SRC-BWC H.B. 249 77(R) BILL ANALYSIS

Senate Research Center
H.B. 249
By: Pitts (Shapiro)
State Affairs
5/10/2001
Engrossed

DIGEST AND PURPOSE

Under current law, the findings of a computer system vulnerability report conducted on or by a state agency may be required to be made accessible to the public, a practice that could compromise the safety of the state agency's electronically stored sensitive and confidential information. H.B. 249 provides that a vulnerability report is not subject to disclosure and requires a state agency whose manager has prepared a vulnerability report to prepare a summary of the report, excluding information that might compromise security, to be made available to the public on request.

RULEMAKING AUTHORITY

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

SECTION BY SECTION ANALYSIS

SECTION 1. Amends Chapter 2054D, Government Code, by adding Section 2054.077, as follows:

Sec. 2054.077. VULNERABILITY REPORTS. Provides that in this section, a term defined by Section 33.01, Penal Code, has the meaning assigned by that section.

Authorizes the information resources manager of a state agency to prepare or have prepared a report assessing the extent to which a computer, a computer program, a computer network, a computer system, computer software, or data processing of the agency or of a contractor of the agency is vulnerable to unauthorized access or harm, including the extent to which the agency's or contractor's electronically stored information is vulnerable to alteration, damage, or erasure.

Provides that except as provided by this section, a vulnerability report and any information or communication prepared or maintained for use in the preparation of a vulnerability report is confidential and is not subject to disclosure under Chapter 552.
Requires the information resources manager, on request, to provide a copy of the vulnerability report to the Department of Information Resources, the state auditor, and any other information technology security oversight group specifically authorized by the legislature to receive the report.

Requires a state agency whose information resources manager has prepared or has had prepared a vulnerability report to prepare a summary of the report that does not contain any information the release of which might compromise the security of the state agency's or state agency contractor's computers, computer programs, computer networks, computer systems, computer software, data processing, or electronically stored information. Provides that the summary is available to the public on request.

SECTION 2. Amends Section 2054.006(a), Government Code, to provide that except as specifically provided by this chapter, this chapter does not affect laws, rules, or decisions relating to the confidentiality or privileged status of categories of information or communications.

SECTION 3. Effective date: upon passage or September 1, 2001.