BILL ANALYSIS

 

 

 

C.S.H.B. 4944

By: Buckley

Public Education

Committee Report (Substituted)

 

 

 

BACKGROUND AND PURPOSE

 

Cybersecurity and information security threats are concerns for government agencies across all sectors. Although under current law each public school district must adopt a cybersecurity policy, designate a cybersecurity coordinator, and report any security breaches to the Texas Education Agency (TEA), many of Texas' districts, which number over 1,200, need better resources to protect against sophisticated cyberattacks and data privacy threats. Leveraging state resources, state uniform standards, and state technical expertise, instead of having districts each develop their own network, may allow districts to focus on education delivery instead of using funds to add information security officers to their central administrative staff. Uniform defense tools and common security features are easier to maintain and oversee collectively than when each district handles that maintenance and oversight independently.

 

C.S.H.B. 4944 seeks to provide for the development of cybersecurity controls and requirements through the function and expertise of both TEA and the Department of Information Resources (DIR). The bill authorizes DIR to provide technical assistance to districts and open-enrollment charter schools regarding the cybersecurity controls, requirements, and network operations and to perform a cybersecurity risk assessment of a district or charter school on request of specified entities.

 

CRIMINAL JUSTICE IMPACT

 

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that rulemaking authority is expressly granted to the commissioner of education in SECTION 2 of this bill, the Department of Information Resources in SECTION 3 of this bill, and the Texas Education Agency in SECTION 7 of this bill.

 

ANALYSIS

 

C.S.H.B. 4944 amends the Education Code to require the Texas Education Agency (TEA), a public school district, or an open-enrollment charter school, as applicable, to protect the privacy of student education records in a manner that is at least as stringent as that provided under the federal Family Educational Rights and Privacy Act of 1974, as that law existed on January 1, 2023.

 

C.S.H.B. 4944 requires the commissioner of education to adopt cybersecurity controls and requirements for districts, open-enrollment charter schools, and district and charter school vendors in consultation with and as recommended by the Department of Information Resources (DIR). The bill requires each district and charter school to implement those cybersecurity controls and requirements. The bill authorizes TEA to contract with a regional education service center, a private entity, DIR, or a regional network security center in the Texas Computer Network Security System to implement the bill's provisions relating to cybersecurity controls and requirements. The bill requires the commissioner to adopt rules as necessary to implement these provisions and to review and amend the rules as necessary not later than September 1 of each even-numbered year to ensure that those controls and requirements continue to provide effective cybersecurity protection for districts and charter schools.

 

C.S.H.B. 4944 requires an independent school district's cybersecurity policy to comply with the controls and requirements adopted by the commissioner under the bill's provisions. The bill repeals a provision that establishes that only an independent school district's cybersecurity coordinator is required to complete applicable cybersecurity training on an annual basis and requires any other district employee who must complete the cybersecurity training to complete the training as determined by the district, in consultation with the district's cybersecurity coordinator.

 

C.S.H.B. 4944 amends the Government Code to authorize DIR to provide technical assistance to districts and charter schools regarding the implementation of cybersecurity controls, requirements, and network operations as provided by the bill's provisions and to do the following in providing such assistance:

· use services offered by third parties;
· procure technology and services for districts and schools;
· recommend to the Legislative Budget Board that districts and charter schools migrate services to the State Data Center located on the campus of Angelo State University; and
· use the services of a regional network security center established by DIR.

The bill authorizes DIR to adopt rules as necessary to implement these provisions.

 

C.S.H.B. 4944 authorizes DIR to perform a cybersecurity risk assessment of a district or charter school at the request of any of the following persons or entities:

· the commissioner;
· the district superintendent or the person who serves the function of superintendent of the school, as applicable;
· the board of trustees of the district or governing body of a school; or
· the state cybersecurity coordinator after a cybersecurity incident affecting the district or school.

 

C.S.H.B. 4944 includes a charter school and a regional education service center among the entities to which DIR by agreement may provide network security and makes such entities eligible to participate in cybersecurity support and network security provided by a regional network security center established by DIR.

 

C.S.H.B. 4944 requires TEA and DIR to adopt rules necessary to implement the bill's changes not later than March 31, 2024.

 

C.S.H.B. 4944 repeals Section 11.175(g), Education Code, as added by Chapter 1045 (S.B. 1267), Acts of the 87th Legislature, Regular Session, 2021.

 

EFFECTIVE DATE

 

September 1, 2023.

 

COMPARISON OF INTRODUCED AND SUBSTITUTE

 

While C.S.H.B. 4944 may differ from the introduced in minor or nonsubstantive ways, the following summarizes the substantial differences between the introduced and committee substitute versions of the bill.

 

The substitute includes a provision absent from the introduced requiring TEA, a district, or a charter school to protect the privacy of student education records in a manner that is at least as stringent as that provided under the federal Family Educational Rights and Privacy Act of 1974.

 

While both the introduced and the substitute authorize TEA to contract with certain entities to implement the bill's provisions relating to cybersecurity controls and requirements, the substitute includes DIR among those entities, but the introduced did not.

 

Whereas the introduced authorized the Texas Division of Emergency Management to request DIR to perform a cybersecurity risk assessment after a cybersecurity incident affecting the district or charter school, the substitute authorizes the state cybersecurity coordinator instead to request such an assessment from DIR after such an incident. The substitute also includes a district's board of trustees and the governing body of a charter school among the entities who may request DIR to perform such a risk assessment, whereas the introduced did not include those entities in that authorization.

 

While both the introduced and substitute include a charter school among the entities to which DIR may provide network security, the substitute also includes a regional education service center among those entities.