BILL ANALYSIS

C.S.H.B. 1861

By: Elkins

Government Transparency & Operation

Committee Report (Substituted)

BACKGROUND AND PURPOSE

Interested parties contend that information related to a computer security incident can be voluminous and therefore unduly burdensome to a governmental body required to disclose such information under state public information law. C.S.H.B. 1861 seeks to reduce this burden by excepting certain information related to a computer security incident from the public availability requirement of state public information law.

CRIMINAL JUSTICE IMPACT

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

RULEMAKING AUTHORITY

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

ANALYSIS

C.S.H.B. 1861 amends the Government Code to include among the government information related to security or infrastructure issues for computers considered confidential and excepted from the public availability requirement of state public information law, with certain exceptions, information directly arising from a governmental body's routine efforts to prevent, detect, or investigate a computer security incident, including information contained in or derived from an information security log. The bill establishes that the confidentiality and exception provided by such provision does not apply to information related to a breach of system security as defined by the Identity Theft Enforcement and Protection Act.

C.S.H.B. 1861 requires certain state agencies to redact from certain contracts for the purchase of goods or services from a private vendor posted on the applicable agency's website information that is made confidential by, or excepted from required public disclosure, under statutory provisions relating to the confidentiality of government information related to security or infrastructure issues for computers as amended by the bill. The bill establishes that the availability of information so redacted in response to a request made under state public information law is governed by such law.

EFFECTIVE DATE

On passage, or, if the bill does not receive the necessary vote, September 1, 2017.

COMPARISON OF ORIGINAL AND SUBSTITUTE

While C.S.H.B. 1861 may differ from the original in minor or nonsubstantive ways, the following comparison is organized and formatted in a manner that indicates the substantial differences between the introduced and committee substitute versions of the bill.

INTRODUCED

HOUSE COMMITTEE SUBSTITUTE

SECTION 1. Section 552.139(b), Government Code, is amended to read as follows:

(b) The following information is confidential:

(1) a computer network vulnerability report;

(2) any other assessment of the extent to which data processing operations, a computer, a computer program, network, system, or system interface, or software of a governmental body or of a contractor of a governmental body is vulnerable to unauthorized access or harm, including an assessment of the extent to which the governmental body's or contractor's electronically stored information containing sensitive or critical information is vulnerable to alteration, damage, erasure, or inappropriate use; [~~and~~]

(3) a photocopy or other copy of an identification badge issued to an official or employee of a governmental body; and

(4) information collected, assembled, or maintained by or for a governmental body to prevent, detect, or investigate a computer security incident,

including

a breach of system security as defined by Section 521.053, Business & Commerce Code.

SECTION 1. Section 552.139, Government Code, is amended by amending Subsection (b) and adding Subsections (b-1) and (d) to read as follows:

(b) Except as provided by Subsection (b-1), the [~~The~~] following information is confidential:

(1) a computer network vulnerability report;

(3) a photocopy or other copy of an identification badge issued to an official or employee of a governmental body; and

(4) information directly arising from a governmental body's routine efforts to prevent, detect, or investigate a computer security incident, including information contained in or derived from an information security log.

(b-1) Subsection (b) does not apply to information related to a breach of system security as defined by Section 521.053, Business & Commerce Code.

(d) A state agency shall redact from a contract posted on the agency's Internet website under Section 2261.253 information that is made confidential by, or excepted from required public disclosure under, this section. The availability of information redacted as provided by this subsection in response to a request made under this chapter is governed by this chapter.

SECTION 2. The change in law made by this Act applies only to a request for public information received on or after the effective date of this Act. A request received before the effective date of this Act is governed by the law in effect when the request was received, and the former law is continued in effect for that purpose.

SECTION 2. Section 552.139(b), Government Code, as amended by this Act, and Section 552.139(b-1), Government Code, as added by this Act, apply only to a request for public information received on or after the effective date of this Act. A request received before the effective date of this Act is governed by the law in effect when the request was received, and the former law is continued in effect for that purpose.

SECTION 3. This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2017.

SECTION 3. Same as introduced version.