87R10726 CXP-D
 
  By: Capriglione H.B. No. 3743
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to cybersecurity and privacy regarding distance learning
  in public schools and prohibiting ransomware payments by certain
  governmental entities.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 11.175, Education Code, is amended by
  adding Subsection (g) to read as follows:
         (g)  Each school district that contracts with an outside
  provider to provide web services to facilitate distance learning
  shall maintain a contractual agreement with the provider that
  ensures:
               (1)  an industry-standard base level of cybersecurity
  and privacy protection for students and educators; and
               (2)  compliance with all applicable state and federal
  law governing the confidentiality of student and educator
  information.
         SECTION 2.  Subchapter D, Chapter 32, Education Code, is
  amended by adding Section 32.158 to read as follows:
         Sec. 32.158.  RECORDINGS OF DISTANCE LEARNING INSTRUCTION.
  (a) A school district may not retain a recording of distance
  learning instruction for more than 30 days after the date the
  recording is made, except to comply with recording and retention
  laws applicable to students enrolled in special education programs
  under Subchapter A, Chapter 29.
         (b)  A recording of distance learning instruction is
  confidential and is not subject to:
               (1)  the open meetings law, Chapter 551, Government
  Code; or
               (2)  disclosure under Chapter 552, Government Code.
         SECTION 3.  Chapter 370, Local Government Code, is amended
  by adding Section 370.007 to read as follows:
         Sec. 370.007.  RANSOMWARE PAYMENTS PROHIBITED. (a) In this
  section:
               (1)  "Local government" has the meaning assigned by
  Section 271.081.
               (2)  "Ransomware" has the meaning assigned by Section
  33.023, Penal Code.
         (b)  A local government or open-enrollment charter school
  may not make a ransomware payment related to a ransomware cyber
  attack.
         (c)  As soon as practicable after discovering a ransomware
  cyber attack, a local government or open-enrollment charter school
  shall report the attack to the office of the attorney general and to
  the information sharing and analysis organization established by
  the Department of Information Resources under Section 2054.0594,
  Government Code.
         SECTION 4.  This Act takes effect September 1, 2021.