| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to establishing a system for the sharing of information |
|
|
regarding cyber attacks or other cybersecurity incidents occurring |
|
|
in schools in this state. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. The heading to Section 11.175, Education Code, |
|
|
is amended to read as follows: |
|
|
Sec. 11.175. SCHOOL DISTRICT AND OPEN-ENROLLMENT CHARTER |
|
|
SCHOOL CYBERSECURITY. |
|
|
SECTION 2. Section 11.175, Education Code, is amended by |
|
|
amending Subsections (b), (c), (d), and (e) and adding Subsections |
|
|
(g), (h), and (i) to read as follows: |
|
|
(b) Each school district and open-enrollment charter school |
|
|
shall adopt a cybersecurity policy to: |
|
|
(1) secure district cyberinfrastructure against cyber |
|
|
attacks and other cybersecurity incidents; and |
|
|
(2) determine cybersecurity risk and implement |
|
|
mitigation planning. |
|
|
(c) A school district's or open-enrollment charter school's |
|
|
cybersecurity policy may not conflict with the information security |
|
|
standards for institutions of higher education adopted by the |
|
|
Department of Information Resources under Chapters 2054 and 2059, |
|
|
Government Code. |
|
|
(d) The superintendent of each school district and |
|
|
open-enrollment charter school shall designate a cybersecurity |
|
|
coordinator to serve as a liaison between the district or school and |
|
|
the agency in cybersecurity matters. |
|
|
(e) A [The district's] cybersecurity coordinator designated |
|
|
under Subsection (d) shall report to the agency or, if applicable, |
|
|
the entity that administers the system established under Subsection |
|
|
(g) any cyber attack or other cybersecurity incident against the |
|
|
school district's or open-enrollment charter school's [district] |
|
|
cyberinfrastructure that constitutes a breach of system security as |
|
|
soon as practicable after the discovery of the attack or incident. |
|
|
(g) The agency, in coordination with the Department of |
|
|
Information Resources, shall establish and maintain a system to |
|
|
coordinate the anonymous sharing of information concerning cyber |
|
|
attacks or other cybersecurity incidents between participating |
|
|
public and private schools and the state. The system must: |
|
|
(1) include each report made under Subsection (e); |
|
|
(2) provide for reports made under Subsection (e) to |
|
|
be shared between participating schools in as close to real time as |
|
|
possible; and |
|
|
(3) preserve a reporting school's anonymity by |
|
|
preventing the disclosure through the system of the name of the |
|
|
school at which an attack or incident occurred. |
|
|
(h) In establishing the system under Subsection (g), the |
|
|
agency may: |
|
|
(1) contract with a qualified third party to |
|
|
administer the system; and |
|
|
(2) allow open-enrollment charter schools and private |
|
|
schools in this state to report and receive information through the |
|
|
system. |
|
|
(i) The commissioner shall adopt rules as necessary to |
|
|
implement this section. |
|
|
SECTION 3. This Act takes effect September 1, 2021. |