BILL ANALYSIS

 

 

Senate Research Center

C.S.H.B. 1118

87R21561 E

By: Capriglione (Paxton)

 

Finance

 

4/20/2021

 

Committee Report (Substituted)

 

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

Cybersecurity and data privacy continue to be a primary concern. Over the past year, the state has continued to witness cyber attacks against governmental entities, both at the state and local levels of government. As the state performs more business functions, transactions, and open meetings online, it is increasingly important to ensure that employees and officials are aware of common cyber attacks.

 

The 86th Legislature passed H.B. 3834, which requires state and local government employees, appointed agency commissioners, elected local officials, and state and local contractors to take a cybersecurity awareness training. Interested parties identified some areas of this statute that need clarification to best implement the training and ensure compliance.

 

H.B. 1118 provides consistency in the implementation and requirements of the cybersecurity training between state and local governments and tracks compliance with the cybersecurity training through consistency in the reporting, a common list of training modules provided by the Texas Department of Information Resources through a portal, and common requirements for who is required to take the cybersecurity training between the state and local governments.

 

(Original Author's/Sponsor's Statement of Intent)

 

C.S.H.B. 1118 amends current law relating to state agency and local government compliance with cybersecurity training requirements.

 

RULEMAKING AUTHORITY

 

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1. Amends Subchapter A, Chapter 772, Government Code, by adding Section 772.012, as follows:

 

Sec. 772.012. COMPLIANCE WITH CYBERSECURITY TRAINING REQUIREMENTS. (a) Defines "local government."

 

(b) Requires a local government, to apply for a grant under Chapter 772 (Governmental Planning), to submit with the grant application a written certification of the local government's compliance with the cybersecurity training required by Section 2054.5191 (Cyber Security Training Required; Certain Employees).

 

(c) Requires the local government, on a determination by the criminal justice division established under Section 772.006 (Governor's Criminal Justice Division) that a local government awarded a grant under this chapter has not complied with the cybersecurity training required by Section 2054.5191, to pay to this state an amount equal to the amount of the grant award. Provides that a local government that is the subject of a determination described by this subsection is ineligible for another grant under this chapter until the second anniversary of the date the local government is determined ineligible.

 

SECTION 2. Amends the heading to Section 2054.5191, Government Code, to read as follows:

 

Sec. 2054.5191. CYBERSECURITY TRAINING REQUIRED: CERTAIN EMPLOYEES AND OFFICIALS.

 

SECTION 3. Amends Section 2054.5191, Government Code, by amending Subsections (a-1) and (b) and adding Subsections (a-2), (e), and (f), as follows:

 

(a-1) Requires a local government, at least once each year, to:

 

(1) identify local government employees and elected and appointed officials who have access to a local government computer system or database and use a computer to perform at least 25 percent of the employee's or official's required duties; and

 

(2) require the employees and officials identified under Subdivision (1) to complete a cybersecurity training program certified under Section 2054.519 (State Certified Cybersecurity Training Programs), rather than certified under Section 2054.519 or offered under Section 2054.519(f) (relating to authorizing a local government that employs a dedicated information resources cybersecurity officer to offer to its employees a cybersecurity training program that satisfies the requirements).

 

Makes conforming and nonsubstantive changes.

 

(a-2) Authorizes the governing body of a local government or the governing body's designee to deny access to the local government's computer system or database to an individual described by Subsection (a-1)(1) who the governing body or the governing body's designee determines is noncompliant with the requirements of Subsection (a-1)(2).

 

(b) Authorizes the governing body of a local government to select the most appropriate cybersecurity training program certified under Section 2054.519, rather than certified under Section 2054.519 or offered under Section 2054.519(f), for employees and officials of the local government to complete. Makes a conforming change.

 

(e) Requires the Texas Department of Information Resources (DIR) to develop a form for use by state agencies and local governments in verifying completion of cybersecurity training program requirements under this section. Requires that the form allow the state agency and local government to indicate the percentage of employee completion.

 

(f) Provides that the requirements of Subsections (a) (relating to requiring each state agency to identify state employees who use a computer to complete at least 25 percent of the employee's required duties) and (a-1) do not apply to employees who have been:

 

(1) granted military leave;

 

(2) granted leave under the federal Family and Medical Leave Act of 1993 (29 U.S.C. Section 2601 et seq.);

 

(3) granted leave related to a sickness or disability covered by workers' compensation benefits, if that employee no longer has access to the state agency's or local government's database and systems;

 

(4) granted any other type of extended leave or authorization to work from an alternative work site if that employee no longer has access to the state agency's or local government's database and systems; or

 

(5) denied access to a local government's computer system or database by the governing body of the local government or the governing body's designee under Subsection (a-2) for noncompliance with the requirements of Subsection (a-1)(2).

 

SECTION 4. Amends Section 2056.002(b), Government Code, as follows:

 

(b) Requires that each state agency's strategic plan, unless modified by the Legislative Budget Board and the governor's office, and except as provided by Subsection (c) (relating to requiring a state agency to include a reason for omitting a required element of the strategic plan), include certain information, including a written certification of the agency's compliance with the cybersecurity training required under Sections 2054.5191 and 2054.5192 (Cybersecurity Training Required: Certain State Contractors). Makes nonsubstantive changes.

 

SECTION 5. Repealer: Section 2054.519(f) (relating to authorizing a local government that employs a dedicated information resources cybersecurity officer to offer to its employees a cybersecurity training program that satisfies applicable requirements), Government Code, as added by Chapter 1308 (H.B. 3834), Acts of the 86th Legislature, Regular Session, 2019.

 

SECTION 6. (a) Makes application of Section 772.012, Government Code, as added by this Act, prospective to September 1, 2021.

 

(b) Makes application of Section 2056.002(b), Government Code, as amended by this Act, prospective to January 1, 2022.

 

SECTION 7. Effective date: upon passage or September 1, 2021.