Information security and Privacy Bill Tracker

 

Updated April 25, 2017 (changes in red)

There are a number of bills in front of the 85th session of the Texas legislature. I’ve cherry-picked several that are directly related to “computer security” or privacy. For the complete list click here.

House Bills

| Bill | Author | Caption | Stage | Notes |
| --- | --- | --- | --- | --- |
| HB8 | Capriglione | Relating to cybersecurity for state agency information resources. | Passed to engrossment as amended | A significant bill affecting multiple agencies. Requires all security incidents to be reported to the Department of Information Resources (DIR) within 48 hours of detection. Also includes a provision for the Sunset Commission to include cybersecurity in their review of state agencies. Additionally directs DIR to conduct exercises and to address duplication of efforts within state agencies. Well worth reading the full bill. |
| HB9 | Capriglione | Relating to cybercrime; creating criminal offenses. | Referred to Criminal Justice (Senate) | Amends the Penal Code to include criminal offenses for malware and ransomware, among other cybercrimes. |
| HB138 | Krause | Relating to the creation of the Fiscal Risk Management Commission. | Referred to Appropriations | Sec. 2117.004(a)(2)(D)(i) adds study of “cyberterrorism” on the state to the Fiscal Risk Management Commission. |
| HB305 | Minjarez | Relating to student harassment, bullying, and cyberbullying. | Referred to Public Education | Companion to SB180 (Identical) |
| HB306 | Minjarez | Relating to student harassment, bullying, cyberbullying, injury to or death of a minor; creating a criminal offense. | Scheduled for public hearing on 4/18/2017 | Companion to SB179 (Identical) |
| HB334 | Collier | Relating to the consideration by employers of the consumer credit reports or other credit information of employees and applicants for employment; providing civil and administrative penalties. | Referred to Business & Industry | Amends the Labor Code Ch. 52 to limit the ability of an employer to request or adversely use an employee’s credit report as a condition of employment. Creates a civil penalty. |
| HB407 | Tinderholt | Relating to protection of the electric power transmission and distribution system. | Referred to State Affairs | While this looks like it would be a companion to SB83(85R)-Hall, it is a distinct bill aimed at amending the Utility Code §39.151 to create design standards for electric power transmission. |
| HB542 | Metcalf | Relating to the drug screening and testing of certain persons seeking benefits under the medical assistance program. | Referred to Human Services | Amends the Human Resources Code §32.024 to mandate drug screening for adults seeking medical assistance benefits. |
| HB703 | Wu | Relating to the availability of personal information of a child protective services caseworker or investigator. | Referred to Human Services | Amends the Government Code §552 (public information) to except child protective services personal contact information. |
| HB787 | Parker | Relating to the security of the electric grid. | Committee report sent to Calendars | Another bill aimed at electric grid security. Amends the Utilities Code to have an independent organization (created under Utilities §39.151) collect information on grid security. |
| HB788 | Parker | Relating to enhancing the security of the electric grid; making an appropriation. | Referred to Appropriations | |
| HB792 | Capriglione | Relating to the exception from disclosure under the public information law for information related to competition or bidding. | Scheduled for public hearing on 4/24/2017 | Companion to SB407 (Identical) |
| HB1278 | Dutton | Relating to availability of personal information of certain current and former prosecutors. | Scheduled for public hearing on April 3, 2017. | Excepts the personal information of district attorneys, criminal district attorneys and municipal attorneys from public disclosure. |
| HB1452 | Blanco | Relating to a study regarding cyber attacks on election infrastructure. | Committee report sent to Calendars | Directs the Secretary of State to study the election infrastructure’s vulnerability to cyber attacks and to provide recommendations to protect the infrastructure. |
| HB1605 | Blanco | Relating to the powers and duties of the Department of Information Resources regarding cybersecurity. | Committee report sent to Calendars | A substantial change to the DIR cybersecurity duties including reports on ways to improve cybersecurity, evaluation of cybersecurity insurance, and the possibility of creating an emergency fund for responding to cybersecurity events. |
| HB1861 | Elkins | Relating to the confidentiality of certain information related to a computer security incident. | Placed on General State Calendar | Adds a provision to §552 (public information act) that excepts information related to security incidents. |
| HB1898 | Uresti, Tomas | Relating to a study on state agency digital data storage and records management practices and associated state costs. | Committee report sent to Calendars | Requires the Department of Information Resources (DIR) and the Texas State Library and Archives Commission to conduct a study on the use of digital data storage and its associated costs. Additionally requires the report to address whether agencies are complying with data classification policies. |
| HB2087 | VanDeaver | Relating to restricting the use of covered information, including student personally identifiable information, by an operator of a website, online service, online application, or mobile application for a school purpose. | Reported favorably as substituted | An interesting bill targeted at restricting the use of students’ profiles gathered by online services. As many of these services are nationwide, it would be interesting to see this bill in action. |
| HB2222 | Hunter | Relating to the confidentiality of home address information of certain victims of family violence, sexual assault or abuse, stalking, or trafficking of persons. | Reported favorably as substituted | Adds victims of sexual abuse or human trafficking to Chapter 56 of the Code of Criminal Procedure, which currently includes family violence, sexual assault, or stalking. |
| HB2333 | Elkins | Relating to a breach of system security of a business that exposes consumer credit card or debit card information; providing a civil penalty. | Scheduled for public hearing on 4/24/2017 | Adds credit and debit card information to the existing definition of breach in Business & Commerce Code sec 521. Also creates a fund for compensating victims of a breach. Also sets a civil penalty of $50 per record for each card breached, if the business fails to secure their systems. |
| HB2387 | Herrero | Relating to disclosure and use of certain information regarding the Crime Victims’ Compensation Act. | Placed on General State Calendar | Prohibits the release of applications for compensation. Companion to SB843 (Identical) |
| HB2544 | Sanford | Relating to the prosecution of the offense of unlawful installation of tracking device or malicious software. | Referred to Criminal Jurisprudence | Adds an interesting provision to the Penal Code prohibiting individuals from adding malicious software, “designed to obtain…private information”, to a vehicle. |
| HB3274 | Capriglione | Relating to the creation of a chief innovation and technology officer position in the office of the governor that works with other states, ensures strategic use of information resources, and works with chief information officers at state agencies. | Scheduled for public hearing on 4/10/17 | Creates a position in the office of the governor. |
| HB3671 | Shaheen | Relating to the requirement that state agencies notify the Department of Information Resources in the event of a breach of system security or unauthorized exposure of certain information. | Filed | Explicitly requires state agencies to comply with the breach notification requirements in the Texas breach notification law (Business and Commerce Code Sec. 521) and requires notification to the State CISO within 48 hours. |

Senate Bills

| Bill | Author | Caption | Stage | Notes |
| --- | --- | --- | --- | --- |
| SB42 | Zaffirini | Relating to the security of courts and judges in the state. | Referred to Judiciary & Civil Jurisprudence | Excepts personal information of judges and their spouses from disclosure. Companion to HB1487 (Identical) |
| SB56 | Zaffirini | Relating to the acknowledgment by management of risks identified in state agency information security plans. | Received from the Senate (House) | Bill refiled from 84th Legislature. Companion to HB1048 (Identical). Companion to HB1604 (Similar) |
| SB83 | Hall | Relating to protection of energy critical infrastructure from electromagnetic, geomagnetic, terrorist, and cyber-attack threats. | Scheduled for public hearing on 4/11/17 | A significant amendment to Government Code Ch. 418(I) focused on threats to the power grid from EMP. Creates an electromagnetic threat preparedness task force. |
| SB179 | Menéndez | Relating to student harassment, bullying, cyberbullying, injury to or death of a minor; creating a criminal offense. | Scheduled for public hearing on 4/6/17 | Companion to HB306 |
| SB180 | Menéndez | Relating to student harassment, bullying, and cyberbullying. | Referred to Education | Companion to HB305 |
| SB456 | Taylor, Van | Relating to the right of members of the legislature, the lieutenant governor, committees of the legislature, and legislative agencies to access certain governmental information for legislative purposes; creating a criminal offense. | Referred to Business & Commerce | One of the more interesting confidentiality bills so far this session. Allows for members of the Legislature to request “governmental information” maintained by or for a governmental body, including confidential information. Some protections are available, but the timelines for response are relatively short. |
| SB532 | Nelson | Relating to reports on and purchase of information technology by state agencies. | Committee report distributed (House) | One to keep an eye on. The bill directs agencies to provide information to the Department of Information Resources about their security programs and risks. DIR must provide a public analysis of the risks and plans. Also has some language about cloud computing and state agencies. Companion to HB1467 (Similar) |
| SB564 | Campbell | Relating to the applicability of open meetings requirements to certain meetings of a governing body relating to information technology security practices. | Received from the Senate | Expands an exception to open meetings requirements (which currently only applies to the Department of Information Resources) to allow for closed meetings of governmental bodies to discuss security assessments, network security information, or other security issues. |
| SB659 | Campbell | Relating to the availability of personal information of a statewide elected official or member of the legislature. | Received from the Senate (House) | Excepts the personal contact information of state officers elected statewide or a member of the legislature from disclosure under the PIA. |
| SB705 | Birdwell | Relating to an exception from disclosure under the public information law for certain personal information of an applicant for an appointment by the governor. | Reported engrossed -> Moved to House | Excepts the personal contact information of persons applying for appointment by the governor or the senate from public disclosure under the PIA. |
| SB843 | Perry | Relating to disclosure and use of certain information regarding the Crime Victims’ Compensation Act. | Referred to Criminal Jurisprudence (House) | Prohibits the release of applications for compensation. Companion to HB2387 (Identical) |
| SB1020 | Taylor | Relating to cybercrime; creating criminal offenses. | Referred to Criminal Justice | Companion to HB9 (Capriglione) |
| SB1470 | Zaffirini | Relating to the powers and duties of the Department of Information Resources regarding cybersecurity. | Referred to Business & Commerce | Companion to HB1605 (Blanco) |
| SB1574 | Kolkhorst | Relating to the electronic sharing of protected health information and certification of and enforcement actions against certain covered entities. | Referred to Health & Human Services | |
| SB1910 | Zaffirini | Relating to state agency information security plans, information technology employees, and online and mobile applications. | Referred to Business & Commerce | Requires each state agency to submit a security plan to the DIR. Also calls out that if an agency has a CISO, that CISO should report outside of the IT department!!! 🙂 |

A couple of people have asked about certain legislation in Texas related to privacy in restrooms or immigration. I will not address those topics here, as this tracker is related to information security and data privacy.