BILL ANALYSIS

 

 

Senate Research Center

S.B. 532

 

By: Nelson

 

Finance

 

6/5/2017

 

Enrolled

 

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

S.B. 532 promotes cybersecurity and cost saving within state agencies by requiring an assessment of information technology risks and encouraging agencies to explore cloud computing innovations. (Original Author's / Sponsor's Statement of Intent)

 

S.B. 532 amends current law relating to information collected about and purchases of information technology by governmental entities.

 

RULEMAKING AUTHORITY

 

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1. Amends Section 552.139, Government Code, by amending Subsection (b) and adding Subsection (b-1), as follows:

 

(b) Provides that information directly arising from a governmental body's routine efforts to prevent, detect, investigate, or mitigate a computer security incident, including information contained in or derived from an information security log, is confidential. Makes nonsubstantive changes.

 

(b-1) Provides that Subsection (b)(4) (relating to the confidentiality of certain information) does not affect the notification requirements related to a breach of security as defined by Section 521.053 (Notification Required Following Breach of Security of Computerized Data), Business and Commerce Code.

 

SECTION 2. Amends Subchapter C, Chapter 2054, Government Code, by adding Section 2054.068, as follows:

 

Sec. 2054.068. INFORMATION TECHNOLOGY INFRASTRUCTURE REPORT. (a) Defines "information technology."

 

(b) Requires the Department of Information Resources (DIR) to collect certain information from each state agency on the status and condition of the agency's information technology infrastructure.

 

(c) Requires a state agency to provide the required information to DIR according to a schedule determined by DIR.

 

(d) Requires DIR, not later than November 15 of each even-numbered year, to submit to the governor, chair of the house appropriations committee, chair of the senate finance committee, speaker of the house of representatives, lieutenant governor, and staff of the Legislative Budget Board a consolidated report of the information submitted by state agencies.

 

(e) Requires that the required consolidated report:

 

(1) include an analysis and assessment of each state agency's security and operational risks; and

 

(2) for a state agency found to be at higher security and operational risks, include a detailed analysis of, and an estimate of the costs to implement, the requirements for the agency to address the risks and related vulnerabilities and the agency's efforts to address the risks through certain methods.

 

(f) Provides that the consolidated report, with the exception of information that is confidential under Chapter 552 (Public Information), including Section 552.139 (Exception: Confidentiality of Government Information Related to Security or Infrastructure Issues for Computers), or other state or federal law, is public information and requires that the report be released or made available to the public upon request. Authorizes a certain governmental body to withhold certain confidential information that is contained in a released consolidated report without the necessity of requesting a decision from the Texas attorney general under Subchapter G (Attorney General Decisions), Chapter 552.

 

(g) Provides that this section does not apply to an institution of higher education or university system, as defined by Section 61.003 (Definitions), Education Code.

 

SECTION 3. Amends Section 2054.0965(a), Government Code, to require a state agency, not later than March 31 of each even-numbered year, rather than December 1 of each odd-numbered year, to complete a review of operational aspects of the agency's information resources deployment following instructions developed by DIR.

 

SECTION 4. Amends Section 2157.007, Government Code, by amending Subsection (b) and adding Subsection (e), as follows:

 

(b) Requires a state agency, rather than authorizes a state agency, to consider cloud computing service options, including any security benefits and cost savings associated with purchasing those service options from a cloud computing service provider and from a statewide technology center established by DIR, when making purchases for a major information resources project under Section 2054.118 (Major Information Resources Project).

 

(e) Requires DIR, using existing resources, not later than November 15 of each even-numbered year, to submit a report to the governor, lieutenant governor, and speaker of the house of representatives on state agencies' use of cloud computing service options. Requires that the report include use cases that provided cost savings and other benefits, including security enhancements. Requires a state agency to cooperate with DIR in the creation of the report by providing timely and accurate information and any assistance required by DIR.

 

SECTION 5. Makes application of Sections 552.139(b)(4) and (b-1), Government Code, as added by this Act, prospective.

 

SECTION 6. Effective date: September 1, 2017.