Austin, Texas
May 19, 2017

Honorable Kelly Hancock, Chair, Senate Committee on Business & Commerce
Ursula Parks, Director, Legislative Budget Board
HB8 by Capriglione (Relating to cybersecurity for state agency information resources.), Committee Report 2nd House, Substituted

The statewide fiscal implications of the bill cannot be determined at this time, but it is expected to result in a cost to the State. These costs primarily relate to provisions that would require agencies to perform an information security risk assessment every two years.

The bill sets forth certain requirements all agencies would be required to follow relating to cybersecurity. Statewide costs cannot be determined because the impact would be contingent on factors such as an agency's existing information technology infrastructure, current practices, and the number of full-time equivalent positions currently supporting related services. Some agencies, such as Texas A&M University and the Texas Department of Transportation, estimate that an indeterminate but significant cost would be incurred to comply with the requirements of the bill. The University of Texas System Administration reported that the provisions of the bill could be implemented within existing resources.

The bill would require each state agency to conduct a security assessment of the agency's information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities at least once every two years. Each state agency would be required to report the results of the assessment to the Department of Information Resources (DIR), the Governor, the Lieutenant Governor, and the Speaker of the House of Representatives by December 1 in the year in which the agency conducts the assessment. The bill would require DIR to establish the requirements for the information security assessment and report.

The bill would require a state agency to destroy or arrange for the destruction of information that alone or in conjunction with other information presents a cybersecurity risk and alone or in conjunction with other information identifies an individual, if retention of the information is not required under law or for other legal reasons. The cost of this would vary based on how much personally identifiable information an agency retains and what related activities an agency currently undertakes. DIR indicated this could be absorbed within existing resources, and the Texas Medical Board estimated this would cost $50,000 in fiscal year 2019.

Based on agency responses and LBB staff analysis, it is assumed that other provisions of the bill would not have a significant fiscal impact and could be implemented within existing resources.

The bill would take effect September 1, 2017.

Local Government Impact

According to the Texas Association of Counties, this bill would have no fiscal impact to units of local government.

Source Agencies:
116 Sunset Advisory Commission, 300 Trusteed Programs Within the Office of the Governor, 304 Comptroller of Public Accounts, 306 Library & Archives Commission, 307 Secretary of State, 313 Department of Information Resources, 320 Texas Workforce Commission, 323 Teacher Retirement System, 405 Department of Public Safety, 503 Texas Medical Board, 515 Board of Pharmacy, 529 Health and Human Services Commission, 578 Board of Veterinary Medical Examiners, 601 Department of Transportation, 701 Texas Education Agency, 710 Texas A&M University System Administrative and General Offices, 720 The University of Texas System Administration, 781 Higher Education Coordinating Board
LBB Staff: