Category Archives: Texas

Bills of the 85th session

Now that the 85th Texas legislative session is over, here is a list of the cybersecurity and privacy bill that made it through.  For the complete list of the bills I tracked this session, click here.

House Bills

Bill Author Caption Stage Notes
HB8 Capriglione Relating to cybersecurity for state agency information resources. Effective 9/1/2017 A significant bill affecting multiple agencies. Requires all security incidents to be report to the Department of Information Resources (DIR) within 48 hours of detection. Also includes a provision for the Sunset Commission to include cybersecurity in their review of state agencies. Additionally directs DIR to conduct exercises and to address duplication of efforts within state agencies. Well worth reading the full bill.
HB9 Capriglione Relating to cybercrime ; creating criminal offenses. Effective 9/1/2017 Amends the Penal Code to include criminal offenses for malware and ransomware, among other cybercrimes.
HB1278 Dutton Relating to availability of Previous personal information of certain current and former prosecutors. Effective immediately Excepts the personal information of district attorneys, criminal district attorneys and municipal attorneys from public disclosure.
HB1861 Elkins Relating to the confidentiality of certain information related to a computer security incident. Effective immediately Adds a provision to §552 (public information act) that excepts information related to security incident information.
HB2087 VanDeaver Relating to restricting the use of covered information, including student personally identifiable information, by an operator of a website, online service, online application, or mobile application for a school purpose. Effective 9/1/2017 An interesting bill targeted at restricting the use of student’s profiles gathered by online services. As many of these services are nationwide, it would be interesting to see this bill in action

Senate Bills

Bill Author Caption Stage Notes
SB42 Zaffirni Relating to the security of courts and judges in the state. Effective on 9/1/17 Excepts disclosure of personal information of judges and their spouses from disclosure.
SB179 Menéndez Relating to student harassment, bullying, cyberbullying, injury to or death of a minor; creating a criminal offense. Effective on 9/1/17 David’s Law
SB532 Nelson Relating to reports on and purchase of information technology by state agencies. Effective on 9/1/17 One to keep an eye on. The bill directs agencies to provide information to the Department of Information Resources about their security programs and risks. DIR must provide a public analysis of the risks and plans.  Also has some language about cloud computing and state agencies.
SB564 Campbell Relating to the applicability of open meetings requirements to certain meetings of a governing body relating to information technology security practices. Effective on 9/1/17 Expands (currently only applies to the Department of Information Resources) an exception to open meetings requirements to allow for closed meetings of governmental bodies to discuss security assessments, network security information, or other security issues.
SB705 Birdwell Relating to an exception from disclosure under the public information law for certain personal information of an applicant for an appointment by the governor. Effective immediately Excepts the personal contact information of persons applying for appointment by the governor or the senate from public disclosure under the PIA.
SB843 Perry Relating to disclosure and use of certain information regarding the Crime Victims’ Compensation Act. Effective on 9/1/17 Prohibits the release of applications for compensation
SB1910 Zaffirini Relating to state agency information security plans, information technology employees, and online and mobile applications. Effective on 9/1/17  Requires each state agency to submit a security plan to the DIR.  Also calls out that if an agency has a CISO, that CISO should report outside of the IT department!!! 🙂

InfoSec SouthWest and other conference

It has been an interesting few months.  Since joining Gardere last November I’ve presented more than I can remember doing so in the past.  Now, in general I don’t really like presenting.  It isn’t one of my greatest fears, but it also isn’t a big deal.

What I do enjoy about the past few months of presentations, though, is the audiences.  I’ve been lucky enough to present to CIOs, clients, college students, and numerous lawyers through internal and external Continuing Legal Education (CLE) events.

Now, I’m a security guy right?  Why not present to security people?  Because it is less important to present to people that already “get it”.

The technology world, and specifically the security world need to be exposed to people outside of security.  The lawyers need to understand how to protect their clients and firms.  CIOs need to hear that security is important from someone other than their CISO.

Normal human beings need to understand how to protect themselves.

It has been very rewarding.

This weekend (in Austin) is the InfoSec SouthWest (ISSW) conference.  This will bring together some amazing security professionals.  I’m not presenting at ISSW but really looking forward to hearing people smarter than me educate me about security philosophy and technology.  There is always room to learn and grow.

Data classification: Attempting to solve for x without knowing a, b, and c.

Computerweekly.com has an interesting post on federal government security classifications and cloud provisioning.  The TLDR is that many federal agencies are paying too much, because they are classifying information incorrectly and vendors are happy to upsell protections.

In my experience in state government, the problem is very different.  To begin with few agencies have strong data classification policies.  In Texas, the Department of Information Resources published a data classification template that agencies can use to develop a classification scheme.  Personally, I think the template (and associate white paper) is a marvelous piece of work :).  It is unclear how many actually used the template, though.

The problem isn’t limited to Texas.  Based on discussion with the CISOs from other states, data classification is a difficult problem for many.

The issue raised is how to determine the appropriate protections for data when classification programs don’t exist.  The result is agencies will either over protect public data or under protect sensitive data.  Several states have a de facto policy of requiring all data to be hosted in the continental United States (conus).  While this is appealing, it also drives up prices for cloud services.

Many of the regulations that affect states (most recently CJIS) have dropped the conus requirements.  Requiring conus storage for “public” data is probably not the best use of taxpayer money.  Without a strong data classification program, though, it is hard to make informed decisions.