By: Harris of Williamson H.B. No. 4023
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to security procedures for digital applications that pose
  a network security risk to state agencies.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Chapter 2054, Government Code, is amended by
  adding Subchapter S to read as follows:
  SUBCHAPTER S.  DIGITAL APPLICATION SECURITY PROCEDURES
         Sec. 2054.621.  DEFINITIONS. In this subchapter:
               (1)  "Digital application" means an Internet website or
  application that is open to the public, allows a user to create an
  account, and enables a user to communicate with other users by
  posting information, comments, messages, images, or video.  The
  term does not include:
                     (A)  an Internet service provider, as defined by
  Section 324.055, Business & Commerce Code;
                     (B)  e-mail; or
                     (C)  an online service, application, or Internet
  website:
                           (i)  that consists primarily of news,
  sports, entertainment, or other content preselected by the provider
  that is not user generated; and
                           (ii)  for which any chat, comment, or
  interactive functionality is incidental to, directly related to, or
  dependent on provision of the content described by Subparagraph
  (i).
               (2)  "Network security" has the meaning assigned by
  Section 2059.001.
               (3)  "User" means a person who posts, uploads,
  transmits, shares, or otherwise publishes or receives content
  through a digital application.
         Sec. 2054.622.  DIGITAL APPLICATION SECURITY RISK LIST. The
  department shall:
               (1)  compile, maintain, and annually update a list of
  digital applications that create a network security risk to state
  agencies;
               (2)  limit or prohibit the placement and use of digital
  applications on the list under Subdivision (1) on:
                     (A)  state-owned cell phones, computers, and
  other communication devices; and
                     (B)  personal communication devices of state
  agency employees that are used in the agency's office or other
  workplace; and
               (3)  post the list under Subdivision (1) on a publicly
  accessible web page on the department's Internet website.
         Sec. 2054.623.  DIGITAL APPLICATION SECURITY MODEL POLICY
  FOR STATE AGENCIES.  The department shall develop, maintain, and
  periodically update a model policy for state agencies to use under
  Section 2054.624 in limiting or prohibiting the placement and use
  on communication devices of the digital applications included on
  the list compiled under Section 2054.622.
         Sec. 2054.624.  STATE AGENCY DIGITAL APPLICATION SECURITY
  POLICY.  (a)  Each state agency shall develop, implement, and
  periodically update a policy limiting or prohibiting the placement
  and use of digital applications included on the list compiled under
  Section 2054.622 on:
               (1)  state-owned cell phones, computers, and other
  communication devices; and
               (2)  personal communication devices of state agency
  employees that are used in the agency's office or other workplace.
         (b)  Each state agency shall submit to the department a copy
  of the policy required under Subsection (a) and updates to the
  policy.
         (c)  The department:
               (1)  may offer recommendations for improvements to
  submitted policies;
               (2)  shall retain each copy and update submitted under
  Subsection (b); and
               (3)  shall notify each member of the legislature and
  the governor when a state agency submits a policy or update.
         Sec. 2054.625.  DISCLOSURE EXEMPTION. The model policy and
  state agency policies developed under this subchapter are exempt
  from disclosure under Chapter 552.
         Sec. 2054.626.  RULEMAKING AUTHORITY.  The department may
  adopt rules to implement this subchapter.
         SECTION 2.  (a)  As soon as practicable after the effective
  date of this Act, but not later than January 1, 2024, the Department
  of Information Resources shall develop the digital application
  security risk list and model policy as required by Subchapter S,
  Chapter 2054, Government Code, as added by this Act.
         (b)  A state agency is not required to comply with Section
  2054.624, Government Code, as added by this Act, until May 1, 2024.
         SECTION 3.  This Act takes effect September 1, 2023.