S.B. No. 64
 
 
 
 
AN ACT
  relating to cybersecurity for information resources.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Subchapter C, Chapter 61, Education Code, is
  amended by adding Sections 61.09091 and 61.09092 to read as
  follows:
         Sec. 61.09091.  STRATEGIES TO INCENTIVIZE CYBERSECURITY
  DEGREE PROGRAMS. (a)  The board in collaboration with the
  Department of Information Resources shall identify and develop
  strategies to incentivize institutions of higher education to
  develop degree programs in cybersecurity.
         (b)  The board shall consult with institutions of higher
  education as necessary to carry out its duties under this section.
         (c)  Not later than September 1, 2020, the board shall submit
  a written report detailing the strategies identified under this
  section to the lieutenant governor, the speaker of the house of
  representatives, the presiding officer of each legislative
  standing committee with primary jurisdiction over higher
  education, and each governing board of an institution of higher
  education.
         (d)  This section expires September 1, 2021.
         Sec. 61.09092.  COORDINATION OF CYBERSECURITY COURSEWORK
  DEVELOPMENT. (a)  In this section, "lower-division institution of
  higher education" means a public junior college, public state
  college, or public technical institute.
         (b)  The board, in consultation with the Department of
  Information Resources, shall coordinate with lower-division
  institutions of higher education and entities that administer or
  award postsecondary industry certifications or other workforce
  credentials in cybersecurity to develop certificate programs or
  other courses of instruction leading toward those certifications or
  credentials that may be offered by lower-division institutions of
  higher education.
         (c)  The board may adopt rules as necessary for the
  administration of this section.
         SECTION 2.  Section 418.004(1), Government Code, is amended
  to read as follows:
               (1)  "Disaster" means the occurrence or imminent threat
  of widespread or severe damage, injury, or loss of life or property
  resulting from any natural or man-made cause, including fire,
  flood, earthquake, wind, storm, wave action, oil spill or other
  water contamination, volcanic activity, epidemic, air
  contamination, blight, drought, infestation, explosion, riot,
  hostile military or paramilitary action, extreme heat,
  cybersecurity event, other public calamity requiring emergency
  action, or energy emergency.
         SECTION 3.  Subchapter F, Chapter 437, Government Code, is
  amended by adding Section 437.255 to read as follows:
         Sec. 437.255.  ASSISTING TEXAS STATE GUARD WITH CYBER
  OPERATIONS. To serve the state and safeguard the public from
  malicious cyber activity, the governor may command the Texas
  National Guard to assist the Texas State Guard with defending the
  state's cyber operations.
         SECTION 4.  The heading to Section 656.047, Government Code,
  is amended to read as follows:
         Sec. 656.047.  PAYMENT OF PROGRAM AND CERTIFICATION
  EXAMINATION EXPENSES.
         SECTION 5.  Section 656.047, Government Code, is amended by
  adding Subsection (a-1) to read as follows:
         (a-1)  A state agency may spend public funds as appropriate
  to reimburse a state agency employee or administrator who serves in
  an information technology, cybersecurity, or other cyber-related
  position for fees associated with industry-recognized
  certification examinations.
         SECTION 6.  Section 815.103, Government Code, is amended by
  adding Subsection (g) to read as follows:
         (g)  The retirement system shall comply with cybersecurity
  and information security standards established by the Department of
  Information Resources under Chapter 2054.
         SECTION 7.  Section 825.103, Government Code, is amended by
  amending Subsection (e) and adding Subsection (e-1) to read as
  follows:
         (e)  Except as provided by Subsection (e-1), Chapters 2054
  and 2055 do not apply to the retirement system.  The board of
  trustees shall control all aspects of information technology and
  associated resources relating to the retirement system, including
  computer, data management, and telecommunication operations,
  procurement of hardware, software, and middleware, and
  telecommunication equipment and systems, location, operation, and
  replacement of computers, computer systems, and telecommunication
  systems, data processing, security, disaster recovery, and
  storage.  The Department of Information Resources shall assist the
  retirement system at the request of the retirement system, and the
  retirement system may use any service that is available through
  that department.
         (e-1)  The retirement system shall comply with cybersecurity
  and information security standards established by the Department of
  Information Resources under Chapter 2054.
         SECTION 8.  Section 2054.0075, Government Code, is amended
  to read as follows:
         Sec. 2054.0075.  EXCEPTION:  PUBLIC JUNIOR COLLEGE.  This
  chapter does not apply to a public junior college or a public junior
  college district, except as necessary to comply with information
  security standards and for participation in shared technology
  services, including the electronic government project implemented
  under Subchapter I and statewide technology centers under
  Subchapter L [except as to Section 2054.119, Government Code].
         SECTION 9.  Section 2054.0591(a), Government Code, is
  amended to read as follows:
         (a)  Not later than November 15 of each even-numbered year,
  the department shall submit to the governor, the lieutenant
  governor, the speaker of the house of representatives, and the
  standing committee of each house of the legislature with primary
  jurisdiction over state government operations a report identifying
  preventive and recovery efforts the state can undertake to improve
  cybersecurity in this state.  The report must include:
               (1)  an assessment of the resources available to
  address the operational and financial impacts of a cybersecurity
  event;
               (2)  a review of existing statutes regarding
  cybersecurity and information resources technologies;
               (3)  recommendations for legislative action to
  increase the state's cybersecurity and protect against adverse
  impacts from a cybersecurity event; and
               (4)  an evaluation of a program that provides an
  information security officer to assist small state agencies and
  local governments that are unable to justify hiring a full-time
  information security officer [the costs and benefits of
  cybersecurity insurance; and
               [(5)     an evaluation of tertiary disaster recovery
  options].
         SECTION 10.  Section 2054.0594, Government Code, is amended
  to read as follows:
         Sec. 2054.0594.  INFORMATION SHARING AND ANALYSIS
  ORGANIZATION [CENTER]. (a)  The department shall establish an
  information sharing and analysis organization [center] to provide a
  forum for state agencies, local governments, public and private
  institutions of higher education, and the private sector to share
  information regarding cybersecurity threats, best practices, and
  remediation strategies.
         (b)  [The department shall appoint persons from appropriate
  state agencies to serve as representatives to the information
  sharing and analysis center.
         [(c)]  The department[, using funds other than funds
  appropriated to the department in a general appropriations act,]
  shall provide administrative support to the information sharing and
  analysis organization [center].
         (c)  A participant in the information sharing and analysis
  organization shall assert any exception available under state or
  federal law, including Section 552.139, in response to a request
  for public disclosure of information shared through the
  organization.  Section 552.007 does not apply to information
  described by this subsection.
         SECTION 11.  Section 2054.068(e), Government Code, is
  amended to read as follows:
         (e)  The consolidated report required by Subsection (d)
  must:
               (1)  include an analysis and assessment of each state
  agency's security and operational risks; and
               (2)  for a state agency found to be at higher security
  and operational risks, include a detailed analysis of agency
  efforts to address the risks and related vulnerabilities[, and an
  estimate of the costs to implement, the:
                     [(A)     requirements for the agency to address the
  risks and related vulnerabilities; and
                     [(B)     agency's efforts to address the risks
  through the:
                           [(i)     modernization of information
  technology systems;
                           [(ii)  use of cloud services; and
                           [(iii)     use of a statewide technology center
  established by the department].
         SECTION 12.  Subchapter C, Chapter 2054, Government Code, is
  amended by adding Section 2054.069 to read as follows:
         Sec. 2054.069.  PRIORITIZED CYBERSECURITY AND LEGACY SYSTEM
  PROJECTS REPORT. (a)  Not later than October 1 of each
  even-numbered year, the department shall submit a report to the
  Legislative Budget Board that prioritizes, for the purpose of
  receiving funding, state agency:
               (1)  cybersecurity projects; and
               (2)  projects to modernize or replace legacy systems,
  as defined by Section 2054.571.
         (b)  Each state agency shall coordinate with the department
  to implement this section.
         (c)  A state agency shall assert any exception available
  under state or federal law, including Section 552.139, in response
  to a request for public disclosure of information contained in or
  written, produced, collected, assembled, or maintained in
  connection with the report under Subsection (a).  Section 552.007
  does not apply to information described by this subsection.
         SECTION 13.  Sections 2054.077(b) and (d), Government Code,
  are amended to read as follows:
         (b)  The information security officer [resources manager] of
  a state agency shall prepare or have prepared a report, including an
  executive summary of the findings of the biennial report, not later
  than October 15 of each even-numbered year, assessing the extent to
  which a computer, a computer program, a computer network, a
  computer system, a printer, an interface to a computer system,
  including mobile and peripheral devices, computer software, or data
  processing of the agency or of a contractor of the agency is
  vulnerable to unauthorized access or harm, including the extent to
  which the agency's or contractor's electronically stored
  information is vulnerable to alteration, damage, erasure, or
  inappropriate use.
         (d)  The information security officer [resources manager]
  shall provide an electronic copy of the vulnerability report on its
  completion to:
               (1)  the department;
               (2)  the state auditor;
               (3)  the agency's executive director;
               (4)  the agency's designated information resources
  manager; and
               (5) [(4)]  any other information technology security
  oversight group specifically authorized by the legislature to
  receive the report.
         SECTION 14.  Section 2054.1125, Government Code, is amended
  by amending Subsection (b) and adding Subsection (c) to read as
  follows:
         (b)  A state agency that owns, licenses, or maintains
  computerized data that includes sensitive personal information,
  confidential information, or information the disclosure of which is
  regulated by law shall, in the event of a breach or suspected breach
  of system security or an unauthorized exposure of that information:
               (1)  comply with the notification requirements of
  Section 521.053, Business & Commerce Code, to the same extent as a
  person who conducts business in this state; and
               (2)  not later than 48 hours after the discovery of the
  breach, suspected breach, or unauthorized exposure, notify:
                     (A)  the department, including the chief
  information security officer [and the state cybersecurity
  coordinator]; or
                     (B)  if the breach, suspected breach, or
  unauthorized exposure involves election data, the secretary of
  state.
         (c)  Not later than the 10th business day after the date of
  the eradication, closure, and recovery from a breach, suspected
  breach, or unauthorized exposure, a state agency shall notify the
  department, including the chief information security officer, of
  the details of the event and include in the notification an analysis
  of the cause of the event.
         SECTION 15.  Section 2054.133(e), Government Code, is
  amended to read as follows:
         (e)  Each state agency shall include in the agency's
  information security plan a written document that is signed by
  [acknowledgment that] the [executive director or other] head of the
  agency, the chief financial officer, and each executive manager
  [as] designated by the state agency and states that those persons
  have been made aware of the risks revealed during the preparation of
  the agency's information security plan.
         SECTION 16.  Section 2054.516, Government Code, as added by
  Chapters 683 (H.B. 8) and 955 (S.B. 1910), Acts of the 85th
  Legislature, Regular Session, 2017, is reenacted and amended to
  read as follows:
         Sec. 2054.516.  DATA SECURITY PLAN FOR ONLINE AND MOBILE
  APPLICATIONS. (a)  Each state agency[, other than an institution
  of higher education subject to Section 2054.517,] implementing an
  Internet website or mobile application that processes any sensitive
  personal or personally identifiable information or confidential
  information must:
               (1)  submit a biennial data security plan to the
  department not later than October 15 of each even-numbered year to
  establish planned beta testing for the website or application; and
               (2)  subject the website or application to a
  vulnerability and penetration test and address any vulnerability
  identified in the test.
         (b)  The department shall review each data security plan
  submitted under Subsection (a) and make any recommendations for
  changes to the plan to the state agency as soon as practicable after
  the department reviews the plan.
         SECTION 17.  Subchapter N-1, Chapter 2054, Government Code,
  is amended by adding Section 2054.519 to read as follows:
         Sec. 2054.519.  CYBERSTAR PROGRAM; CERTIFICATE OF APPROVAL.
  (a)  The state cybersecurity coordinator, in collaboration with
  the cybersecurity council and public and private entities in this
  state, shall develop best practices for cybersecurity that include:
               (1)  measureable, flexible, and voluntary
  cybersecurity risk management programs for public and private
  entities to adopt to prepare for and respond to cyber incidents that
  compromise the confidentiality, integrity, and availability of the
  entities' information systems;
               (2)  appropriate training and information for
  employees or other individuals who are most responsible for
  maintaining security of the entities' information systems;
               (3)  consistency with the National Institute of
  Standards and Technology standards for cybersecurity;
               (4)  public service announcements to encourage
  cybersecurity awareness; and
               (5)  coordination with local and state governmental
  entities.
         (b)  The state cybersecurity coordinator shall establish a
  cyberstar certificate program to recognize public and private
  entities that implement the best practices for cybersecurity
  developed in accordance with Subsection (a). The program must
  allow a public or private entity to submit to the department a form
  certifying that the entity has complied with the best practices and
  the department to issue a certificate of approval to the entity.
  The entity may include the certificate of approval in
  advertisements and other public communications.
         SECTION 18.  Chapter 2054, Government Code, is amended by
  adding Subchapter R to read as follows:
  SUBCHAPTER R.  INFORMATION RESOURCES OF GOVERNMENTAL ENTITIES
         Sec. 2054.601.  USE OF NEXT GENERATION TECHNOLOGY. Each
  state agency and local government shall, in the administration of
  the agency or local government, consider using next generation
  technologies, including cryptocurrency, blockchain technology, and
  artificial intelligence.
         Sec. 2054.602.  LIABILITY EXEMPTION. A person who in good
  faith discloses to a state agency or other governmental entity
  information regarding a potential security issue with respect to
  the agency's or entity's information resources technologies is not
  liable for any civil damages resulting from disclosing the
  information unless the person stole, retained, or sold any data
  obtained as a result of the security issue.
         SECTION 19.  Section 2059.058(b), Government Code, is
  amended to read as follows:
         (b)  In addition to the department's duty to provide network
  security services to state agencies under this chapter, the
  department by agreement may provide network security to:
               (1)  each house of the legislature;
               (2)  an agency that is not a state agency, including a
  legislative agency;
               (3)  a political subdivision of this state, including a
  county, municipality, or special district; [and]
               (4)  an independent organization, as defined by Section
  39.151, Utilities Code; and
               (5)  a public junior college.
         SECTION 20.  Section 1702.104, Occupations Code, is amended
  by adding Subsection (c) to read as follows:
         (c)  The review and analysis of computer-based data for the
  purpose of preparing for or responding to a cybersecurity event
  does not constitute an investigation for purposes of this section
  and does not require licensing under this chapter.
         SECTION 21.  Chapter 31, Utilities Code, is amended by
  designating Sections 31.001 through 31.005 as Subchapter A and
  adding a subchapter heading to read as follows:
  SUBCHAPTER A.  GENERAL PROVISIONS
         SECTION 22.  Chapter 31, Utilities Code, is amended by
  adding Subchapter B to read as follows:
  SUBCHAPTER B.  CYBERSECURITY
         Sec. 31.051.  DEFINITION. In this subchapter, "utility"
  means:
               (1)  an electric cooperative;
               (2)  an electric utility;
               (3)  a municipally owned electric utility; or
               (4)  a transmission and distribution utility.
         Sec. 31.052.  CYBERSECURITY COORDINATION PROGRAM FOR
  UTILITIES. (a)  The commission shall establish a program to
  monitor cybersecurity efforts among utilities in this state.  The
  program shall:
               (1)  provide guidance on best practices in
  cybersecurity and facilitate the sharing of cybersecurity
  information between utilities; and
               (2)  provide guidance on best practices for
  cybersecurity controls for supply chain risk management of
  cybersecurity systems used by utilities, which may include, as
  applicable, best practices related to:
                     (A)  software integrity and authenticity;
                     (B)  vendor risk management and procurement
  controls, including notification by vendors of incidents related to
  the vendor's products and services; and
                     (C)  vendor remote access.
         (b)  The commission may collaborate with the state
  cybersecurity coordinator and the cybersecurity council
  established under Chapter 2054, Government Code, in implementing
  the program.
         SECTION 23.  Section 39.151, Utilities Code, is amended by
  adding Subsections (o) and (p) to read as follows:
         (o)  An independent organization certified by the commission
  under this section shall:
               (1)  conduct internal cybersecurity risk assessment,
  vulnerability testing, and employee training to the extent the
  independent organization is not otherwise required to do so under
  applicable state and federal cybersecurity and information
  security laws; and
               (2)  submit a report annually to the commission on the
  independent organization's compliance with applicable
  cybersecurity and information security laws.
         (p)  Information submitted in a report under Subsection (o)
  is confidential and not subject to disclosure under Chapter 552,
  Government Code.
         SECTION 24.  Sections 2054.119, 2054.513, and 2054.517,
  Government Code, are repealed.
         SECTION 25.  To the extent of any conflict, this Act prevails
  over another Act of the 86th Legislature, Regular Session, 2019,
  relating to nonsubstantive additions and corrections in enacted
  codes.
         SECTION 26.  This Act takes effect September 1, 2019.
 
 
 
 
 
  ______________________________ ______________________________
     President of the Senate Speaker of the House     
 
         I hereby certify that S.B. No. 64 passed the Senate on
  April 26, 2019, by the following vote: Yeas 30, Nays 0; and that
  the Senate concurred in House amendments on May 24, 2019, by the
  following vote: Yeas 31, Nays 0.
 
 
  ______________________________
  Secretary of the Senate    
 
         I hereby certify that S.B. No. 64 passed the House, with
  amendments, on May 22, 2019, by the following vote: Yeas 142,
  Nays 1, two present not voting.
 
 
  ______________________________
  Chief Clerk of the House   
 
 
 
  Approved:
 
  ______________________________ 
              Date
 
 
  ______________________________ 
            Governor