New Texas Cybersecurity Laws

    September 11, 2017

    The Texas Legislature considered and approved a variety of cybersecurity-related legislation during the 85th regular legislative session. Unless otherwise noted, each of the newly-enacted laws will go into effect on Sept. 1, 2017.

    Substantively speaking, Texas has taken a leadership role in addressing various cybersecurity and data privacy issues. The Texas laws enacted in 2017 cover a wide range of relevant concerns, such as required practices for state agencies, continuous monitoring and auditing of network systems and processes, updating the penal code for the digital era, and important student data privacy protections. Other states have taken steps to address some of these issues, but the newly adopted Texas legislative approach is comprehensive.

    House Bill 8 by Rep. Giovanni Capriglione – “Texas Cybersecurity Act”

    The Texas Cybersecurity Act establishes certain cybersecurity requirements for all state agencies in Texas, adds cybersecurity as an element of the sunset review process, creates a cybersecurity council, and requires that certain agencies conduct studies and reports related to cybersecurity threats and responses. House Speaker Joe Straus commented that the overarching goal of HB 8 is “to ensure state agencies are good stewards of private data.”1

    Consideration of Cybersecurity in Sunset Review Process

    The Sunset Advisory Commission, an agency of the Texas Legislature, evaluates whether state agencies should be reformed, continued, or abolished, and makes recommendations to the Texas Legislature to that effect. When determining whether a public need exists for the continuation of a state agency, the Commission is now required to assess the agency’s cybersecurity practices using information provided by the Department of Information Resources (DIR) or any other appropriate state agency. (Tex. Gov’t Code § 325.011(14).)

    Expanding the Role of the Texas DIR

    HB 8 requires the DIR to develop and implement a plan to address cybersecurity risks and incidents in the state and authorizes the agency to enter into an agreement, as needed, with an organization such as the National Cybersecurity Preparedness Consortium to support implementation efforts. (Tex. Gov’t Code § 2054.076(b-1).) The DIR is also required to establish an “information sharing and analysis center” to provide a forum for agencies to share information regarding cybersecurity threats, best practices, and remediation strategies. (Tex. Gov’t Code § 2054.518.)

    The Cybersecurity Act requires the DIR to provide mandatory guidelines to state agencies regarding the continuing education requirements for cybersecurity training to be completed by all information resources employees. (Tex. Gov’t Code § 2054.076(b-1).) The DIR shall also establish the requirements for the biennial information security assessment and report that all state agencies must now conduct (discussed further below). (Tex. Gov’t Code § 2054.515(c).)

    Changes for State Agencies

    Prior to passage of HB 8, state agencies were required to identify information security issues and develop a plan to prioritize the remediation and mitigation of those issues. This legislation adds specificity to that requirement by delineating five specific elements that an agency must consider when identifying the issues and developing the plan. (Tex. Gov’t Code § 2054.575(a).)

    Each state agency is now required to conduct an information security assessment of the agency's network systems, data storage systems, data security measures, and information resources vulnerabilities at least once every two years and to report the results to the DIR. (Tex. Gov’t Code § 2054.515(a-b).) Similarly, each state agency shall submit a biennial data security plan to the DIR and conduct a vulnerability and penetration test of the agency's website and any mobile applications that process any personally identifiable or confidential information. (Tex. Gov’t Code § 2054.516.)

    Institutions of higher education must adopt and implement a policy for websites or mobile applications operated by the institution to ensure that the privacy of individuals is protected and the confidentiality of information processed by the websites or applications is preserved. (Tex. Gov’t Code § 2054.517.)

    The Texas Cybersecurity Act makes key changes to the state’s Open Meetings Act. All governmental bodies in Texas will now be permitted to conduct closed meetings to deliberate network security assessments or deployments of security personnel, infrastructure, or devices. (Tex. Gov’t Code § 551.089.) This new exception offers the freedom that an entity needs to properly deliberate these sensitive matters. Yet, any entity utilizing this provision must be careful to limit such deliberations to the appropriate topic so as to not violate separate provisions of the Open Meetings Act.

    With respect to data breaches, HB 8 expands the categories of information that, if compromised, would trigger an agency’s duty to notify affected individuals. (Tex. Gov’t Code § 2054.1125(b).) HB 8 also adds an additional requirement that state agencies must now report a data breach or suspected data breach of system security to the DIR. (Tex. Gov’t Code § 2054.1125(b).)

    Another provision of the bill requires the Texas Secretary of State to conduct a study regarding cyberattacks on election infrastructure. The study must include an investigation of vulnerabilities in election infrastructure, information on any attempted cyberattack on a county’s voting machines or registered voter lists, and recommendations for protecting voting machines and voter lists. (Tex. Elec. Code § 276.011.) The Secretary of State must prepare a public summary of the report as well as a confidential report for elected officials that will be exempt from disclosure under the Texas Public Information Act. (Tex. Elec. Code § 276.011.)

    Cybersecurity Council & Select Legislative Committees

    HB 8 requires the establishment of a Cybersecurity Council and specifies the make-up of the Council, which will be led by the state cybersecurity coordinator and will also include: representatives from the Offices of the Governor, the Lieutenant Governor, and the Speaker of the House of Representatives; private sector leaders; and representatives of institutions of higher education. (Tex. Gov’t Code § 2054.512(a-c).) The Cybersecurity Council shall consider the costs and benefits of establishing a computer emergency readiness team, establish criteria for addressing cybersecurity threats, assess the knowledge, skills, and capabilities of the existing state cybersecurity workforce, consolidate and synthesize best practices, and provide recommendations to the legislature on legislation necessary to implement cybersecurity appropriate practices. (Tex. Gov’t Code § 2054.512(d-e).)

    Finally, HB 8 calls for the creation of a Select Committee on Cybersecurity in both the House and Senate. Those Committees must, either jointly or separately, study the information security plans of each state agency and the risks and vulnerabilities of state agency cybersecurity.

    Practical Implications

    The successful enactment of the Texas Cybersecurity Act shows that the state of Texas is serious about addressing cybersecurity as a matter of public policy. The Texas Legislature will be examining these issues closely via the committees that will be formed and the reports and studies required by HB 8. The DIR has been given significant new responsibilities related to cybersecurity and will likely emerge as the go-to resource for such issues across Texas state government. The practical and immediate impact of HB 8 is that it will elevate information network and data security to a top priority for every state agency and institution of higher education. And the Secretary of State will be hard at work ensuring that the state is following (and perhaps creating) adequate safeguards for our election infrastructure. Given the vast amount of confidential and/or personally identifiable information held by state agencies, this legislation provides a critical response to the ever-evolving cyber threats present today.

    To effectively implement these new responsibilities, state agencies and institutions of higher education will need to develop reliable internal and external resources. It also will be important for state agencies and institutions of higher education to collaborate and coordinate with one another, and with the DIR, to sort through how best to comply with these myriad new responsibilities. Last, developing a network of subject matter experts will assist those impacted by HB 8 in complying with the updated data breach notification procedures and Open Meetings Act exceptions.

    House Bill 9 by Rep. Capriglione – “Texas Cybercrime Act”

    The Texas Cybercrime Act is a response to the lack of clearly defined criminal offenses related to cyberattacks, hacking, and other nefarious activity involving networks, devices, and digital information. The bill creates classes of criminal offenses for denial of service attacks, ransomware, and intentional deceptive data alteration.

    Electronic Access Interference

    The Cybercrime Act creates the offense of “Electronic Access Interference,” a third degree felony. A person commits this offense by intentionally interrupting or suspending access to a computer system or network without the effective consent of the owner. (Tex. Penal Code § 33.022(a-b).) Importantly, the definition of this crime includes a defense to prosecution if the person who took an action described above did so with the intent to facilitate lawful access to a computer network or system for a legitimate law enforcement purpose. (Tex. Penal Code § 33.022(c).)

    Electronic Data Tampering and Ransomware

    HB 9 defines “Ransomware” as a computer contaminant or lock that restricts an authorized user’s access to an entire computer system or a computer file, placed by an unauthorized person in order to extort money from the authorized user, and creates the offense of “Electronic Data Tampering.” (Tex. Penal Code § 33.023(a).) A person commits this offense if the person: intentionally alters data as it transmits between two computers through deception and without a legitimate business purpose; or intentionally introduces ransomware onto a computer network or system through deception and without a legitimate business purpose. (Tex. Penal Code § 33.023(b-c).) The seriousness of this offense depends on the aggregate amount of financial losses involved, starting with a Class A misdemeanor for $100 or less and scaling up to a first degree felony for $300,000 or more. (Tex. Penal Code § 33.023(d-1).) The starting point is raised to a state jail felony for an amount of $2,500 or less if it is shown that the defendant knowingly restricted a victim’s access to privileged information. (Tex. Penal Code § 33.023(d-2).)

    This legislation is a positive step in the process of modernizing the Texas Penal Code and provides law enforcement agencies in Texas with more robust tools for fighting cybercrimes.

    One key element of each of these new criminal statutes is the exception for legitimate business or law enforcement purposes. This important exception ensures that ‘white hat’ operations, internal network security testing conducted by a company on its own network or devices, or legal law enforcement activities do not unintentionally subject employees, contractors, or law enforcement personnel to criminal liability.

    House Bill 2087 by Rep. VanDeaver – “Student Data Privacy Act”

    After making a significant effort at passing similar legislation during the 2015 legislative session, Rep. VanDeaver succeeded this session in passing the Student Privacy Act. This important legislation provides strong privacy protections for student data within Texas public schools. Digital learning resources and internet-connected technology are transforming the classroom experience and the overall learning environment.

    However, along with the many benefits that digital tools offer, there are also new risks that must be addressed, especially with respect to student data. HB 2087 struck a balance between addressing those risks while being careful not to stifle the benefits that these new digital tools offer. The legislation was based on a model student privacy law that had previously been enacted, with some variations, in at least 14 other states.

    The Student Privacy Act prohibits the sale or rental of any student’s data (Tex. Educ. Code § 32.152), bans targeted advertising to students based upon their use of educational services (Id.), and prohibits the use of a student’s data to build a student profile for any purpose other than an educational purpose. (Id.) These important prohibitions protect students’ privacy while still allowing the flow of data and information inherently necessary for the utilization of digital learning technology.

    HB 2087 generally prohibits disclosure of student data, but also specifies when a third-party operator of an online service or application may permissibly disclose student data, including: to ensure legal or regulatory compliance; to protect against liability; to protect the safety and security of a website or application or the users of the website or application; for legitimate educational or research purposes; to comply with a request by the Texas Education Agency or a school district for a school purpose; or, with the express consent of a student, to share data solely to provide access to employment, scholarships, or other educational opportunities for the student. (Tex. Educ. Code § 32.153.)

    The Student Data Privacy Act also specifies for what purposes an operator may use a student’s data, which is essentially limited to educational purposes and to improve educational products, but only if no data will be associated with an identifiable student. (Tex. Educ. Code § 32.154.)

    Educational technology operators are also required to implement and maintain reasonable security procedures and practices designed to protect student data from unauthorized access, deletion, use, modification, or disclosure. (Tex. Educ. Code § 32.155.) Lastly, an operator must delete student data whenever a school or school district requests that the data be deleted, unless the student or student’s parent consents to the operator’s continued maintenance of the student’s data. (Tex. Educ. Code § 32.156.)

    Interactive websites and mobile applications have already changed the way that students, teachers, parents, and administrators interact with each other and the learning environment. These important privacy protections will allow such innovative technology to continue to thrive.