| 1 | 1 | | By: Parker, Paxton S.B. No. 2358 |
|---|
| 2 | 2 | | |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | A BILL TO BE ENTITLED |
|---|
| 5 | 5 | | AN ACT |
|---|
| 6 | 6 | | relating to security procedures for digital applications that pose |
|---|
| 7 | 7 | | a network security risk to state agencies. |
|---|
| 8 | 8 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 9 | 9 | | SECTION 1. Chapter 2054, Government Code, is amended by |
|---|
| 10 | 10 | | adding Subchapter S to read as follows: |
|---|
| 11 | 11 | | SUBCHAPTER S. DIGITAL APPLICATION SECURITY PROCEDURES |
|---|
| 12 | 12 | | Sec. 2054.621. DEFINITIONS. In this subchapter: |
|---|
| 13 | 13 | | (1) "Digital application" means an Internet website or |
|---|
| 14 | 14 | | application that is open to the public, allows a user to create an |
|---|
| 15 | 15 | | account, and enables a user to communicate with other users by |
|---|
| 16 | 16 | | posting information, comments, messages, images, or video. The |
|---|
| 17 | 17 | | term does not include: |
|---|
| 18 | 18 | | (A) an Internet service provider, as defined by |
|---|
| 19 | 19 | | Section 324.055, Business & Commerce Code; |
|---|
| 20 | 20 | | (B) e-mail; or |
|---|
| 21 | 21 | | (C) an online service, application, or Internet |
|---|
| 22 | 22 | | website: |
|---|
| 23 | 23 | | (i) that consists primarily of news, |
|---|
| 24 | 24 | | sports, entertainment, or other content preselected by the provider |
|---|
| 25 | 25 | | that is not user generated; and |
|---|
| 26 | 26 | | (ii) for which any chat, comment, or |
|---|
| 27 | 27 | | interactive functionality is incidental to, directly related to, or |
|---|
| 28 | 28 | | dependent on provision of the content described by Subparagraph |
|---|
| 29 | 29 | | (i). |
|---|
| 30 | 30 | | (2) "Network security" has the meaning assigned by |
|---|
| 31 | 31 | | Section 2059.001. |
|---|
| 32 | 32 | | (3) "User" means a person who posts, uploads, |
|---|
| 33 | 33 | | transmits, shares, or otherwise publishes or receives content |
|---|
| 34 | 34 | | through a digital application. |
|---|
| 35 | 35 | | Sec. 2054.622. DIGITAL APPLICATION SECURITY RISK LIST. The |
|---|
| 36 | 36 | | department shall: |
|---|
| 37 | 37 | | (1) compile, maintain, and annually update a list of |
|---|
| 38 | 38 | | digital applications that create a network security risk to state |
|---|
| 39 | 39 | | agencies; |
|---|
| 40 | 40 | | (2) limit or prohibit the placement and use of digital |
|---|
| 41 | 41 | | applications on the list under Subdivision (1) on: |
|---|
| 42 | 42 | | (A) state-owned cell phones, computers, and |
|---|
| 43 | 43 | | other communication devices; and |
|---|
| 44 | 44 | | (B) personal communication devices of state |
|---|
| 45 | 45 | | agency employees that are used in the agency's office or other |
|---|
| 46 | 46 | | workplace; and |
|---|
| 47 | 47 | | (3) post the list under Subdivision (1) on a publicly |
|---|
| 48 | 48 | | accessible web page on the department's Internet website. |
|---|
| 49 | 49 | | Sec. 2054.623. DIGITAL APPLICATION SECURITY MODEL POLICY |
|---|
| 50 | 50 | | FOR STATE AGENCIES. The department shall develop, maintain, and |
|---|
| 51 | 51 | | periodically update a model policy for state agencies to use under |
|---|
| 52 | 52 | | Section 2054.624 in limiting or prohibiting the placement and use |
|---|
| 53 | 53 | | on communication devices of the digital applications included on |
|---|
| 54 | 54 | | the list compiled under Section 2054.622. |
|---|
| 55 | 55 | | Sec. 2054.624. STATE AGENCY DIGITAL APPLICATION SECURITY |
|---|
| 56 | 56 | | POLICY. (a) Each state agency shall develop, implement, and |
|---|
| 57 | 57 | | periodically update a policy limiting or prohibiting the placement |
|---|
| 58 | 58 | | and use of digital applications included on the list compiled under |
|---|
| 59 | 59 | | Section 2054.622 on: |
|---|
| 60 | 60 | | (1) state-owned cell phones, computers, and other |
|---|
| 61 | 61 | | communication devices; and |
|---|
| 62 | 62 | | (2) personal communication devices of state agency |
|---|
| 63 | 63 | | employees that are used in the agency's office or other workplace. |
|---|
| 64 | 64 | | (b) Each state agency shall submit to the department a copy |
|---|
| 65 | 65 | | of the policy required under Subsection (a) and updates to the |
|---|
| 66 | 66 | | policy. |
|---|
| 67 | 67 | | (c) The department: |
|---|
| 68 | 68 | | (1) may offer recommendations for improvements to |
|---|
| 69 | 69 | | submitted policies; |
|---|
| 70 | 70 | | (2) shall retain each copy and update submitted under |
|---|
| 71 | 71 | | Subsection (b); and |
|---|
| 72 | 72 | | (3) shall notify each member of the legislature and |
|---|
| 73 | 73 | | the governor when a state agency submits a policy or update. |
|---|
| 74 | 74 | | Sec. 2054.625. DISCLOSURE EXEMPTION. The model policy and |
|---|
| 75 | 75 | | state agency policies developed under this subchapter are exempt |
|---|
| 76 | 76 | | from disclosure under Chapter 552. |
|---|
| 77 | 77 | | Sec. 2054.626. RULEMAKING AUTHORITY. The department may |
|---|
| 78 | 78 | | adopt rules to implement this subchapter. |
|---|
| 79 | 79 | | SECTION 2. (a) As soon as practicable after the effective |
|---|
| 80 | 80 | | date of this Act, but not later than January 1, 2024, the Department |
|---|
| 81 | 81 | | of Information Resources shall develop the digital application |
|---|
| 82 | 82 | | security risk list and model policy as required by Subchapter S, |
|---|
| 83 | 83 | | Chapter 2054, Government Code, as added by this Act. |
|---|
| 84 | 84 | | (b) A state agency is not required to comply with Section |
|---|
| 85 | 85 | | 2054.624, Government Code, as added by this Act, until May 1, 2024. |
|---|
| 86 | 86 | | SECTION 3. This Act takes effect September 1, 2023. |
|---|