
85th Legislative Session

The 85th regular Texas legislative session begins next week (January 10th). For those outside of The Great State of Texas, the Texas legislature meets for 140 days every 2 years. In those few days things move pretty quickly: a budget must be drafted and passed; any new bills must be submitted, reviewed and adopted; and state agencies face scrutiny. All in all, it can be a whirlwind.

In the interim between sessions, legislative committees will dive deep into issues, researching topics and delivering reports to the Speaker of the House and Lt. Governor (who oversees the Senate).

So what is in store for information security or cybersecurity in the 85th?  If the interim tells us anything it is that “cyber” is on the mind of many in both houses.  Over the interim there were six House committees charged with identifying and making recommendations regarding cybersecurity policies.

  • House Committee on Business & Industry
  • House Committee on County Affairs
  • House Committee on Government Transparency & Operation
  • House Committee on House Administration
  • House Committee on Investments & Financial Services
  • House Committee on Urban Affairs

Several of these committees had hearings on the issue, at which I either testified or was used as a resource.

On the Senate side only the Business and Commerce committee was explicitly charged with reviewing cybersecurity.  The Inter-Governmental Relations committee had a charge regarding disaster preparedness planning and coordination, which has technology implications.

So, that is a long way of saying that there seems to be a concern with protection of information assets within the state. There are already a handful of bills submitted, with more expected in the coming weeks. The Texas Legislature Online site provides the capability to search for bills, but that can be a monotonous process to do each day. On the Texas Legislation page, I’m tracking bills that are related to information security, cybersecurity, and privacy.

I also wrote a really bad script to search the TLO website for keywords. It works, but it is U, L, G, Y, Ugly. Feel free to grab it off GitHub. I’ll try to make it more pretty as the session goes.

Information security and Privacy Bill Tracker

Updated June 15, 2017

There are a number of bills in front of the 85th session of the Texas legislature. I’ve cherry-picked several that are directly related to “computer security” or Privacy. For the complete list click here.

House Bills

| Bill | Author | Caption | Stage | Notes |
|---|---|---|---|---|
| HB8 | Capriglione | Relating to cybersecurity for state agency information resources. | Effective 9/1/2017 | A significant bill affecting multiple agencies. Requires all security incidents to be reported to the Department of Information Resources (DIR) within 48 hours of detection. Also includes a provision for the Sunset Commission to include cybersecurity in their review of state agencies. Additionally directs DIR to conduct exercises and to address duplication of efforts within state agencies. Well worth reading the full bill. |
| HB9 | Capriglione | Relating to cybercrime; creating criminal offenses. | Effective 9/1/2017 | Amends the Penal Code to include criminal offenses for malware and ransomware, among other cybercrimes. |
| HB138 | Krause | Relating to the creation of the Fiscal Risk Management Commission. | Referred to Appropriations | Sec. 2117.004(a)(2)(D)(i) adds study of “cyberterrorism” on the state to the Fiscal Risk Management Commission. |
| HB305 | Minjarez | Relating to student harassment, bullying, and cyberbullying. | Referred to Public Education | Companion to SB180 (Identical) |
| HB306 | Minjarez | Relating to student harassment, bullying, cyberbullying, injury to or death of a minor; creating a criminal offense. | Laid on the table subject to call | Companion to SB179 (Identical) |
| HB334 | Collier | Relating to the consideration by employers of the consumer credit reports or other credit information of employees and applicants for employment; providing civil and administrative penalties. | Referred to Business & Industry | Amends the Labor Code Ch. 52 to limit the ability of an employer to request or adversely use an employee’s credit report as a condition of employment. Creates a civil penalty. |
| HB407 | Tinderholt | Relating to protection of the electric power transmission and distribution system. | Referred to State Affairs | While this looks like it would be a companion to SB83(85R)-Hall, it is a distinct bill aimed at amending the Utility Code §39.151 to create design standards for electric power transmission. |
| HB542 | Metcalf | Relating to the drug screening and testing of certain persons seeking benefits under the medical assistance program. | Referred to Human Services | Amends the Human Resources Code §32.024 to mandate drug screening for adults seeking medical assistance benefits. |
| HB703 | Wu | Relating to the availability of personal information of a child protective services caseworker or investigator. | Referred to Human Services | Amends the Government Code §552 (public information) to except child protective services personal contact information. |
| HB787 | Parker | Relating to the security of the electric grid. | Left pending in committee (Senate) | Another bill aimed at electric grid security. Amends the Utilities Code to have an independent organization (created under Utilities §39.151) collect information on grid security. |
| HB788 | Parker | Relating to enhancing the security of the electric grid; making an appropriation. | Referred to Appropriations | |
| HB792 | Capriglione | Relating to the exception from disclosure under the public information law for information related to competition or bidding. | Left pending in committee (Senate) | Companion to SB407 (Identical) |
| HB1278 | Dutton | Relating to availability of Previous personal information of certain current and former prosecutors. | Signed by the Governor | Excepts the personal information of district attorneys, criminal district attorneys and municipal attorneys from public disclosure. |
| HB1452 | Blanco | Relating to a study regarding cyber attacks on election infrastructure. | Considered in Calendars | Directs the Secretary of State to study the election infrastructure’s vulnerability to cyber attacks and to provide recommendations to protect the infrastructure. |
| HB1605 | Blanco | Relating to the powers and duties of the Department of Information Resources regarding cybersecurity. | Referred to Business & Commerce (Senate) | A substantial change to the DIR cybersecurity duties including reports on ways to improve cybersecurity, evaluation of cybersecurity insurance, and the possibility of creating an emergency fund for responding to cybersecurity events. |
| HB1861 | Elkins | Relating to the confidentiality of certain information related to a computer security incident. | Signed by the Governor | Adds a provision to §552 (public information act) that excepts information related to security incidents. |
| HB1898 | Uresti, Tomas | Relating to a study on state agency digital data storage and records management practices and associated state costs. | Placed on General State Calendar | Requires the Department of Information Resources (DIR) and the Texas State Library and Archives Commission to conduct a study on the use of digital data storage and its associated costs. Additionally requires the report to address whether agencies are complying with data classification policies. |
| HB2087 | VanDeaver | Relating to restricting the use of covered information, including student personally identifiable information, by an operator of a website, online service, online application, or mobile application for a school purpose. | Signed by the Governor | An interesting bill targeted at restricting the use of students’ profiles gathered by online services. As many of these services are nationwide, it would be interesting to see this bill in action. |
| HB2222 | Hunter | Relating to the confidentiality of home address information of certain victims of family violence, sexual assault or abuse, stalking, or trafficking of persons. | Laid on the table subject to call | Adds victims of sexual abuse or human trafficking to Chapter 56 of the Code of Criminal Procedure, which currently includes family violence, sexual assault, or stalking. |
| HB2333 | Elkins | Relating to a breach of system security of a business that exposes consumer credit card or debit card information; providing a civil penalty. | Left pending in committee | Adds credit and debit card information to the existing definition of breach in Business & Commerce Code Sec. 521. Also creates a fund for compensating victims of a breach. Also sets a civil penalty of $50 per record for each card breached, if the business fails to secure its systems. |
| HB2387 | Herrero | Relating to disclosure and use of certain information regarding the Crime Victims’ Compensation Act. | Laid on the table subject to call | Prohibits the release of applications for compensation. Companion to SB843 (Identical) |
| HB2544 | Sanford | Relating to the prosecution of the offense of unlawful installation of tracking device or malicious software. | Referred to Criminal Jurisprudence | Adds an interesting provision to the penal code prohibiting individuals from adding malicious software, “designed to obtain…private information”, to a vehicle. |
| HB3274 | Capriglione | Relating to the creation of a chief innovation and technology officer position in the office of the governor that works with other states, ensures strategic use of information resources, and work with chief information officers at state agencies. | Returned to Local & Consent Calendars Comm. | Creates a position in the office of the governor. |
| HB3671 | Shaheen | Relating to the requirement that state agencies notify the Department of Information Resources in the event of a breach of system security or unauthorized exposure of certain information. | Referred to Government Transparency & Operations | Explicitly requires state agencies to comply with the breach notification requirements in the Texas breach notification law (Business and Commerce Code Sec. 521) and requires notification to the State CISO within 48 hours. |

Senate Bills

| Bill | Author | Caption | Stage | Notes |
|---|---|---|---|---|
| SB42 | Zaffirini | Relating to the security of courts and judges in the state. | Effective on 9/1/17 | Excepts personal information of judges and their spouses from disclosure. Companion to HB1487 (Identical) |
| SB56 | Zaffirini | Relating to the acknowledgment by management of risks identified in state agency information security plans. | Committee report sent to Calendars (House) | Bill refiled from 84th Legislature. Companion to HB1048 (Identical). Companion to HB1604 (Similar) |
| SB83 | Hall | Relating to protection of energy critical infrastructure from electromagnetic, geomagnetic, terrorist, and cyber-attack threats. | Referred to State Affairs (House) | A significant amendment to Government Code Ch. 418(I) focused on threats to the power grid from EMP. Creates an electromagnetic threat preparedness task force. |
| SB179 | Menéndez | Relating to student harassment, bullying, cyberbullying, injury to or death of a minor; creating a criminal offense. | Signed by the Governor | Companion to HB306 |
| SB180 | Menéndez | Relating to student harassment, bullying, and cyberbullying. | Referred to Education | Companion to HB305 |
| SB456 | Taylor, Van | Relating to the right of members of the legislature, the lieutenant governor, committees of the legislature, and legislative agencies to access certain governmental information for legislative purposes; creating a criminal offense. | Referred to Business & Commerce | One of the more interesting confidentiality bills so far this session. Allows for members of the Legislature to request “governmental information” maintained by or for a governmental body, including confidential information. Some protections are available, but the timelines for response are relatively short. |
| SB532 | Nelson | Relating to reports on and purchase of information technology by state agencies. | Signed by the Governor | One to keep an eye on. The bill directs agencies to provide information to the Department of Information Resources about their security programs and risks. DIR must provide a public analysis of the risks and plans. Also has some language about cloud computing and state agencies. Companion to HB1467 (Similar) |
| SB564 | Campbell | Relating to the applicability of open meetings requirements to certain meetings of a governing body relating to information technology security practices. | Signed by the Governor | Expands an exception to open meetings requirements (which currently applies only to the Department of Information Resources) to allow closed meetings of governmental bodies to discuss security assessments, network security information, or other security issues. |
| SB659 | Campbell | Relating to the availability of personal information of a statewide elected official or member of the legislature. | Left pending in committee | Excepts the personal contact information of state officers elected statewide or a member of the legislature from disclosure under the PIA. |
| SB705 | Birdwell | Relating to an exception from disclosure under the public information law for certain personal information of an applicant for an appointment by the governor. | Effective immediately | Excepts the personal contact information of persons applying for appointment by the governor or the senate from public disclosure under the PIA. |
| SB843 | Perry | Relating to disclosure and use of certain information regarding the Crime Victims’ Compensation Act. | Effective on 9/1/17 | Prohibits the release of applications for compensation. Companion to HB2387 (Identical) |
| SB1020 | Taylor | Relating to cybercrime; creating criminal offenses. | Referred to Criminal Justice | Companion to HB9 (Capriglione) |
| SB1470 | Zaffirini | Relating to the powers and duties of the Department of Information Resources regarding cybersecurity. | Referred to Business & Commerce | Companion to HB1605 (Blanco) |
| SB1574 | Kolkhorst | Relating to the electronic sharing of protected health information and certification of and enforcement actions against certain covered entities. | Referred to Health & Human Services | |
| SB1910 | Zaffirini | Relating to state agency information security plans, information technology employees, and online and mobile applications. | Signed by the Governor | Requires each state agency to submit a security plan to the DIR. Also calls out that if an agency has a CISO, that CISO should report outside of the IT department!!! 🙂 |

A couple people have asked about certain legislation in Texas related to privacy in restrooms or immigration. I will not address those topics here, as this tracker is related to information security and data privacy.