BILL ANALYSIS

C.S.S.B. 1893

By: Birdwell

State Affairs

Committee Report (Substituted)

BACKGROUND AND PURPOSE

 

Governor Abbott, members of the U.S. Congress, and the FBI have all expressed concerns over the potential security risks posed by the use of TikTok. In December 2022, Governor Abbott ordered that all state agencies prohibit the use of TikTok on any government-issued devices. C.S.S.B. 1893 seeks to establish a formal state policy on the use of social media services and applications such as TikTok that pose potential security risks to the state by requiring all state agencies to adopt policies prohibiting the use of certain services and applications identified as posing such potential security risks on any devices owned or leased by the agency, with certain authorized exceptions, including for law enforcement purposes.

 

CRIMINAL JUSTICE IMPACT

 

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

 

ANALYSIS

 

C.S.S.B. 1893 amends the Government Code to require the Department of Information Resources (DIR) and the Department of Public Safety (DPS), in consultation with the governor's office, to jointly identify social media applications or services that pose a threat to the security of the state's sensitive information, critical infrastructure, or both. The bill requires DIR to publish annually and maintain on its publicly accessible website a list of the identified applications. The bill authorizes the governor by executive order to also identify social media applications or services that pose a threat to the security of the state's sensitive information, critical infrastructure, or both.

 

C.S.S.B. 1893 requires all state agencies to adopt a policy that prohibits the installation or use of the following prohibited applications on any device owned or leased by the agency and requires the removal of such applications from those devices:

· a social media application or service included on the list published by DIR; or

· any other social media applications or services specified by an executive order of the governor.

The bill requires DIR and DPS to jointly develop a model policy for state agencies to use in developing their own policies and requires each state agency to adopt its policy not later than the 60th day after the model policy is made available.

 

C.S.S.B. 1893 authorizes an agency's policy to include an exception allowing for the installation and use of a prohibited application to the extent necessary for providing law enforcement, for developing or implementing information security measures, or to allow other legitimate governmental uses as jointly determined by DIR and DPS. The bill requires a policy that allows such limited installation and use of a prohibited application to require the use of measures to mitigate risks to the security of state agency information during the use of the prohibited application and the documentation of those measures. The bill requires the administrative head of a state agency to approve in writing the installation and use of a prohibited application under an exception by agency employees and report the approval to DIR.

 

EFFECTIVE DATE

 

On passage, or, if the bill does not receive the necessary vote, September 1, 2023.

 

COMPARISON OF SENATE ENGROSSED AND SUBSTITUTE

 

While C.S.S.B. 1893 may differ from the engrossed in minor or nonsubstantive ways, the following summarizes the substantial differences between the engrossed and committee substitute versions of the bill.

 

The substitute limits the applicability of the bill's provisions to state agencies, whereas the engrossed applied also to political subdivisions of the state, including a municipality, county, or special purpose district.

 

The substitute expands the social media applications or services subject to the policies required under the bill. Whereas in the engrossed these policies dealt with "covered applications," which were the social media service TikTok or its successors provided by ByteDance Limited, as well as any social media application or service specified by executive order of the governor as posing a similar risk to the security of state agency information, the substitute makes these policies applicable instead with respect to any "prohibited applications," which include those identified by DIR and DPS as posing a threat to the security of the state's sensitive information, critical infrastructure, or both, or specified by executive order of the governor as posing such a threat. Accordingly, the substitute:

· does not include the provision from the engrossed establishing the circumstances under which a social media application is considered to pose a security risk; and

· includes provisions not in the engrossed that require DIR and DPS, in consultation with the governor's office, to jointly identify social media applications or services that pose such a threat and require DIR to publish and maintain on its publicly accessible website a list of prohibited applications.

 

The substitute includes a provision not in the engrossed that requires DIR and DPS to jointly develop a model policy for state agencies to use in developing their own policies. Whereas the engrossed required each state agency to adopt the required policy not later than the 60th day after the bill's effective date, the substitute instead requires the policies to be adopted not later than the 60th day after DIR and DPS make the model policy available.

 

The substitute revises provisions in the engrossed that authorized a state agency policy to include certain exceptions, adding to the authorized exceptions one that allows for the use and installation of a prohibited application to the extent necessary to allow other legitimate governmental uses as determined jointly by DIR and DPS. The substitute includes a provision not in the engrossed requiring the administrative head of a state agency to approve in writing the installation and use of a prohibited application by employees of the state agency in accordance with an exception included in the agency's policy and to report such approval to DIR.