BILL ANALYSIS

Senate Research Center
S.B. 64
By: Nelson
Business & Commerce
6/13/2019
Enrolled


AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

The Texas Cybersecurity Act (H.B. 8, 85R) made sweeping improvements to assess and improve the state's cybersecurity posture. H.B. 8 also created the Senate Select Committee on Cybersecurity. Hearings conducted during the interim identified several areas where the State could benefit from improvements.

 

S.B. 64 seeks to address those issues by improving Texas' cybersecurity to protect data and ensure that key services are delivered by strengthening state oversight of cybersecurity, bolstering the cyber workforce, assisting local governments in recovering from cyber events, and improving oversight of the electric grid. (Original Author's/Sponsor's Statement of Intent)

 

S.B. 64 amends current law relating to cybersecurity for information resources.

 

RULEMAKING AUTHORITY

 

Rulemaking authority is expressly granted to the Texas Higher Education Coordinating Board in SECTION 1 (Section 61.09092, Education Code) of this bill.

 

Rulemaking authority previously granted to the Texas Department of Information Resources is rescinded in SECTION 24 (Section 2054.119, Government Code) of this bill.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1. Amends Subchapter C, Chapter 61, Education Code, by adding Sections 61.09091 and 61.09092, as follows:

 

Sec. 61.09091. STRATEGIES TO INCENTIVIZE CYBERSECURITY DEGREE PROGRAMS. (a) Requires the Texas Higher Education Coordinating Board (THECB) in collaboration with the Texas Department of Information Resources (DIR) to identify and develop strategies to incentivize institutions of higher education to develop degree programs in cybersecurity.

 

(b) Requires THECB to consult with institutions of higher education as necessary to carry out its duties under this section.

 

(c) Requires THECB, not later than September 1, 2020, to submit a written report detailing the strategies identified under this section to the lieutenant governor, the speaker of the house of representatives, the presiding officer of each legislative standing committee with primary jurisdiction over higher education, and each governing board of an institution of higher education.

 

(d) Provides that this section expires September 1, 2021.

 

Sec. 61.09092. COORDINATION OF CYBERSECURITY COURSEWORK DEVELOPMENT. (a) Defines "lower-division institution of higher education" for the purposes of this section.

 

(b) Requires THECB, in consultation with DIR, to coordinate with lower-division institutions of higher education and entities that administer or award postsecondary industry certifications or other workforce credentials in cybersecurity to develop certificate programs or other courses of instruction leading toward those certifications or credentials that may be offered by lower‑division institutions of higher education.

 

(c) Authorizes THECB to adopt rules as necessary for the administration of this section.

 

SECTION 2. Amends Section 418.004(1), Government Code, to redefine "disaster" to include a cybersecurity event.

 

SECTION 3. Amends Subchapter F, Chapter 437, Government Code, by adding Section 437.255, as follows:

 

Sec. 437.255. ASSISTING TEXAS STATE GUARD WITH CYBER OPERATIONS. Authorizes the governor, to serve the state and safeguard the public from malicious cyber activity, to command the Texas National Guard to assist the Texas State Guard with defending the state's cyber operations.

 

SECTION 4. Amends the heading to Section 656.047, Government Code, to read as follows:

 

Sec. 656.047. PAYMENT OF PROGRAM AND CERTIFICATION EXAMINATION EXPENSES.

 

SECTION 5. Amends Section 656.047, Government Code, by adding Subsection (a-1), as follows:

 

(a-1) Authorizes a state agency to spend public funds as appropriate to reimburse a state agency employee or administrator who serves in an information technology, cybersecurity, or other cyber-related position for fees associated with industry-recognized certification examinations.

 

SECTION 6. Amends Section 815.103, Government Code, by adding Subsection (g) to require the Employees Retirement System of Texas to comply with cybersecurity and information security standards established by DIR under Chapter 2054 (Information Resources).

 

SECTION 7. Amends Section 825.103, Government Code, by amending Subsection (e) and adding Subsection (e-1), as follows:

 

(e) Provides that, except as provided by Subsection (e-1), Chapters 2054 and 2055 (Electronic Grant System) do not apply to the Teacher Retirement System of Texas (TRS).

 

(e-1) Requires TRS to comply with cybersecurity and information security standards established by DIR under Chapter 2054.

 

SECTION 8. Amends Section 2054.0075, Government Code, as follows:

 

Sec. 2054.0075. EXCEPTION: PUBLIC JUNIOR COLLEGE. Provides that this chapter does not apply to a public junior college or a public junior college district, except as necessary to comply with information security standards and for participation in shared technology services, including the electronic government project implemented under Subchapter I (State Electronic Internet Portal Project) and statewide technology centers under Subchapter L (Statewide Technology Centers), rather than except as necessary for participation in the electronic government project implemented under Subchapter I and except as to Section 2054.119 (Bids or Proposals For Interagency Contracts), Government Code.

 

SECTION 9. Amends Section 2054.0591(a), Government Code, as follows:

 

(a) Requires the report relating to preventive and recovery efforts the state can undertake to improve cybersecurity to include:

 

(1)-(2) makes no changes to these subdivisions;

 

(3) makes a nonsubstantive change to this subdivision; and

 

(4) an evaluation of a program that provides an information security officer to assist small state agencies and local governments that are unable to justify hiring a full-time information security officer, rather than an evaluation of the costs and benefits of cybersecurity insurance.

 

Deletes existing Subdivision (5) relating to an evaluation of tertiary disaster recovery options.

 

SECTION 10. Amends Section 2054.0594, Government Code, as follows:

 

Sec. 2054.0594. New heading: INFORMATION SHARING AND ANALYSIS ORGANIZATION. (a) Requires DIR to establish an information sharing and analysis organization, rather than center, to provide a forum for state agencies, local governments, public and private institutions of higher education, and the private sector, rather than for state agencies, to share information regarding cybersecurity threats, best practices, and remediation strategies.

 

(b) Deletes existing text requiring DIR to appoint representatives to the center. Requires DIR to provide administrative support to the information sharing and analysis organization. Redesignates existing Subsection (c) as this subsection, deletes existing text relating to the use of funds other than funds appropriated to DIR in a general appropriations act, and makes a conforming change.

 

(c) Requires a participant in the information sharing and analysis organization to assert any exception available under state or federal law, including Section 552.139 (Exception: Confidentiality of Government Information Related to Security or Infrastructure Issues For Computers), in response to a request for public disclosure of information shared through the organization. Provides that Section 552.007 (Voluntary Disclosure of Certain Information When Disclosure Not Required) does not apply to information described by this subsection.

 

SECTION 11. Amends Section 2054.068(e), Government Code, as follows:

 

(e) Requires the consolidated report required by Subsection (d) (relating to requiring DIR to report information collected from state agencies regarding information technology infrastructure) to:

 

(1) makes no changes to this subdivision; and

 

(2) for a state agency found to be at higher security and operational risks, include a detailed analysis of agency efforts to address the risks and related vulnerabilities. Deletes existing text relating to an estimate of the costs to implement certain agency requirements and efforts.

 

SECTION 12. Amends Subchapter C, Chapter 2054, Government Code, by adding Section 2054.069, as follows:

 

Sec. 2054.069. PRIORITIZED CYBERSECURITY AND LEGACY SYSTEM PROJECTS REPORT. (a) Requires DIR, not later than October 1 of each even-numbered year, to submit a report to the Legislative Budget Board that prioritizes, for the purpose of receiving funding, state agency cybersecurity projects, and state agency projects to modernize or replace legacy systems, as defined by Section 2054.571 (Definition).

 

(b) Requires each state agency to coordinate with DIR to implement this section.

 

(c) Requires a state agency to assert any exception available under state or federal law, including Section 552.139, in response to a request for public disclosure of information contained in or written, produced, collected, assembled, or maintained in connection with the report under Subsection (a). Provides that Section 552.007 does not apply to information described by this subsection.

 

SECTION 13. Amends Sections 2054.077(b) and (d), Government Code, as follows:

 

(b) Requires the information security officer, rather than the information resources manager, of a state agency to prepare or have prepared a report, including certain information related to device vulnerability.

 

(d) Requires the information security officer, rather than the information resources manager, to provide an electronic copy of the vulnerability report on its completion to:

 

(1)-(3) makes no changes to these subdivisions;

 

(4) the agency's designated information resources manager; and

 

(5) creates this subdivision from existing Subdivision (4) and makes no further changes.

 

SECTION 14. Amends Section 2054.1125, Government Code, by amending Subsection (b) and adding Subsection (c), as follows:

 

(b) Deletes existing requirement that the state cybersecurity coordinator be notified not later than 48 hours after the discovery of a breach, suspected breach, or unauthorized exposure.

 

(c) Requires a state agency, not later than the 10th business day after the date of the eradication, closure, and recovery from a breach, suspected breach, or unauthorized exposure, to notify DIR, including the chief information security officer, of the details of the event and include in the notification an analysis of the cause of the event.

 

SECTION 15. Amends Section 2054.133(e), Government Code, as follows:

 

(e) Requires each state agency to include in the agency's information security plan a written document that is signed by the head of the agency, the chief financial officer, and each executive manager designated by the state agency and states that those persons have been made aware of the risks revealed during the preparation of the agency's information security plan, rather than a written acknowledgment that the executive director or other head of agency, the chief financial officer, and each manager as designated by the state agency have been made aware of such risks.

 

SECTION 16. Reenacts Section 2054.516, Government Code, as added by Chapters 683 (H.B. 8) and 955 (S.B. 1910), Acts of the 85th Legislature, Regular Session, 2017, and amends it to delete existing text exempting an institution of higher education subject to Section 2054.517 (Data Security Procedures For Online and Mobile Applications of Institutions of Higher Education) from certain cybersecurity requirements and to make a nonsubstantive change.

 

SECTION 17. Amends Subchapter N-1, Chapter 2054, Government Code, by adding Section 2054.519, as follows:

 

Sec. 2054.519. CYBERSTAR PROGRAM; CERTIFICATE OF APPROVAL. (a) Requires the state cybersecurity coordinator, in collaboration with the cybersecurity council and public and private entities in this state, to develop best practices for cybersecurity that include:

 

(1) measurable, flexible, and voluntary cybersecurity risk management programs for public and private entities to adopt to prepare for and respond to cyber incidents that compromise the confidentiality, integrity, and availability of the entities' information systems;

 

(2) appropriate training and information for employees or other individuals who are most responsible for maintaining security of the entities' information systems;

 

(3) consistency with the National Institute of Standards and Technology standards for cybersecurity;

 

(4) public service announcements to encourage cybersecurity awareness; and

 

(5) coordination with local and state governmental entities.

 

(b) Requires the state cybersecurity coordinator to establish a cyberstar certificate program to recognize public and private entities that implement the best practices for cybersecurity developed in accordance with Subsection (a). Requires the program to allow a public or private entity to submit to DIR a form certifying that the entity has complied with the best practices and DIR to issue a certificate of approval to the entity. Authorizes the entity to include the certificate of approval in advertisements and other public communications.

 

SECTION 18. Amends Chapter 2054, Government Code, by adding Subchapter R, as follows:

 

SUBCHAPTER R. INFORMATION RESOURCES OF GOVERNMENTAL ENTITIES

 

Sec. 2054.601. USE OF NEXT GENERATION TECHNOLOGY. Requires each state agency and local government to, in the administration of the agency or local government, consider using next generation technologies, including cryptocurrency, blockchain technology, and artificial intelligence.

 

Sec. 2054.602. LIABILITY EXEMPTION. Provides that a person who in good faith discloses to a state agency or other governmental entity information regarding a potential security issue with respect to the agency's or entity's information resources technologies is not liable for any civil damages resulting from disclosing the information unless the person stole, retained, or sold any data obtained as a result of the security issue.

 

SECTION 19. Amends Section 2059.058(b), Government Code, to add a public junior college to a list of entities to which DIR is authorized to provide network security by agreement.

 

SECTION 20. Amends Section 1702.104, Occupations Code, by adding Subsection (c) to provide that the review and analysis of computer-based data for the purpose of preparing for or responding to a cybersecurity event does not constitute an investigation for purposes of this section (Investigations Company) and does not require licensing under this chapter (Private Security).

 

SECTION 21. Amends Chapter 31, Utilities Code, by designating Sections 31.001 through 31.005 as Subchapter A and adding a subchapter heading to read as follows:

 

SUBCHAPTER A. GENERAL PROVISIONS

 

SECTION 22. Amends Chapter 31, Utilities Code, by adding Subchapter B, as follows:

 

SUBCHAPTER B. CYBERSECURITY

 

Sec. 31.051. DEFINITION. Defines "utility."

 

Sec. 31.052. CYBERSECURITY COORDINATION PROGRAM FOR UTILITIES. (a) Requires the Public Utility Commission of Texas (PUC) to establish a program to monitor cybersecurity efforts among utilities in this state. Requires the program to:

 

(1) provide guidance on best practices in cybersecurity and facilitate the sharing of cybersecurity information between utilities; and

 

(2) provide guidance on best practices for cybersecurity controls for supply chain risk management of cybersecurity systems used by utilities, which may include, as applicable, best practices related to:

 

(A) software integrity and authenticity;

 

(B) vendor risk management and procurement controls, including notification by vendors of incidents related to the vendor's products and services; and

 

(C) vendor remote access.

 

(b) Authorizes the PUC to collaborate with the state cybersecurity coordinator and the cybersecurity council established under Chapter 2054, Government Code, in implementing the program.

 

SECTION 23. Amends Section 39.151, Utilities Code, by adding Subsections (o) and (p), as follows:

 

(o) Requires an independent organization certified by the PUC under this section (Essential Organizations) to:

 

(1) conduct internal cybersecurity risk assessment, vulnerability testing, and employee training to the extent the independent organization is not otherwise required to do so under applicable state and federal cybersecurity and information laws; and

 

(2) submit a report annually to the PUC on the independent organization's compliance with applicable cybersecurity and information security laws.

 

(p) Provides that information submitted in a report under Subsection (o) is confidential and not subject to disclosure under Chapter 552 (Public Information), Government Code.

 

SECTION 24. Repealer: Section 2054.119 (Bids or Proposals For Interagency Contracts), Government Code.

 

Repealer: Section 2054.513 (Cybersecurity Approval Seal), Government Code.

 

Repealer: Section 2054.517 (Data Security Procedures For Online and Mobile Applications of Institutions of Higher Education), Government Code.

 

SECTION 25. Provides that, to the extent of any conflict, this Act prevails over another Act of the 86th Legislature, Regular Session, 2019, relating to nonsubstantive additions and corrections in enacted codes.

 

SECTION 26. Effective date: September 1, 2019.