase of cloud computing services before the |
|---|
| 95 | 95 | | agency may enter into a contract for those services. |
|---|
| 96 | 96 | | SECTION 5. Section 2054.1125, Government Code, is amended |
|---|
| 97 | 97 | | by adding Subsection (c) to read as follows: |
|---|
| 98 | 98 | | (c) Not later than the 10th business day after the date of |
|---|
| 99 | 99 | | the eradication, closure, and recovery from a breach, suspected |
|---|
| 100 | 100 | | breach, or unauthorized exposure, a state agency shall notify the |
|---|
| 101 | 101 | | department, including the chief information security officer, of |
|---|
| 102 | 102 | | the details of the event. |
|---|
| 103 | 103 | | SECTION 6. The change in law made by this Act applies only |
|---|
| 104 | 104 | | to a contract for cloud computing services that is entered into on |
|---|
| 105 | 105 | | or after the effective date of this Act. A contract entered into |
|---|
| 106 | 106 | | before the effective date of this Act is governed by the law in |
|---|
| 107 | 107 | | effect on the date the contract was entered into, and the former law |
|---|
| 108 | 108 | | is continued in effect for that purpose. |
|---|
| 109 | 109 | | SECTION 7. This Act takes effect September 1, 2019. |
|---|