A BILL TO BE ENTITLED

AN ACT

relating to state and local government information technology infrastructure, information security, and data breach and exposure reporting.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. The heading to Section 2054.0594, Government Code, is amended to read as follows:

Sec. 2054.0594. INFORMATION SHARING AND ANALYSIS ORGANIZATIONS [ORGANIZATION].

SECTION 2. Section 2054.0594, Government Code, is amended by amending Subsections (a), (b), and (c) and adding Subsection (a-1) to read as follows:

(a) The department shall establish an intrastate information sharing and analysis organization to provide a forum for state agencies, local governments, public and private institutions of higher education, and [the] private sector entities in this state to share information regarding cybersecurity threats, best practices, and remediation strategies.

(a-1) The department may establish an interstate information sharing and analysis organization to provide a forum for states to share information regarding cybersecurity threats, best practices, and remediation strategies.

(b) The department shall provide administrative support to each [the] information sharing and analysis organization established under this section.

(c) A participant in an [the] information sharing and analysis organization established under this section shall assert any exception available under state or federal law, including Section 552.139, in response to a request for public disclosure of information shared through the organization. Section 552.007 does not apply to information described by this subsection.

SECTION 3. The heading to Section 2054.068, Government Code, is amended to read as follows:

Sec. 2054.068. STATE AGENCY INFORMATION TECHNOLOGY INFRASTRUCTURE: INFORMATION SECURITY RATING; AUDIT; REPORT.

SECTION 4. Section 2054.068, Government Code, is amended by amending Subsections (b), (c), and (d) and adding Subsections (c-1), (c-2), (c-3), (c-4), (e-1), (e-2), and (e-3) to read as follows:

(b) The department shall collect from each state agency information on the status and condition of the agency's information technology infrastructure, including [information regarding]:

(1) information on the agency's information security program;

(2) an inventory of the agency's servers, mainframes, cloud services, and other information technology equipment;

(3) identification information for [of] vendors that operate and manage the agency's information technology infrastructure; [and]

(4) the results of the information security assessment required by Section 2054.515; and

(5) any additional related information requested by the department.

(c) A state agency shall provide the information required by Subsection (b) to the department not later than June 1 of each even-numbered year [according to a schedule determined by the department].

(c-1) The department shall assign to each state agency that is not an institution of higher education one of the following information security ratings based on the agency's information security risk profile:

(1) above average;

(2) average; or

(3) below average.

(c-2) In assigning an information security rating to a state agency under Subsection (c-1), the department shall consider:

(1) the information the agency provides under Subsection (b);

(2) the agency's comprehensive information security risk position relative to the agency's risk environment; and

(3) any additional document or information the department requests from the agency.

(c-3) The department:

(1) shall develop options and make recommendations for improvements in the information security maturity of any state agency assigned an information security rating of below average under Subsection (c-1); and

(2) may assist any state agency in determining whether additional security measures would increase the agency's information security maturity.

(c-4) The department may audit the information security and technology of any state agency assigned an information security rating under Subsection (c-1) or contract with a vendor to perform the audit. The department shall make available on request by any person listed in Subsection (d) the results of an audit conducted under this subsection.

(d) Not later than November 15 of each even-numbered year, the department shall submit to the governor, chair of the house appropriations committee, chair of the senate finance committee, speaker of the house of representatives, lieutenant governor, and staff of the Legislative Budget Board:

(1) a consolidated report of the information submitted by state agencies under Subsection (b); and

(2) any department recommendations relevant to and necessary for improving this state's information technology infrastructure and information security.

(e-1) The department shall compile a summary of the consolidated report required under Subsection (d) and make the summary available to the public. The summary may not disclose any confidential information.

(e-2) The consolidated report required under Subsection (d) and all information a state agency submits to substantiate or otherwise related to the report are confidential and not subject to disclosure under Chapter 552. The state agency or the department may redact or withhold information as confidential under Chapter 552 without requesting a decision from the attorney general under Subchapter G, Chapter 552.

(e-3) Following its review of the consolidated report, the Legislative Budget Board may direct the department to select for participation in a statewide technology center established under Subchapter L any state agency assigned an information security rating under Subsection (c-1). The department shall notify each selected state agency of the agency's selection as required by Section 2054.385. The department is not required to conduct the cost and requirements analysis under Section 2054.384 for a state agency selected for participation under this subsection. This subsection expires September 1, 2027.

SECTION 5. Section 2054.136, Government Code, is amended to read as follows:

Sec. 2054.136. DESIGNATED INFORMATION SECURITY OFFICER. (a) Each state agency shall designate an information security officer who:

(1) reports to the agency's executive-level management;

(2) has authority over information security for the entire agency;

(3) possesses the training and experience required to perform the duties required by department rules; and

(4) to the extent feasible, has information security duties as the officer's primary duties.

(b) An employee designated under Subsection (a) may be designated to serve as a joint information security officer by two or more state agencies. The department must approve the joint designation.

SECTION 6. The heading to Section 2054.515, Government Code, is amended to read as follows:

Sec. 2054.515. STATE AGENCY INFORMATION SECURITY ASSESSMENT [AND REPORT].

SECTION 7. Sections 2054.515(a), (c), and (d), Government Code, are amended to read as follows:

(a) At least once every two years, each state agency shall conduct an information security assessment of the agency's[:
[(1)] information resources systems, network systems, digital data storage systems, digital data security measures, and information resources vulnerabilities[; and
[(2) data governance program with participation from the agency's data management officer, if applicable, and in accordance with requirements established by department rule].

(c) Each state agency shall complete the information security assessment in consultation with the department or the vendor the department selects and submit the results of the assessment to the department in accordance with Section 2054.068(b) [The department by rule shall establish the requirements for the information security assessment and report required by this section].

(d) All [The report and all] documentation related to the information security assessment is [and report are] confidential and not subject to disclosure under Chapter 552. The state agency or department may redact or withhold the information as confidential under Chapter 552 without requesting a decision from the attorney general under Subchapter G, Chapter 552.

SECTION 8. Section 2054.577(c), Government Code, is amended to read as follows:

(c) Money in the fund:

(1) may be used to improve and modernize state agency information resources, including legacy system projects and cybersecurity projects; [and]

(2) may be used to mitigate a security incident at a state agency;

(3) may not be used to replace money appropriated to a state agency for the purposes of operating and maintaining state agency information resources or reduce the amount of money appropriated to a state agency for those purposes; and

(4) may not be used to pay an entity that commits the crime of electronic data tampering.

SECTION 9. Section 2054.1125, Government Code, is transferred to Subchapter R, Chapter 2054, Government Code, redesignated as Section 2054.603, Government Code, and amended to read as follows:

Sec. 2054.603 [2054.1125]. SECURITY INCIDENT [BREACH] NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this section:

(1) "Security incident" means:

(A) the actual or suspected deliberate and unauthorized access, disclosure, exposure, modification, or destruction of sensitive personal information, confidential information, or other information the disclosure of which is regulated by law through a computer, computer network, or computer system, including:

(i) a breach or suspected breach ["Breach] of system security as defined [security" has the meaning assigned] by Section 521.053, Business & Commerce Code; and

(ii) the introduction of ransomware, as defined by Section 33.023, Penal Code, into a computer, computer network, or computer system; or

(B) a deliberate and unauthorized modification, disruption, destruction, or defacement that makes unavailable or inaccessible:

(i) state agency information or information resources; or

(ii) a state agency website.

(2) "Sensitive personal information" has the meaning assigned by Section 521.002, Business & Commerce Code.

(b) A state agency or local government that owns, licenses, or maintains computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law shall, in the event of a security incident [breach or suspected breach of system security or an unauthorized exposure of that information]:

(1) comply with the notification requirements of Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state; [and]

(2) not later than 24 [48] hours after the discovery of the security incident [breach, suspected breach, or unauthorized exposure], notify:

(A) the department, including the chief information security officer; or

(B) if the security incident [breach, suspected breach, or unauthorized exposure] involves election data, the secretary of state; and

(3) comply with all department rules relating to security incidents.

(c) Not later than the 10th business day after the date of the eradication, closure, and recovery from a security incident [breach, suspected breach, or unauthorized exposure], a state agency or local government shall notify the department, including the chief information security officer, of the details of the security incident [event] and include in the notification an analysis of the cause of the security incident [event].

SECTION 10. The following provisions are repealed:

(1) Section 2054.068(f), Government Code; and

(2) Section 2054.515(b), Government Code, as amended by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the 87th Legislature, Regular Session, 2021.

SECTION 11. This Act takes effect September 1, 2023.