BILL ANALYSIS

C.S.H.B. 1118

By: Capriglione

State Affairs

Committee Report (Substituted)

BACKGROUND AND PURPOSE

The 86th Texas Legislature enacted legislation requiring state and local government employees, amongst others, to complete a cybersecurity training program. In implementing this law, local government officials identified a number of issues that needed to be addressed, including the fact that local governments must identify employees who are subject to the training requirements and that all local elected officials, regardless of whether they use a computer as part of their duties, are required to take the training. C.S.H.B. 1118 seeks to apply the training requirements on a uniform basis for state agencies and local governments, which will require local government employees and elected and appointed officials who use a computer for at least 25 percent of their assigned duties to complete the cybersecurity training, while tying certain state grant funding to completion of the training requirements in an effort to ensure compliance.

CRIMINAL JUSTICE IMPACT

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

RULEMAKING AUTHORITY

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

ANALYSIS

C.S.H.B. 1118 amends the Government Code to do the following with respect to the requirement for a local government employee with access to a local government computer system or database to periodically complete a certified cybersecurity training program:

· limit the employees to which that requirement applies to employees who have such access and who use a computer to perform at least 25 percent of the employee's required duties; and

· apply the requirement to elected and appointed local government officials on the same basis as it applies to governmental employees.

The bill repeals the authorization for a local government that employs a dedicated information resources cybersecurity officer to offer its own cybersecurity training program to its employees as an alternative to completing one of the cybersecurity training programs certified by the Department of Information Resources (DIR).

C.S.H.B. 1118 requires DIR to develop a form for use by state agencies and local governments in verifying their employees have completed applicable cybersecurity training requirements. The form must allow the state agency and local government to indicate the percentage of employee completion. The bill exempts from the requisite cybersecurity training the employees of a state agency or local government who have been granted the following:

· military leave;

· leave under the federal Family and Medical Leave Act of 1993; or

· any other type of extended leave or authorization to work from an alternative work site, including leave related to a sickness or disability covered by workers' compensation benefits, if that employee no longer has access to the state agency's or local government's database and systems.

C.S.H.B. 1118 requires a local government applying for a grant under an applicable governmental planning grant program administered by the governor's criminal justice division on or after September 1, 2021, to submit with the grant application a written certification of compliance with the cybersecurity training requirements for local government employees and officials. A local government that the division determines has not complied with the training requirements after being awarded a grant:

· must pay the state an amount equal to the amount of the grant award; and

· is ineligible for another governmental planning grant until the second anniversary of the date the local government is determined ineligible.

C.S.H.B. 1118 requires each applicable state agency strategic plan of operation submitted on or after January 1, 2022, to include a written certification of the agency's compliance with applicable cybersecurity training requirements.

C.S.H.B. 1118 repeals Section 2054.519(f), Government Code, as added by Chapter 1308 (H.B. 3834), Acts of the 86th Legislature, Regular Session, 2019.

EFFECTIVE DATE

On passage, or, if the bill does not receive the necessary vote, September 1, 2021.

COMPARISON OF ORIGINAL AND SUBSTITUTE

While C.S.H.B. 1118 may differ from the original in minor or nonsubstantive ways, the following summarizes the substantial differences between the introduced and committee substitute versions of the bill.

The substitute does the following:

· repeals the authorization for certain local governments to offer a cybersecurity training program as an alternative to DIR-certified programs;

· requires DIR to develop a form for use in verifying employee compliance with cybersecurity training requirements; and

· exempts employees who have been granted an applicable type of leave or authorization to work from an alternative work site from the cybersecurity training requirements.