BILL ANALYSIS

Senate Research Center
S.B. 1877
By: Zaffirini
Business & Commerce
6/18/2015
Enrolled

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

The purpose of this legislation is to enhance state employees' awareness regarding cybersecurity best practices.

Currently, nearly every state agency and employee uses some form of data usage agreement, which delineates the employee's duties and responsibilities regarding data access and usage. As cybersecurity threats evolve, state agencies' data usage agreements change by including new best practices that respond to the latest threats. Despite data user agreement changes, employees typically sign and review data agreements only once as part of the hiring process.

Recent studies in data management and cybersecurity revealed that understanding new requirements or simply refreshing existing ones has a positive effect on employee awareness of duties and responsibilities related to data access and use. The lack of a periodic renewal of data usage agreements means that employees who have worked in one position for a long time may not be aware of new or updated best practices.

S.B. 1877 directs the Department of Information Resources (DIR) to work with state agencies to create a minimum uniform standard data and technology user agreement. Employees would be required to sign this data and technology user agreement at least once every two years. The two-year period would account for changes in the interim to any rules that may apply to specific agencies or to Texas as a whole.

This periodic signing of up-to-date user agreements would fundamentally enhance cybersecurity in state agencies. (Original Author's/Sponsor's Statement of Intent)

S.B. 1877 amends current law relating to the development and maintenance by each state agency of a data use agreement for the state agency's employees and to training related to that agreement.

RULEMAKING AUTHORITY

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

SECTION BY SECTION ANALYSIS

SECTION 1. Amends Subchapter F, Chapter 2054, Government Code, by adding Section 2054.134, as follows:

Sec. 2054.134. DATA USE AGREEMENT. (a) Requires each state agency (agency) to develop a data use agreement for use by the agency that meets the particular needs of the agency and is consistent with rules adopted by the Department of Information Resources (DIR) that relate to information security standards for state agencies.

(b) Requires a state agency to update the data use agreement at least biennially, but provides that a state agency may update the agreement at any time as necessary to accommodate best practices in data management.

(c) Requires a state agency to distribute the data use agreement developed under this section, and each update to that agreement, to employees of the agency who handle sensitive information, including financial, medical, personnel, or student data. Requires the employee to sign the data use agreement distributed and each update to the agreement.

(d) Requires a state agency, to the extent possible, to provide employees described by Subsection (c) with cybersecurity awareness training to coincide with distribution of:

(1) the data use agreement required under this section; and

(2) each biennial update to that agreement.

SECTION 2. Effective date: September 1, 2015.