88R18451 ANG-D
By: Buckley H.B. No. 4944
Substitute the following for H.B. No. 4944:
By: Buckley C.S.H.B. No. 4944
A BILL TO BE ENTITLED
AN ACT
relating to public school cybersecurity controls, student data
privacy protection, and requirements and technical assistance and
cybersecurity risk assessments for public schools provided by the
Department of Information Resources.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 11.175(c), Education Code, is amended to
read as follows:
(c) A school district's cybersecurity policy must comply
with the cybersecurity controls and requirements adopted by the
commissioner under Section 32.351 and may not conflict with the
information security standards for institutions of higher
education adopted by the Department of Information Resources under
Chapters 2054 and 2059, Government Code.
SECTION 2. Chapter 32, Education Code, is amended by adding
Subchapters D-1 and H to read as follows:
SUBCHAPTER D-1. PRIVACY OF STUDENT EDUCATION RECORDS
Sec. 32.175. PRIVACY OF STUDENT EDUCATION RECORDS. The
agency, a school district, or an open-enrollment charter school, as
applicable, shall protect the privacy of student education records
in a manner that is at least as stringent as that provided under the
Family Educational Rights and Privacy Act of 1974 (20 U.S.C.
Section 1232g), as that law existed on January 1, 2023.
SUBCHAPTER H. CYBERSECURITY
Sec. 32.351. CYBERSECURITY CONTROLS AND REQUIREMENTS. (a)
The commissioner shall adopt cybersecurity controls and
requirements for school districts, open-enrollment charter
schools, and district and school vendors in consultation with and
as recommended by the Department of Information Resources.
(b) Each school district and open-enrollment charter school
shall implement the cybersecurity controls and requirements
adopted by the commissioner under this section.
(c) The agency may contract with the following entities to
implement this section:
(1) a regional education service center;
(2) a private entity;
(3) the Department of Information Resources; or
(4) a regional network security center established
under Subchapter E, Chapter 2059, Government Code.
(d) The commissioner shall adopt rules as necessary to
implement this section.
(e) Not later than September 1 of each even-numbered year,
the commissioner shall review the rules adopted under this section
and amend the rules as necessary to ensure that the cybersecurity
controls and requirements continue to provide effective
cybersecurity protection for school districts and open-enrollment
charter schools.
SECTION 3. Subchapter C, Chapter 2054, Government Code, is
amended by adding Sections 2054.0561 and 2054.0595 to read as
follows:
Sec. 2054.0561. TECHNICAL ASSISTANCE FOR PUBLIC SCHOOLS.
(a) The department may provide technical assistance to school
districts and open-enrollment charter schools regarding the
implementation of cybersecurity controls, requirements, and
network operations under Sections 11.175 and 32.351, Education
Code. In providing technical assistance to districts and schools,
the department may:
(1) use services offered by third parties;
(2) procure technology and services for districts and
schools;
(3) recommend to the Legislative Budget Board that
school districts and open-enrollment charter schools migrate
services to the State Data Center located on the campus of Angelo
State University; and
(4) use the services of a regional network security
center established under Section 2059.202.
(b) The department may adopt rules as necessary to implement
this section.
Sec. 2054.0595. CYBERSECURITY RISK ASSESSMENTS FOR PUBLIC
SCHOOLS. The department may perform a cybersecurity risk
assessment of a school district or open-enrollment charter school
at the request of:
(1) the commissioner of education;
(2) the superintendent of the district or the person
who serves the function of superintendent of the school, as
applicable;
(3) the board of trustees of the district or the
governing body of the school; or
(4) the state cybersecurity coordinator after a
cybersecurity incident affecting the district or school.
SECTION 4. Section 2059.058(b), Government Code, is amended
to read as follows:
(b) In addition to the department's duty to provide network
security services to state agencies under this chapter, the
department by agreement may provide network security to:
(1) each house of the legislature;
(2) an agency that is not a state agency, including a
legislative agency;
(3) a political subdivision of this state, including a
county, municipality, or special district;
(4) an independent organization, as defined by Section
39.151, Utilities Code; [and]
(5) a public junior college;
(6) an open-enrollment charter school established
under Subchapter D, Chapter 12, Education Code; and
(7) a regional education service center.
SECTION 5. Section 2059.201, Government Code, is amended to
read as follows:
Sec. 2059.201. ELIGIBLE PARTICIPATING ENTITIES. A state
agency or an entity listed in Sections 2059.058(b)(3)-(7)
[2059.058(b)(3)-(5)] is eligible to participate in cybersecurity
support and network security provided by a regional network
security center under this subchapter.
SECTION 6. Section 11.175(g), Education Code, as added by
Chapter 1045 (S.B. 1267), Acts of the 87th Legislature, Regular
Session, 2021, is repealed.
SECTION 7. Not later than March 31, 2024, the Texas
Education Agency and the Department of Information Resources shall
adopt rules necessary to implement the changes in law made by this
Act.
SECTION 8. To the extent of any conflict, this Act prevails
over another Act of the 88th Legislature, Regular Session, 2023,
relating to nonsubstantive additions to and corrections in enacted
codes.
SECTION 9. This Act takes effect September 1, 2023.