BILL ANALYSIS

Senate Research Center

H.B. 1861

By: Elkins (Watson)

Business & Commerce

5/17/2017

Engrossed

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

Much of the data in routine information technology (IT) security reports and logs includes confidential and personal information, as well as information on security flaws. The Public Information Act (PIA) contains a confidentiality provision for computer and IT security information, but it only covers (1) computer network vulnerability reports, (2) other computer vulnerability assessments, and (3) copies of government employee ID badges.

 

Because this provision does not cover routine IT security reports and logs, when a governmental body receives a PIA request covering these reports or logs, government employees and the Office of the Attorney General have to spend an inordinate amount of time to complete the redactions in these voluminous records.

 

H.B. 1861 addresses this issue by adding a fourth category to the existing IT security provision in the PIA to protect information directly arising from a governmental body's routine efforts to prevent, detect, investigate, or mitigate a computer security incident, including security logs. H.B. 1861 also requires a governmental body to redact this information from contracts with private entities before posting the contracts online. Finally, H.B. 1861 specifies that the new PIA provision does not affect the IT security breach notification requirements in current law.

 

Taken together, these provisions create a more efficient mechanism to protect information relating to a governmental body's routine efforts to prevent, detect, investigate, or mitigate IT security incidents.

 

H.B. 1861 amends current law relating to the confidentiality of certain information related to a computer security incident.

 

RULEMAKING AUTHORITY

 

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1. Amends Section 552.139, Government Code, by amending Subsection (b) and adding Subsections (b-1) and (d), as follows:

 

(b) Provides that certain information is confidential, including information directly arising from a governmental body's routine efforts to prevent, detect, investigate, or mitigate a computer security incident, including information contained in or derived from an information security log.

 

(b-1) Provides that Subsection (b)(4) does not affect the notification requirements related to a breach of system security as defined by Section 521.053 (Notification Required Following Breach of Security of Computerized Data), Business & Commerce Code.

 

(d) Requires a state agency to redact from a contract posted on the agency's Internet website under Section 2261.253 (Required Posting of Certain Contracts; Enhanced Contract and Performance Monitoring) information that is made confidential by, or excepted from required public disclosure under, this section (Exception: Confidentiality of Government Information Related to Security or Infrastructure Issues for Computers). Provides that the redaction of information under this subsection does not exempt the information from the requirements of Section 552.021 (Availability of Public Information) or 552.221 (Application for Public Information; Production of Public Information).

 

SECTION 2. Makes application of Sections 552.139(b)(4) and (b-1), Government Code, as added by this Act, prospective.

 

SECTION 3. Effective date: upon passage or September 1, 2017.