Updated April 25, 2017 (changes in red)
There are a number of bills in front of the 85th session of the Texas legislature. I’ve cherry-picked several that are directly related to “computer security” or privacy. For the complete list click here.
|HB8||Capriglione||Relating to cybersecurity for state agency information resources.||Passed to engrossment as amended||A significant bill affecting multiple agencies. Requires all security incidents to be reported to the Department of Information Resources (DIR) within 48 hours of detection. Also includes a provision for the Sunset Commission to include cybersecurity in their review of state agencies. Additionally directs DIR to conduct exercises and to address duplication of efforts within state agencies. Well worth reading the full bill.|
|HB9||Capriglione||Relating to cybercrime; creating criminal offenses.||Referred to Criminal Justice (Senate)||Amends the Penal Code to include criminal offenses for malware and ransomware, among other cybercrimes.|
|HB138||Krause||Relating to the creation of the Fiscal Risk Management Commission.||Referred to Appropriations||Sec. 2117.004(a)(2)(D)(i) adds study of “cyberterrorism” on the state to the Fiscal Risk Management Commission.|
|HB305||Minjarez||Relating to student harassment, bullying, and cyberbullying.||Referred to Public Education||companion to SB180 (Identical)|
|HB306||Minjarez||Relating to student harassment, bullying, cyberbullying, injury to or death of a minor; creating a criminal offense.||Scheduled for public hearing on 4/18/2017||companion to SB179 (Identical)|
|HB334||Collier||Relating to the consideration by employers of the consumer credit reports or other credit information of employees and applicants for employment; providing civil and administrative penalties.||Referred to Business & Industry||Amends the Labor Code Ch. 52 to limit the ability of an employer to request or adversely use an employee's credit report as a condition of employment. Creates a civil penalty.|
|HB407||Tinderholt||Relating to protection of the electric power transmission and distribution system.||Referred to State Affairs||While this looks like it would be a companion to SB83(85R)-Hall, it is a distinct bill aimed at amending the Utility Code §39.151 to create design standards for electric power transmission.|
|HB542||Metcalf||Relating to the drug screening and testing of certain persons seeking benefits under the medical assistance program.||Referred to Human Services||Amends the Human Resources Code §32.024 to mandate drug screening for adults seeking medical assistance benefits.|
|HB703||Wu||Relating to the availability of personal information of a child protective services caseworker or investigator.||Referred to Human Services||Amends the Government Code §552 (public information) to except child protective services personal contact information.|
|HB787||Parker||Relating to the security of the electric grid.||Committee report sent to Calendars||Another bill aimed at electric grid security. Amends Utilities Code to have an independent organization (created under Utilities §39.151) collect information on grid security.|
|HB788||Parker||Relating to enhancing the security of the electric grid; making an appropriation.||Referred to Appropriations|
|HB792||Capriglione||Relating to the exception from disclosure under the public information law for information related to competition or bidding.||Scheduled for public hearing on 4/24/2017||Companion to SB407 (Identical)|
|HB1278||Dutton||Relating to availability of Previous personal information of certain current and former prosecutors.||Scheduled for public hearing on April 3, 2017.||Excepts the personal information of district attorneys, criminal district attorneys and municipal attorneys from public disclosure.|
|HB1452||Blanco||Relating to a study regarding cyber attacks on election infrastructure.||Committee report sent to Calendars||Directs the Secretary of State to study the election infrastructure's vulnerability to cyber attacks and to provide recommendations to protect the infrastructure.|
|HB1605||Blanco||Relating to the powers and duties of the Department of Information Resources regarding cybersecurity.||Committee report sent to Calendars||A substantial change to the DIR cybersecurity duties including reports on ways to improve cybersecurity, evaluation of cybersecurity insurance, and the possibility of creating an emergency fund for responding to cybersecurity events.|
|HB1861||Elkins||Relating to the confidentiality of certain information related to a computer security incident.||Placed on General State Calendar||Adds a provision to §552 (public information act) that excepts information related to security incidents.|
|HB1898||Uresti, Tomas||Relating to a study on state agency digital data storage and records management practices and associated state costs.||Committee report sent to Calendars||Requires the Department of Information Resources (DIR) and the Texas State Library and Archives Commission to conduct a study on the use of digital data storage and its associated costs. Additionally requires the report to state whether agencies are complying with data classification policies.|
|HB2087||VanDeaver||Relating to restricting the use of covered information, including student personally identifiable information, by an operator of a website, online service, online application, or mobile application for a school purpose.||Reported favorably as substituted||An interesting bill targeted at restricting the use of student profiles gathered by online services. As many of these services are nationwide, it would be interesting to see this bill in action.|
|HB2222||Hunter||Relating to the confidentiality of home address information of certain victims of family violence, sexual assault or abuse, stalking, or trafficking of persons.||Reported favorably as substituted||Adds victims of sexual abuse or human trafficking to Chapter 56 of the Code of Criminal Procedure, which currently includes family violence, sexual assault, or stalking.|
|HB2333||Elkins||Relating to a breach of system security of a business that exposes consumer credit card or debit card information; providing a civil penalty.||Scheduled for public hearing on 4/24/2017||Adds credit and debit card information to existing definition of breach in Business & Commerce Code sec 521. Also creates a fund for compensating victims of a breach. Also sets a civil penalty of $50 per record for each card breached, if the business fails to secure their systems.|
|HB2387||Herrero||Relating to disclosure and use of certain information regarding the Crime Victims’ Compensation Act.||Placed on General State Calendar||Prohibits the release of applications for compensation. Companion to SB843 (Identical)|
|HB2544||Sanford||Relating to the prosecution of the offense of unlawful installation of tracking device or malicious software.||Referred to Criminal Jurisprudence||Adds an interesting provision to the penal code prohibiting individuals from adding malicious software, “designed to obtain…private information”, to a vehicle.|
|HB3274||Capriglione||Relating to the creation of a chief innovation and technology officer position in the office of the governor that works with other states, ensures strategic use of information resources, and works with chief information officers at state agencies.||Scheduled for public hearing on 4/10/17||Creates a position in the office of the governor.|
|HB3671||Shaheen||Relating to the requirement that state agencies notify the Department of Information Resources in the event of a breach of system security or unauthorized exposure of certain information.||Filed||Explicitly requires state agencies to comply with the breach notification requirements in the Texas breach notification law (Business and Commerce Code Sec. 521) and requires notification to the State CISO within 48 hours.|
|SB42||Zaffirini||Relating to the security of courts and judges in the state.||Referred to Judiciary & Civil Jurisprudence||Excepts personal information of judges and their spouses from disclosure. Companion to HB1487 (Identical)|
|SB56||Zaffirini||Relating to the acknowledgment by management of risks identified in state agency information security plans.||Received from the Senate (House)||Bill refiled from 84th Legislature|
|SB83||Hall||Relating to protection of energy critical infrastructure from electromagnetic, geomagnetic, terrorist, and cyber-attack threats.||Scheduled for public hearing on 4/11/17||A significant amendment to Government Code Ch. 418(I) focused on threats to the power grid from EMP. Creates an electromagnetic threat preparedness task force.|
|SB179||Menéndez||Relating to student harassment, bullying, cyberbullying, injury to or death of a minor; creating a criminal offense.||Scheduled for public hearing on 4/6/17||companion to HB306|
|SB180||Menéndez||Relating to student harassment, bullying, and cyberbullying.||Referred to Education||companion to HB305|
|SB456||Taylor, Van||Relating to the right of members of the legislature, the lieutenant governor, committees of the legislature, and legislative agencies to access certain governmental information for legislative purposes; creating a criminal offense.||Referred to Business & Commerce||One of the more interesting confidentiality bills so far this session. Allows for members of the Legislature to request “governmental information” maintained by or for a governmental body, including confidential information. Some protections are available, but the timelines for response are relatively short.|
|SB532||Nelson||Relating to reports on and purchase of information technology by state agencies.||Committee report distributed (House)||One to keep an eye on. The bill directs agencies to provide information to the Department of Information Resources about their security programs and risks. DIR must provide a public analysis of the risks and plans. Also has some language about cloud computing and state agencies. Companion to HB1467 (Similar)|
|SB564||Campbell||Relating to the applicability of open meetings requirements to certain meetings of a governing body relating to information technology security practices.||Received from the Senate||Expands (currently only applies to the Department of Information Resources) an exception to open meetings requirements to allow for closed meetings of governmental bodies to discuss security assessments, network security information, or other security issues.|
|SB659||Campbell||Relating to the availability of personal information of a statewide elected official or member of the legislature.||Received from the Senate (House)||Excepts the personal contact information of state officers elected statewide or a member of the legislature from disclosure under the PIA.|
|SB705||Birdwell||Relating to an exception from disclosure under the public information law for certain personal information of an applicant for an appointment by the governor.||Reported engrossed -> Moved to House||Excepts the personal contact information of persons applying for appointment by the governor or the senate from public disclosure under the PIA.|
|SB843||Perry||Relating to disclosure and use of certain information regarding the Crime Victims’ Compensation Act.||Referred to Criminal Jurisprudence (House)||Prohibits the release of applications for compensation. Companion to HB2387 (Identical)|
|SB1020||Taylor||Relating to cybercrime; creating criminal offenses.||Referred to Criminal Justice||Companion to HB9 (Capriglione)|
|SB1470||Zaffirini||Relating to the powers and duties of the Department of Information Resources regarding cybersecurity.||Referred to Business & Commerce||Companion to HB1605 (Blanco)|
|SB1574||Kolkhorst||Relating to the electronic sharing of protected health information and certification of and enforcement actions against certain covered entities.||Referred to Health & Human Services|
|SB1910||Zaffirini||Relating to state agency information security plans, information technology employees, and online and mobile applications.||Referred to Business & Commerce||Requires each state agency to submit a security plan to the DIR. Also calls out that if an agency has a CISO, that CISO should report outside of the IT department!!! 🙂|
A couple people have asked about certain legislation in Texas related to privacy in restrooms or immigration. I will not address those topics here, as this tracker is related to information security and data privacy.