88R13152 MPF-F
 
  By: Hall
  S.B. No. 2001
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the security of election systems.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Chapter 279, Election Code, is amended by
  amending Sections 279.002 and 279.003 and adding Sections 279.004
  and 279.005 to read as follows:
         Sec. 279.002.  ELECTION CYBERSECURITY: SECRETARY OF STATE.  
  (a)  The secretary of state shall adopt rules defining classes of
  protected election data and establishing best practices for
  identifying, [and] reducing, and eliminating the risk to the
  electronic use, storage, and transmission of election data and the
  security of election systems, including:
               (1)  methods of encrypting data at rest and during
  transmission; and
               (2)  restricting access to sensitive data to only users
  with a specific need to access that data.
         (a-1)  The secretary of state shall appoint a dedicated
  cybersecurity expert to implement cybersecurity measures to
  protect all election data and other election-related data held by
  the state or a county in the state, including technology that
  blocks, notifies, and reports on unauthorized attempts to access or
  transfer data.
         (b)  The secretary of state shall direct the cybersecurity
  expert to offer training on best practices:
               (1)  on a biennial [an annual] basis, to all
  appropriate personnel or contractors with [in] the secretary of
  state's office with access to sensitive information; and
               (2)  on request, to county election officers and any
  employees or contractors of the county election officers with
  access to sensitive information [in this state].
         (b-1)  Access to sensitive data shall be revoked for any
  employee or contractor that is required to receive training under
  Subsection (b) but does not complete the training.
         (c)  If the secretary of state becomes aware of a breach of
  cybersecurity that impacts election data, the secretary shall
  immediately notify the governor, lieutenant governor, speaker of
  the house of representatives, and members of the standing
  committees of each house of the legislature with jurisdiction over
  elections. The secretary shall direct the cybersecurity expert to
  conduct an investigation of the breach and report any findings to
  the governor, lieutenant governor, speaker of the house of
  representatives, and standing committees of the legislature with
  jurisdiction over elections.
         (d)  During an investigation conducted under Subsection (c),
  access to the election system is restricted to only individuals
  designated by the secretary of state until the standing committees
  confirm that the breach has been mitigated.
         (e)  If the investigation under Subsection (c) reveals that
  individuals' personal data has been breached, the secretary of
  state shall promptly notify the affected individuals by written
  letter of the occurrence and extent of the breach.
         (f)  The secretary of state, in cooperation with the
  cybersecurity expert, shall contract with a provider of
  cybersecurity assessments to biennially conduct an assessment of
  the cybersecurity of the state's election system.
         (g)  The cybersecurity expert shall implement cybersecurity
  measures to ensure that all devices with access to election data
  held by the state comply to the highest extent possible with rules
  adopted by the secretary of state under Subsection (a).
         Sec. 279.003.  ELECTION CYBERSECURITY: COUNTY ELECTION
  OFFICERS.  (a)  A county election officer shall biennially
  [annually] request training on cybersecurity from the
  cybersecurity expert [secretary of state].  The secretary of state
  shall pay the costs associated with the training with available
  state funds.
         (b)  A county election officer shall contract with a provider
  of cybersecurity assessments to biennially conduct [request] an
  assessment of the cybersecurity of the county's election system
  [from a provider of cybersecurity assessments if the secretary of
  state recommends an assessment and the necessary funds are
  available].
         (b-1)  The county election officer shall deliver a report on
  any recommended improvements to the county's election system by the
  assessment conducted under Subsection (b) to the secretary of
  state.
         (c)  If a county election officer becomes aware of a breach
  of cybersecurity that impacts election data, the officer shall
  immediately notify the secretary of state. During an investigation
  by the secretary of state made aware of a breach under this section,
  access to sensitive data in the county shall be restricted to
  specific personnel.
         (d)  A [To the extent that state funds are available for the
  purpose, a] county election officer shall implement cybersecurity
  measures to ensure that all devices with access to election data
  comply to the highest extent possible with rules adopted by the
  secretary of state under Section 279.002.
         Sec. 279.004.  INTERNAL PERSONNEL VIOLATION. If a data
  breach under this section is conducted by an employee of the
  secretary of state's or county election officer's office, the
  employee may not be provided access to election-related data until
  an investigation under this section is concluded. If an
  investigation determines that the employee intentionally breached
  an election system, the secretary of state may pursue all available
  legal remedies against the employee, including criminal
  prosecution.
         Sec. 279.005.  COMPUTER NETWORK CONNECTIVITY. (a)  Except
  as expressly authorized by this code, an election system that is
  capable of being connected to the Internet or any other computer
  network may not be used, except for the use of a visible wired
  connection to an isolated local area network within the building.
         (b)  The cybersecurity expert appointed by the secretary of
  state under Section 279.002 shall annually verify compliance with
  this section by each county conducting an election in this state.
         SECTION 2.  Section 123.034, Election Code, is amended to
  read as follows:
         Sec. 123.034.  MAINTENANCE AND STORAGE OF EQUIPMENT.  (a) 
  The governing body of a political subdivision shall provide for the
  proper maintenance and storage of the equipment that the
  subdivision acquires for use in the operation of a voting system.
         (b)  Equipment used in the operation of a voting system must
  have a documented chain of custody and be stored in a locked
  facility with video surveillance monitoring the storage facility at
  all times.
         SECTION 3.  As soon as practicable after the effective date
  of this Act, the secretary of state shall:
               (1)  adopt the rules required by Section 279.002(a),
  Election Code, as amended by this Act; and
               (2)  appoint a cybersecurity expert in accordance with
  Section 279.002(a-1), Election Code, as added by this Act.
         SECTION 4.  This Act takes effect September 1, 2023.