Updated March 24, 2017 (changes in red)
There are a number of bills in front of the 85th session of the Texas legislature. I’ve cherry-picked several that are directly related to “computer security” or privacy. For the complete list click here.
|HB8||Capriglione||Relating to cybersecurity for state agency information resources.||Scheduled for public hearing on March 20, 2017.||A significant bill affecting multiple agencies. Requires all security incidents to be reported to the Department of Information Resources (DIR) within 48 hours of detection. Also includes a provision for the Sunset Commission to include cybersecurity in their review of state agencies. Additionally directs DIR to conduct exercises and to address duplication of efforts within state agencies. Well worth reading the full bill.|
|HB9||Capriglione||Relating to cybercrime; creating criminal offenses.||Scheduled for public hearing on March 20, 2017.||Amends the Penal Code to include criminal offenses for malware and ransomware, among other cybercrimes.|
|HB138||Krause||Relating to the creation of the Fiscal Risk Management Commission.||Referred to Appropriations||Sec. 2117.004(a)(2)(D)(i) adds study of “cyberterrorism” on the state to the Fiscal Risk Management Commission.|
|HB305||Minjarez||Relating to student harassment, bullying, and cyberbullying.||Referred to Public Education||Companion to SB180 (Identical)|
|HB306||Minjarez||Relating to student harassment, bullying, cyberbullying, injury to or death of a minor; creating a criminal offense.||Referred to Public Education||Companion to SB179 (Identical)|
|HB334||Collier||Relating to the consideration by employers of the consumer credit reports or other credit information of employees and applicants for employment; providing civil and administrative penalties.||Referred to Business & Industry||Amends the Labor Code Ch. 52 to limit the ability of an employer to request or adversely use an employee's credit report as a condition of employment. Creates a civil penalty.|
|HB407||Tinderholt||Relating to protection of the electric power transmission and distribution system.||Referred to State Affairs||While this looks like it would be a companion to SB83(85R)-Hall, it is a distinct bill aimed at amending the Utility Code §39.151 to create design standards for electric power transmission.|
|HB542||Metcalf||Relating to the drug screening and testing of certain persons seeking benefits under the medical assistance program.||Referred to Human Services||Amends the Human Resources Code §32.024 to mandate drug screening for adults seeking medical assistance benefits.|
|HB703||Wu||Relating to the availability of personal information of a child protective services caseworker or investigator.||Referred to Human Services||Amends the Government Code §552 (public information) to except child protective services personal contact information.|
|HB787||Parker||Relating to the security of the electric grid.||Referred to State Affairs||Another bill aimed at electric grid security. Amends the Utilities Code to have an independent organization (created under Utilities §39.151) collect information on grid security.|
|HB788||Parker||Relating to enhancing the security of the electric grid; making an appropriation.||Referred to Appropriations|
|HB792||Capriglione||Relating to the exception from disclosure under the public information law for information related to competition or bidding.||Referred to Government Transparency & Operation||Companion to SB407 (Identical)|
|HB1278||Dutton||Relating to availability of personal information of certain current and former prosecutors.||Referred to Government Transparency & Operation||Excepts the personal information of district attorneys, criminal district attorneys and municipal attorneys from public disclosure.|
|HB1452||Blanco||Relating to a study regarding cyber attacks on election infrastructure.||Scheduled for public hearing on March 20, 2017.||Directs the Secretary of State to study the election infrastructure's vulnerability to cyber attacks and to provide recommendations to protect the infrastructure.|
|HB1605||Blanco||Relating to the powers and duties of the Department of Information Resources regarding cybersecurity.||Scheduled for public hearing on March 20, 2017.||A substantial change to the DIR cybersecurity duties including reports on ways to improve cybersecurity, evaluation of cybersecurity insurance, and the possibility of creating an emergency fund for responding to cybersecurity events.|
|HB1861||Elkins||Relating to the confidentiality of certain information related to a computer security incident.||Referred to Government Transparency & Operation||Adds a provision to §552 (public information act) that excepts information related to security incidents.|
|HB1898||Uresti, Tomas||Relating to a study on state agency digital data storage and records management practices and associated state costs.||Scheduled for public hearing on March 27, 2017.||Requires the Department of Information Resources (DIR) and the Texas State Library and Archives Commission to conduct a study on the use of digital data storage and its associated costs. Additionally requires the report to address whether agencies are complying with data classification policies.|
|HB2087||VanDeaver||Relating to restricting the use of covered information, including student personally identifiable information, by an operator of a website, online service, online application, or mobile application for a school purpose.||Referred to Public Education||An interesting bill targeted at restricting the use of students’ profiles gathered by online services. As many of these services are nationwide, it would be interesting to see this bill in action.|
|HB2222||Hunter||Relating to the confidentiality of home address information of certain victims of family violence, sexual assault or abuse, stalking, or trafficking of persons.||Referred to Criminal Jurisprudence||Adds victims of sexual abuse or human trafficking to Chapter 56 of the Code of Criminal Procedure, which currently includes family violence, sexual assault, or stalking.|
|HB2333||Elkins||Relating to a breach of system security of a business that exposes consumer credit card or debit card information; providing a civil penalty.||Referred to Business & Industry||Adds credit and debit card information to the existing definition of breach in Business & Commerce Code Sec. 521. Also creates a fund for compensating victims of a breach. Also sets a civil penalty of $50 per record for each card breached, if the business fails to secure its systems.|
|HB2387||Herrero||Relating to disclosure and use of certain information regarding the Crime Victims’ Compensation Act.||Scheduled for public hearing on March 27, 2017.||Prohibits the release of applications for compensation. Companion to SB843 (Identical)|
|HB2544||Sanford||Relating to the prosecution of the offense of unlawful installation of tracking device or malicious software.||Referred to Criminal Jurisprudence||Adds an interesting provision to the Penal Code prohibiting individuals from adding malicious software, “designed to obtain…private information”, to a vehicle.|
|HB3274||Capriglione||Relating to the creation of a chief innovation and technology officer position in the office of the governor that works with other states, ensures strategic use of information resources, and works with chief information officers at state agencies.||Filed||Creates a position in the office of the governor.|
|HB3671||Shaheen||Relating to the requirement that state agencies notify the Department of Information Resources in the event of a breach of system security or unauthorized exposure of certain information.||Filed||Explicitly requires state agencies to comply with the breach notification requirements in the Texas breach notification law (Business and Commerce Code Sec. 521) and requires notification to the State CISO within 48 hours.|
|SB42||Zaffirini||Relating to the security of courts and judges in the state.||Scheduled for public hearing on March 27, 2017.||Excepts personal information of judges and their spouses from disclosure. Companion to HB1487 (Identical)|
|SB56||Zaffirini||Relating to the acknowledgment by management of risks identified in state agency information security plans.||Referred to Business & Commerce||Bill refiled from 84th Legislature|
|SB83||Hall||Relating to protection of energy critical infrastructure from electromagnetic, geomagnetic, terrorist, and cyber-attack threats.||Referred to Business & Commerce||A significant amendment to Government Code Ch. 418(I) focused on threats to the power grid from EMP. Creates an electromagnetic threat preparedness task force.|
|SB179||Menéndez||Relating to student harassment, bullying, cyberbullying, injury to or death of a minor; creating a criminal offense.||Referred to State Affairs||Companion to HB306|
|SB180||Menéndez||Relating to student harassment, bullying, and cyberbullying.||Referred to Education||Companion to HB305|
|SB456||Taylor, Van||Relating to the right of members of the legislature, the lieutenant governor, committees of the legislature, and legislative agencies to access certain governmental information for legislative purposes; creating a criminal offense.||Referred to Business & Commerce||One of the more interesting confidentiality bills so far this session. Allows for members of the Legislature to request “governmental information” maintained by or for a governmental body, including confidential information. Some protections are available, but the timelines for response are relatively short.|
|SB532||Nelson||Relating to reports on and purchase of information technology by state agencies.||Committee report printed and distributed||One to keep an eye on. The bill directs agencies to provide information to the Department of Information Resources about their security programs and risks. DIR must provide a public analysis of the risks and plans. Also has some language about cloud computing and state agencies. Companion to HB1467 (Similar)|
|SB564||Campbell||Relating to the applicability of open meetings requirements to certain meetings of a governing body relating to information technology security practices.||Referred to Business & Commerce||Expands an exception to open meetings requirements, which currently applies only to the Department of Information Resources, to allow for closed meetings of governmental bodies to discuss security assessments, network security information, or other security issues.|
|SB659||Campbell||Relating to the availability of personal information of a statewide elected official or member of the legislature.||Referred to Business & Commerce||Excepts the personal contact information of state officers elected statewide or a member of the legislature from disclosure under the PIA.|
|SB705||Birdwell||Relating to an exception from disclosure under the public information law for certain personal information of an applicant for an appointment by the governor.||Scheduled for public hearing on March 23, 2017.||Excepts the personal contact information of persons applying for appointment by the governor or the senate from public disclosure under the PIA.|
|SB843||Perry||Relating to disclosure and use of certain information regarding the Crime Victims’ Compensation Act.||Committee report printed and distributed||Prohibits the release of applications for compensation. Companion to HB2387 (Identical)|
|SB1020||Taylor||Relating to cybercrime; creating criminal offenses.||Referred to Criminal Justice||Companion to HB9 (Capriglione)|
|SB1470||Zaffirini||Relating to the powers and duties of the Department of Information Resources regarding cybersecurity.||Referred to Business & Commerce||Companion to HB1605 (Blanco)|
|SB1574||Kolkhorst||Relating to the electronic sharing of protected health information and certification of and enforcement actions against certain covered entities.||Referred to Health & Human Services|
|SB1910||Zaffirini||Relating to state agency information security plans, information technology employees, and online and mobile applications.||Filed||Requires each state agency to submit a security plan to the DIR. Also calls out that if an agency has a CISO, that CISO should report outside of the IT department!!! 🙂|
A couple of people have asked about certain legislation in Texas related to privacy in restrooms or immigration. I will not address those topics here, as this tracker is related to information security and data privacy.