Texas 2019 - 86th Regular

Texas Senate Bill SB64 Compare Versions

Lines marked - appear only in the first version compared; lines marked + appear only in the second; unmarked lines are common to both. Bracketed text is current-law language the bill strikes.

- S.B. No. 64
+ By: Nelson S.B. No. 64
+ (Phelan)


+ A BILL TO BE ENTITLED
AN ACT
relating to cybersecurity for information resources.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Subchapter C, Chapter 61, Education Code, is
- amended by adding Sections 61.09091 and 61.09092 to read as
- follows:
+ amended by adding Section 61.09091 to read as follows:
Sec. 61.09091. STRATEGIES TO INCENTIVIZE CYBERSECURITY
DEGREE PROGRAMS. (a) The board in collaboration with the
Department of Information Resources shall identify and develop
strategies to incentivize institutions of higher education to
develop degree programs in cybersecurity.
(b) The board shall consult with institutions of higher
education as necessary to carry out its duties under this section.
(c) Not later than September 1, 2020, the board shall submit
a written report detailing the strategies identified under this
section to the lieutenant governor, the speaker of the house of
representatives, the presiding officer of each legislative
standing committee with primary jurisdiction over higher
education, and each governing board of an institution of higher
education.
(d) This section expires September 1, 2021.
- Sec. 61.09092. COORDINATION OF CYBERSECURITY COURSEWORK
- DEVELOPMENT. (a) In this section, "lower-division institution of
- higher education" means a public junior college, public state
- college, or public technical institute.
- (b) The board, in consultation with the Department of
- Information Resources, shall coordinate with lower-division
- institutions of higher education and entities that administer or
- award postsecondary industry certifications or other workforce
- credentials in cybersecurity to develop certificate programs or
- other courses of instruction leading toward those certifications or
- credentials that may be offered by lower-division institutions of
- higher education.
- (c) The board may adopt rules as necessary for the
- administration of this section.
SECTION 2. Section 418.004(1), Government Code, is amended
to read as follows:
(1) "Disaster" means the occurrence or imminent threat
of widespread or severe damage, injury, or loss of life or property
resulting from any natural or man-made cause, including fire,
flood, earthquake, wind, storm, wave action, oil spill or other
water contamination, volcanic activity, epidemic, air
contamination, blight, drought, infestation, explosion, riot,
hostile military or paramilitary action, extreme heat,
cybersecurity event, other public calamity requiring emergency
action, or energy emergency.
- SECTION 3. Subchapter F, Chapter 437, Government Code, is
- amended by adding Section 437.255 to read as follows:
- Sec. 437.255. ASSISTING TEXAS STATE GUARD WITH CYBER
- OPERATIONS. To serve the state and safeguard the public from
- malicious cyber activity, the governor may command the Texas
- National Guard to assist the Texas State Guard with defending the
- state's cyber operations.
- SECTION 4. The heading to Section 656.047, Government Code,
- is amended to read as follows:
- Sec. 656.047. PAYMENT OF PROGRAM AND CERTIFICATION
- EXAMINATION EXPENSES.
- SECTION 5. Section 656.047, Government Code, is amended by
- adding Subsection (a-1) to read as follows:
- (a-1) A state agency may spend public funds as appropriate
- to reimburse a state agency employee or administrator who serves in
- an information technology, cybersecurity, or other cyber-related
- position for fees associated with industry-recognized
- certification examinations.
- SECTION 6. Section 815.103, Government Code, is amended by
+ SECTION 3. Section 815.103, Government Code, is amended by
adding Subsection (g) to read as follows:
(g) The retirement system shall comply with cybersecurity
and information security standards established by the Department of
Information Resources under Chapter 2054.
- SECTION 7. Section 825.103, Government Code, is amended by
+ SECTION 4. Section 825.103, Government Code, is amended by
amending Subsection (e) and adding Subsection (e-1) to read as
follows:
(e) Except as provided by Subsection (e-1), Chapters 2054
and 2055 do not apply to the retirement system. The board of
trustees shall control all aspects of information technology and
associated resources relating to the retirement system, including
computer, data management, and telecommunication operations,
procurement of hardware, software, and middleware, and
telecommunication equipment and systems, location, operation, and
replacement of computers, computer systems, and telecommunication
systems, data processing, security, disaster recovery, and
storage. The Department of Information Resources shall assist the
retirement system at the request of the retirement system, and the
retirement system may use any service that is available through
that department.
(e-1) The retirement system shall comply with cybersecurity
and information security standards established by the Department of
Information Resources under Chapter 2054.
- SECTION 8. Section 2054.0075, Government Code, is amended
+ SECTION 5. Section 2054.0075, Government Code, is amended
to read as follows:
Sec. 2054.0075. EXCEPTION: PUBLIC JUNIOR COLLEGE. This
chapter does not apply to a public junior college or a public junior
college district, except as necessary to comply with information
security standards and for participation in shared technology
services, including the electronic government project implemented
under Subchapter I and statewide technology centers under
Subchapter L [except as to Section 2054.119, Government Code].
- SECTION 9. Section 2054.0591(a), Government Code, is
+ SECTION 6. Section 2054.0591(a), Government Code, is
amended to read as follows:
(a) Not later than November 15 of each even-numbered year,
the department shall submit to the governor, the lieutenant
governor, the speaker of the house of representatives, and the
standing committee of each house of the legislature with primary
jurisdiction over state government operations a report identifying
preventive and recovery efforts the state can undertake to improve
cybersecurity in this state. The report must include:
(1) an assessment of the resources available to
address the operational and financial impacts of a cybersecurity
event;
(2) a review of existing statutes regarding
cybersecurity and information resources technologies;
(3) recommendations for legislative action to
increase the state's cybersecurity and protect against adverse
impacts from a cybersecurity event; and
(4) an evaluation of a program that provides an
information security officer to assist small state agencies and
local governments that are unable to justify hiring a full-time
information security officer [the costs and benefits of
cybersecurity insurance; and
[(5) an evaluation of tertiary disaster recovery
options].
- SECTION 10. Section 2054.0594, Government Code, is amended
+ SECTION 7. Section 2054.0594, Government Code, is amended
to read as follows:
Sec. 2054.0594. INFORMATION SHARING AND ANALYSIS
ORGANIZATION [CENTER]. (a) The department shall establish an
information sharing and analysis organization [center] to provide a
forum for state agencies, local governments, public and private
institutions of higher education, and the private sector to share
information regarding cybersecurity threats, best practices, and
remediation strategies.
(b) [The department shall appoint persons from appropriate
state agencies to serve as representatives to the information
sharing and analysis center.
[(c)] The department[, using funds other than funds
appropriated to the department in a general appropriations act,]
shall provide administrative support to the information sharing and
analysis organization [center].
(c) A participant in the information sharing and analysis
organization shall assert any exception available under state or
federal law, including Section 552.139, in response to a request
for public disclosure of information shared through the
organization. Section 552.007 does not apply to information
described by this subsection.
- SECTION 11. Section 2054.068(e), Government Code, is
- amended to read as follows:
+ SECTION 8. Section 2054.068(e), Government Code, is amended
+ to read as follows:
(e) The consolidated report required by Subsection (d)
must:
(1) include an analysis and assessment of each state
agency's security and operational risks; and
(2) for a state agency found to be at higher security
and operational risks, include a detailed analysis of agency
efforts to address the risks and related vulnerabilities[, and an
estimate of the costs to implement, the:
[(A) requirements for the agency to address the
risks and related vulnerabilities; and
[(B) agency's efforts to address the risks
through the:
[(i) modernization of information
technology systems;
[(ii) use of cloud services; and
[(iii) use of a statewide technology center
established by the department].
- SECTION 12. Subchapter C, Chapter 2054, Government Code, is
+ SECTION 9. Subchapter C, Chapter 2054, Government Code, is
amended by adding Section 2054.069 to read as follows:
Sec. 2054.069. PRIORITIZED CYBERSECURITY AND LEGACY SYSTEM
PROJECTS REPORT. (a) Not later than October 1 of each
even-numbered year, the department shall submit a report to the
Legislative Budget Board that prioritizes, for the purpose of
receiving funding, state agency:
(1) cybersecurity projects; and
(2) projects to modernize or replace legacy systems,
as defined by Section 2054.571.
(b) Each state agency shall coordinate with the department
to implement this section.
(c) A state agency shall assert any exception available
under state or federal law, including Section 552.139, in response
to a request for public disclosure of information contained in or
written, produced, collected, assembled, or maintained in
connection with the report under Subsection (a). Section 552.007
does not apply to information described by this subsection.
- SECTION 13. Sections 2054.077(b) and (d), Government Code,
+ SECTION 10. Sections 2054.077(b) and (d), Government Code,
are amended to read as follows:
(b) The information security officer [resources manager] of
a state agency shall prepare or have prepared a report, including an
executive summary of the findings of the biennial report, not later
than October 15 of each even-numbered year, assessing the extent to
which a computer, a computer program, a computer network, a
computer system, a printer, an interface to a computer system,
including mobile and peripheral devices, computer software, or data
processing of the agency or of a contractor of the agency is
vulnerable to unauthorized access or harm, including the extent to
which the agency's or contractor's electronically stored
information is vulnerable to alteration, damage, erasure, or
inappropriate use.
(d) The information security officer [resources manager]
shall provide an electronic copy of the vulnerability report on its
completion to:
(1) the department;
(2) the state auditor;
(3) the agency's executive director;
(4) the agency's designated information resources
manager; and
(5) [(4)] any other information technology security
oversight group specifically authorized by the legislature to
receive the report.
- SECTION 14. Section 2054.1125, Government Code, is amended
+ SECTION 11. Section 2054.1125, Government Code, is amended
by amending Subsection (b) and adding Subsection (c) to read as
follows:
(b) A state agency that owns, licenses, or maintains
computerized data that includes sensitive personal information,
confidential information, or information the disclosure of which is
regulated by law shall, in the event of a breach or suspected breach
of system security or an unauthorized exposure of that information:
(1) comply with the notification requirements of
Section 521.053, Business & Commerce Code, to the same extent as a
person who conducts business in this state; and
(2) not later than 48 hours after the discovery of the
breach, suspected breach, or unauthorized exposure, notify:
(A) the department, including the chief
information security officer [and the state cybersecurity
coordinator]; or
(B) if the breach, suspected breach, or
unauthorized exposure involves election data, the secretary of
state.
(c) Not later than the 10th business day after the date of
the eradication, closure, and recovery from a breach, suspected
breach, or unauthorized exposure, a state agency shall notify the
department, including the chief information security officer, of
the details of the event and include in the notification an analysis
of the cause of the event.
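Review bot: Subsection (b)(2) joins its two notification targets with "or", so for a breach involving election data the text can be read as requiring notice only to the secretary of state and not to the department; if both are intended, (A) and (B) should be joined with "and", or (B) should read "in addition, ... the secretary of state". The section also starts the 48-hour clock at "discovery" and the 10-business-day clock in (c) at "eradication, closure, and recovery" without defining either term, so an agency incident-response plan needs its own recorded definition of discovery time and of closure to show the deadlines were met.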
- SECTION 15. Section 2054.133(e), Government Code, is
+ SECTION 12. Section 2054.133(e), Government Code, is
amended to read as follows:
(e) Each state agency shall include in the agency's
information security plan a written document that is signed by
[acknowledgment that] the [executive director or other] head of the
agency, the chief financial officer, and each executive manager
[as] designated by the state agency and states that those persons
have been made aware of the risks revealed during the preparation of
the agency's information security plan.
- SECTION 16. Section 2054.516, Government Code, as added by
+ SECTION 13. Section 2054.516, Government Code, as added by
Chapters 683 (H.B. 8) and 955 (S.B. 1910), Acts of the 85th
Legislature, Regular Session, 2017, is reenacted and amended to
read as follows:
Sec. 2054.516. DATA SECURITY PLAN FOR ONLINE AND MOBILE
APPLICATIONS. (a) Each state agency[, other than an institution
of higher education subject to Section 2054.517,] implementing an
Internet website or mobile application that processes any sensitive
personal or personally identifiable information or confidential
information must:
(1) submit a biennial data security plan to the
department not later than October 15 of each even-numbered year to
establish planned beta testing for the website or application; and
(2) subject the website or application to a
vulnerability and penetration test and address any vulnerability
identified in the test.
(b) The department shall review each data security plan
submitted under Subsection (a) and make any recommendations for
changes to the plan to the state agency as soon as practicable after
the department reviews the plan.
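Review bot: (a)(2) requires a vulnerability and penetration test but states no cadence, scope or retest, while (a)(1) fixes a biennial date only for the data security plan, which is described as establishing "planned beta testing"; read literally, a single test at launch satisfies (a)(2) for the life of the application even though (b) has the department reviewing the plan every two years. Tying the test to each biennial plan and to material changes in the website or application would close that gap. "Address any vulnerability" likewise sets no remediation deadline, in contrast to the 48-hour and 10-business-day clocks in Section 2054.1125 above.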
- SECTION 17. Subchapter N-1, Chapter 2054, Government Code,
- is amended by adding Section 2054.519 to read as follows:
- Sec. 2054.519. CYBERSTAR PROGRAM; CERTIFICATE OF APPROVAL.
- (a) The state cybersecurity coordinator, in collaboration with
- the cybersecurity council and public and private entities in this
- state, shall develop best practices for cybersecurity that include:
- (1) measureable, flexible, and voluntary
- cybersecurity risk management programs for public and private
- entities to adopt to prepare for and respond to cyber incidents that
- compromise the confidentiality, integrity, and availability of the
- entities' information systems;
- (2) appropriate training and information for
- employees or other individuals who are most responsible for
- maintaining security of the entities' information systems;
- (3) consistency with the National Institute of
- Standards and Technology standards for cybersecurity;
- (4) public service announcements to encourage
- cybersecurity awareness; and
- (5) coordination with local and state governmental
- entities.
- (b) The state cybersecurity coordinator shall establish a
- cyberstar certificate program to recognize public and private
- entities that implement the best practices for cybersecurity
- developed in accordance with Subsection (a). The program must
- allow a public or private entity to submit to the department a form
- certifying that the entity has complied with the best practices and
- the department to issue a certificate of approval to the entity.
- The entity may include the certificate of approval in
- advertisements and other public communications.
- SECTION 18. Chapter 2054, Government Code, is amended by
- adding Subchapter R to read as follows:
- SUBCHAPTER R. INFORMATION RESOURCES OF GOVERNMENTAL ENTITIES
- Sec. 2054.601. USE OF NEXT GENERATION TECHNOLOGY. Each
- state agency and local government shall, in the administration of
- the agency or local government, consider using next generation
- technologies, including cryptocurrency, blockchain technology, and
- artificial intelligence.
- Sec. 2054.602. LIABILITY EXEMPTION. A person who in good
- faith discloses to a state agency or other governmental entity
- information regarding a potential security issue with respect to
- the agency's or entity's information resources technologies is not
- liable for any civil damages resulting from disclosing the
- information unless the person stole, retained, or sold any data
- obtained as a result of the security issue.
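Review bot: with Sec. 2054.602 struck, nothing in the + lines of this comparison carries over a civil-liability safe harbor for a person who in good faith reports a potential security issue in an agency's information resources, so a researcher disclosing a vulnerability to a Texas agency cannot rely on this bill for protection; the struck text's carve-out for anyone who "stole, retained, or sold" data obtained through the issue is the scoping any replacement provision would need. The Cyberstar certificate in Sec. 2054.519 was self-attested (the entity files a form "certifying that the entity has complied") with no audit or revocation step before the certificate could appear in advertisements, so its removal also removes an unverified trust mark.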
- SECTION 19. Section 2059.058(b), Government Code, is
+ SECTION 14. Section 2059.058(b), Government Code, is
amended to read as follows:
(b) In addition to the department's duty to provide network
security services to state agencies under this chapter, the
department by agreement may provide network security to:
(1) each house of the legislature;
(2) an agency that is not a state agency, including a
legislative agency;
(3) a political subdivision of this state, including a
county, municipality, or special district; [and]
(4) an independent organization, as defined by Section
39.151, Utilities Code; and
(5) a public junior college.
- SECTION 20. Section 1702.104, Occupations Code, is amended
+ SECTION 15. Section 1702.104, Occupations Code, is amended
by adding Subsection (c) to read as follows:
(c) The review and analysis of computer-based data for the
purpose of preparing for or responding to a cybersecurity event
does not constitute an investigation for purposes of this section
and does not require licensing under this chapter.
- SECTION 21. Chapter 31, Utilities Code, is amended by
+ SECTION 16. Chapter 31, Utilities Code, is amended by
designating Sections 31.001 through 31.005 as Subchapter A and
adding a subchapter heading to read as follows:
SUBCHAPTER A. GENERAL PROVISIONS
- SECTION 22. Chapter 31, Utilities Code, is amended by
+ SECTION 17. Chapter 31, Utilities Code, is amended by
adding Subchapter B to read as follows:
SUBCHAPTER B. CYBERSECURITY
Sec. 31.051. DEFINITION. In this subchapter, "utility"
means:
(1) an electric cooperative;
(2) an electric utility;
- (3) a municipally owned electric utility; or
- (4) a transmission and distribution utility.
+ (3) a municipally owned electric utility;
+ (4) a retail electric provider; or
+ (5) a transmission and distribution utility.
Sec. 31.052. CYBERSECURITY COORDINATION PROGRAM FOR
UTILITIES. (a) The commission shall establish a program to
monitor cybersecurity efforts among utilities in this state. The
program shall:
(1) provide guidance on best practices in
cybersecurity and facilitate the sharing of cybersecurity
information between utilities; and
(2) provide guidance on best practices for
cybersecurity controls for supply chain risk management of
cybersecurity systems used by utilities, which may include, as
applicable, best practices related to:
(A) software integrity and authenticity;
(B) vendor risk management and procurement
controls, including notification by vendors of incidents related to
the vendor's products and services; and
(C) vendor remote access.
(b) The commission may collaborate with the state
cybersecurity coordinator and the cybersecurity council
established under Chapter 2054, Government Code, in implementing
the program.
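Review bot: the + version adds retail electric providers to "utility" in Sec. 31.051, so the Sec. 31.052 program now reaches retail electric providers as well as the four grid-side entity types listed before, yet the program remains "monitor" and "provide guidance" only, with no reporting or compliance obligation on any utility; contrast Sec. 39.151(o) below, which requires the independent organization to conduct risk assessments, vulnerability testing and employee training and to report annually to the commission. If the supply-chain guidance in (a)(2) (software integrity and authenticity, vendor risk management with vendor incident notification, vendor remote access) is meant to bind, it needs a comparable reporting hook; as written, "may include, as applicable" leaves even the topic list optional.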
- SECTION 23. Section 39.151, Utilities Code, is amended by
+ SECTION 18. Section 39.151, Utilities Code, is amended by
adding Subsections (o) and (p) to read as follows:
(o) An independent organization certified by the commission
under this section shall:
(1) conduct internal cybersecurity risk assessment,
vulnerability testing, and employee training to the extent the
independent organization is not otherwise required to do so under
applicable state and federal cybersecurity and information
security laws; and
(2) submit a report annually to the commission on the
independent organization's compliance with applicable
cybersecurity and information security laws.
(p) Information submitted in a report under Subsection (o)
is confidential and not subject to disclosure under Chapter 552,
Government Code.
- SECTION 24. Sections 2054.119, 2054.513, and 2054.517,
- Government Code, are repealed.
- SECTION 25. To the extent of any conflict, this Act prevails
+ SECTION 19. Sections 2054.119 and 2054.517, Government
+ Code, are repealed.
+ SECTION 20. To the extent of any conflict, this Act prevails
over another Act of the 86th Legislature, Regular Session, 2019,
relating to nonsubstantive additions and corrections in enacted
codes.
- SECTION 26. This Act takes effect September 1, 2019.
- ______________________________ ______________________________
- President of the Senate Speaker of the House
- I hereby certify that S.B. No. 64 passed the Senate on
- April 26, 2019, by the following vote: Yeas 30, Nays 0; and that
- the Senate concurred in House amendments on May 24, 2019, by the
- following vote: Yeas 31, Nays 0.
- ______________________________
- Secretary of the Senate
- I hereby certify that S.B. No. 64 passed the House, with
- amendments, on May 22, 2019, by the following vote: Yeas 142,
- Nays 1, two present not voting.
- ______________________________
- Chief Clerk of the House
- Approved:
- ______________________________
- Date
- ______________________________
- Governor
+ SECTION 21. This Act takes effect September 1, 2019.