BILL ANALYSIS

 

 

Senate Research Center

S.B. 820

 

By: Nelson

 

Education

 

6/17/2019

 

Enrolled

 

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

As school districts move from paper files to computers and data systems, valuable student and employee data is a target for cyber criminals. The Data Security Advisory Committee (DSAC) recently put together a list of priorities for the upcoming session. The DSAC provides guidance to Texas education communities (K-12), maximizing collaboration and communication regarding information security issues and resources.

 

S.B. 820 seeks to implement recommendations from the DSAC to protect vulnerable student and employee data from cyber criminals. (Original Author's/Sponsor's Statement of Intent)

 

S.B. 820 amends current law relating to a requirement that a school district adopt a cybersecurity policy.

 

RULEMAKING AUTHORITY

 

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1. Amends Subchapter D, Chapter 11, Education Code, by adding Section 11.175, as follows:

 

Sec. 11.175. DISTRICT CYBERSECURITY. (a) Defines "breach of system security," "cyber attack," and "cybersecurity" for purposes of this section.

 

(b) Requires each school district to adopt a cybersecurity policy to:

 

(1) secure district cyberinfrastructure against cyber attacks and other cybersecurity incidents; and

 

(2) determine cybersecurity risk and implement mitigation planning.

 

(c) Prohibits a school district's cybersecurity policy from conflicting with the information security standards for institutions of higher education adopted by the Texas Department of Information Resources under Chapters 2054 (Information Resources) and 2059 (Texas Computer Network Security System), Government Code.

 

(d) Requires the superintendent of each school district to designate a cybersecurity coordinator to serve as a liaison between the district and the Texas Education Agency (TEA) in cybersecurity matters.

 

(e) Requires the district's cybersecurity coordinator to report to TEA any cyber attack or other cybersecurity incident against the district cyberinfrastructure that constitutes a breach of system security as soon as practicable after the discovery of the attack or incident.

 

(f) Requires the district's cybersecurity coordinator to provide notice to a parent of or person standing in parental relation to a student enrolled in the district of an attack or incident for which a report is required under Subsection (e) involving the student's information.

 

SECTION 2. Effective date: September 1, 2019.