81R1762 EAH-F
 
  By: Corte H.B. No. 1830
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to information technology security practices of state
  agencies.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 411.081(i), Government Code, is amended
  to read as follows:
         (i)  A criminal justice agency may disclose criminal history
  record information that is the subject of an order of nondisclosure
  to the following noncriminal justice agencies or entities only:
               (1)  the State Board for Educator Certification;
               (2)  a school district, charter school, private school,
  regional education service center, commercial transportation
  company, or education shared service arrangement;
               (3)  the Texas Medical Board;
               (4)  the Texas School for the Blind and Visually
  Impaired;
               (5)  the Board of Law Examiners;
               (6)  the State Bar of Texas;
               (7)  a district court regarding a petition for name
  change under Subchapter B, Chapter 45, Family Code;
               (8)  the Texas School for the Deaf;
               (9)  the Department of Family and Protective Services;
               (10)  the Texas Youth Commission;
               (11)  the Department of Assistive and Rehabilitative
  Services;
               (12)  the Department of State Health Services, a local
  mental health service, a local mental retardation authority, or a
  community center providing services to persons with mental illness
  or retardation;
               (13)  the Texas Private Security Board;
               (14)  a municipal or volunteer fire department;
               (15)  the Texas Board of Nursing;
               (16)  a safe house providing shelter to children in
  harmful situations;
               (17)  a public or nonprofit hospital or hospital
  district;
               (18)  the Texas Juvenile Probation Commission;
               (19)  the securities commissioner, the banking
  commissioner, the savings and mortgage lending commissioner, or the
  credit union commissioner;
               (20)  the Texas State Board of Public Accountancy;
               (21)  the Texas Department of Licensing and Regulation;
               (22)  the Health and Human Services Commission;
               (23)  the Department of Aging and Disability Services;
  [and]
               (24)  the Texas Education Agency; and
               (25)  the Department of Information Resources.
         SECTION 2.  Subchapter F, Chapter 411, Government Code, is
  amended by adding Section 411.1404 to read as follows:
         Sec. 411.1404.  ACCESS TO CRIMINAL HISTORY RECORD
  INFORMATION: DEPARTMENT OF INFORMATION RESOURCES. (a)  The
  Department of Information Resources is entitled to obtain from the
  department or another appropriate law enforcement agency the
  criminal history record information maintained by the department or
  other law enforcement agency that relates to:
               (1)  a person who is an employee or applicant for
  employment with the Department of Information Resources;
               (2)  a person who may perform services for the
  Department of Information Resources; or
               (3)  a person who is an employee or subcontractor, or an
  applicant to be an employee or subcontractor, of a contractor that
  provides services to the Department of Information Resources.
         (b)  Criminal history record information obtained by the
  Department of Information Resources under Subsection (a) may be
  used only to evaluate:
               (1)  an employee or applicant for employment with the
  Department of Information Resources;
               (2)  a person who may perform services for the
  Department of Information Resources; or
               (3)  a person who is an employee or subcontractor, or an
  applicant to be an employee or subcontractor, of a contractor that
  provides services to the Department of Information Resources.
         (c)  Criminal history record information obtained by the
  Department of Information Resources under this section may not be
  released or disclosed to any person or agency except on court order
  or with the consent of the person who is the subject of the
  information.
         (d)  The Department of Information Resources shall destroy
  the criminal history record information obtained under this section
  after the information is used for the purposes authorized by this
  section.
         SECTION 3.  Subchapter D, Chapter 551, Government Code, is
  amended by adding Section 551.089 to read as follows:
         Sec. 551.089.  DEPARTMENT OF INFORMATION RESOURCES. This
  chapter does not require the governing board of the Department of
  Information Resources to conduct an open meeting to deliberate:
               (1)  security assessments or deployments relating to
  information resources technology;
               (2)  network security information as described by
  Section 2059.055(b); or
               (3)  the deployment, or specific occasions for
  implementation, of security personnel, critical infrastructure, or
  security devices.
         SECTION 4.  Section 552.139, Government Code, is amended to
  read as follows:
         Sec. 552.139.  EXCEPTION: GOVERNMENT INFORMATION RELATED TO
  SECURITY OR INFRASTRUCTURE ISSUES FOR COMPUTERS.  (a)  Information
  is excepted from the requirements of Section 552.021 if it is
  information that relates to computer network security, to
  restricted information under Section 2059.055, or to the design,
  operation, or defense of a computer network.
         (b)  The following information is confidential:
               (1)  a computer network vulnerability report; and
               (2)  any other assessment of the extent to which data
  processing operations, a computer, [or] a computer program,
  network, system, or system interface, or software of a governmental
  body or of a contractor of a governmental body is vulnerable to
  unauthorized access or harm, including an assessment of the extent
  to which the governmental body's or contractor's electronically
  stored information containing sensitive or critical information is
  vulnerable to alteration, damage, [or] erasure, or inappropriate
  use.
         (c)  Notwithstanding the confidential nature of the
  information described in this section, the information may be
  disclosed to a bidder if the governmental body determines that
  providing the information is necessary for the bidder to provide an
  accurate bid.  A disclosure under this subsection is not a voluntary
  disclosure for purposes of Section 552.007.
         SECTION 5.  Sections 2054.077(b), (d), and (e), Government
  Code, are amended to read as follows:
         (b)  The information resources manager of a state agency may
  prepare or have prepared a report, including an executive summary
  of the findings of the report, assessing the extent to which a
  computer, a computer program, a computer network, a computer
  system, an interface to a computer system, computer software, or
  data processing of the agency or of a contractor of the agency is
  vulnerable to unauthorized access or harm, including the extent to
  which the agency's or contractor's electronically stored
  information containing sensitive or critical information is
  vulnerable to alteration, damage, [or] erasure, or inappropriate
  use.
         (d)  The [On request, the] information resources manager
  shall provide an electronic [a] copy of the vulnerability report on
  its completion to:
               (1)  the department;
               (2)  the state auditor; [and]
               (3)  the agency's executive director; and
               (4)  any other information technology security
  oversight group specifically authorized by the legislature to
  receive the report.
         (e)  Separate from the executive summary described by
  Subsection (b), a [A] state agency whose information resources
  manager has prepared or has had prepared a vulnerability report
  shall prepare a summary of the report that does not contain any
  information the release of which might compromise the security of
  the state agency's or state agency contractor's computers, computer
  programs, computer networks, computer systems, computer software,
  data processing, or electronically stored information. The summary
  is available to the public on request.
         SECTION 6.  This Act takes effect September 1, 2009.