BILL ANALYSIS

S.B. 1910

By: Zaffirini

State Affairs

Committee Report (Unamended)

BACKGROUND AND PURPOSE

Interested parties contend that state agencies will continue to be prone to cybersecurity risks if they do not adopt best practices similar to those used in the private sector. S.B. 1910 seeks to enhance the security of state agency information, including personally identifiable information or confidential information.

CRIMINAL JUSTICE IMPACT

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

RULEMAKING AUTHORITY

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

ANALYSIS

S.B. 1910 amends the Government Code to require the Department of Information Resources (DIR), subject to available resources, to select a portion of state agency security plans to be audited by DIR in accordance with DIR rules. The bill requires DIR to adopt rules as necessary to implement this requirement. The bill requires each state agency in the executive branch of state government that has on staff a chief information security officer or information security officer to ensure that within the agency's organizational structure the officer is independent from and not subordinate to the agency's information technology operations.

S.B. 1910 requires each state agency implementing a website or mobile application that processes any personally identifiable or confidential information to submit a data security plan to DIR before beta testing the website or application and, before deploying the website or application, to subject the website or application to a vulnerability and penetration test conducted by an independent third party and address any vulnerability identified by that test. The bill sets out required components of such a data security plan and requires DIR to review each such plan submitted to DIR and make any recommendations for changes to the plan to the state agency as soon as practicable after DIR reviews the plan.

EFFECTIVE DATE

September 1, 2017.