The Texas Legislature considered and approved a variety of cybersecurity-related legislation during the 85th regular legislative session. Unless otherwise noted, each of the newly-enacted laws will go into effect on Sept. 1, 2017.
Substantively speaking, Texas has taken a leadership role in addressing various cybersecurity and data privacy issues. The Texas laws enacted in 2017 cover a wide range of relevant concerns, such as required practices for state agencies, continuous monitoring and auditing of network systems and processes, updating the penal code for the digital era, and important student data privacy protections. Other states have taken steps to address some of these issues, but the newly adopted Texas legislative approach is comprehensive.
House Bill 8 by Rep. Giovanni Capriglione – “Texas Cybersecurity Act”
The Texas Cybersecurity Act establishes certain cybersecurity requirements for all state agencies in Texas, adds cybersecurity as an element of the sunset review process, creates a cybersecurity council, and requires that certain agencies conduct studies and reports related to cybersecurity threats and responses. House Speaker Joe Straus commented that the overarching goal of HB 8 is “to ensure state agencies are good stewards of private data.”1
Consideration of Cybersecurity in Sunset Review Process
The Sunset Advisory Commission, an agency of the Texas Legislature, evaluates whether state agencies should be reformed, continued, or abolished, and makes recommendations to the Texas Legislature to that effect. When determining whether a public need exists for the continuation of a state agency, the Commission is now required to assess the agency’s cybersecurity practices using information provided by the Department of Information Resources (DIR) or any other appropriate state agency. (Tex. Gov’t Code § 325.011(14).)
Expanding the Role of the Texas DIR
HB 8 requires the DIR to develop and implement a plan to address cybersecurity risks and incidents in the state and authorized the agency to enter into an agreement, as needed, with an organization such as the National Cybersecurity Preparedness Consortium to support implementation efforts. (Tex. Gov’t Code § 2054.076(b-1).) The DIR is also required to establish an “information sharing and analysis center” to provide a forum for agencies to share information regarding cybersecurity threats, best practices, and remediation strategies. (Tex. Gov’t Code § 2054.518.)
The Cybersecurity Act requires the DIR to provide mandatory guidelines to state agencies regarding the continuing education requirements for cybersecurity training to be completed by all information resources employees. (Tex. Gov’t Code § 2054.076(b-1).) The DIR shall also establish the requirements for the biennial information security assessment and report that all state agencies must now conduct (discussed further below). (Tex. Gov’t Code § 2054.515(c).)
Changes for State Agencies
Prior to passage of HB 8, state agencies were required to identify information security issues and develop a plan to prioritize the remediation and mitigation of those issues. This legislation adds specificity to that requirement by delineating five specific elements that an agency must consider when identifying the issues and developing the plan. (Tex. Gov’t Code § 2054.575(a).)
Each state agency is now required to conduct an information security assessment of the agency's network systems, data storage systems, data security measures, and information resources vulnerabilities at least once every two years and to report the results to the DIR. (Tex. Gov’t Code § 2054.515(a-b).) Similarly, each state agency shall submit a biennial data security plan to the DIR and conduct a vulnerability and penetration test of the agency's website and any mobile applications that process any personally identifiable or confidential information. (Tex. Gov’t Code § 2054.516.)
Institutions of higher education must adopt and implement a policy for websites or mobile applications operated by the institution to ensure that the privacy of individuals is protected and the confidentiality of information processed by the websites or applications is preserved. (Tex. Gov’t Code § 2054.517.)
The Texas Cybersecurity Act makes key changes to the state’s Open Meetings Act. All governmental bodies in Texas will now be permitted to conduct closed meetings to deliberate network security assessments or deployments of security personnel, infrastructure, or devices. (Tex. Gov’t Code § 551.089.) This new exception offers the freedom that an entity needs to properly deliberate these sensitive matters. Yet, any entity utilizing this provision must be careful to limit such deliberations to the appropriate topic so as to not violate separate provisions of the Open Meetings Act.
With respect to data breaches, HB 8 expands the categories of information that, if compromised, would trigger an agency’s duty to notify affected individuals. (Tex. Gov’t Code § 2054.1125(b).) HB 8 also adds an additional requirement that state agencies must now report a data breach or suspected data breach of system security to the DIR. (Tex. Gov’t Code § 2054.1125(b).)
Another provision of the bill requires the Texas Secretary of State to conduct a study regarding cyberattacks on election infrastructure. The study must include an investigation of vulnerabilities in election infrastructure, information on any attempted cyberattack on a county’s voting machines or registered voter lists, and recommendations for protecting voting machines and voter lists. (Tex. Elec. Code § 276.011.) The Secretary of State must prepare a public summary of the report as well as a confidential report for elected officials that will be exempt from disclosure under the Texas Public Information Act. (Tex. Elec. Code § 276.011.)
Cybersecurity Council & Select Legislative Committees
HB 8 requires the establishment of a Cybersecurity Council and specifies the make-up of the Council, which will be led by the state cybersecurity coordinator and will also include: representatives from the Offices of the Governor, the Lieutenant Governor, and the Speaker of the House of Representatives; private sector leaders; and representatives of institutions of higher education. (Tex. Gov’t Code § 2054.512(a-c).) The Cybersecurity Council shall consider the costs and benefits of establishing a computer emergency readiness team, establish criteria for addressing cybersecurity threats, assess the knowledge, skills, and capabilities of the existing state cybersecurity workforce, consolidate and synthesize best practices, and provide recommendations to the legislature on legislation necessary to implement cybersecurity appropriate practices. (Tex. Gov’t Code § 2054.512(d-e).)
Finally, HB 8 calls for the creation of a Select Committee on Cybersecurity in both the House and Senate. Those Committees must, either jointly or separately, study the information security plans of each state agency and the risks and vulnerabilities of state agency cybersecurity.
The successful enactment of the Texas Cybersecurity Act shows that the state of Texas is serious about addressing cybersecurity as a matter of public policy. The Texas Legislature will be examining these issues closely via committees that will be formed and the reports and studies required by HB 8. The DIR has been given significant new responsibilities related to cybersecurity and will likely emerge as the go-to resource for such issues across Texas state government. The practical and immediate impact of HB 8 is that it will elevate information network and data security to be a top priority for a state agency or institution of higher education. And the Secretary of State will be hard at work ensuring that the state is following (and perhaps creating) adequate safeguards for our election infrastructure. Given the vast amount of confidential and/or personally identifiable information held by state agencies, this legislation provided a critical response to the ever-evolving cyber threats present today.
To effectively implement these new responsibilities, state agencies and institutions of higher education will need to develop reliable internal and external resources. It also will be important for state agencies and institutions of higher education to collaborate and coordinate among each other, and with the DIR, to sort through how best to comply with these myriad new responsibilities. Last, developing a network of subject matter experts will assist those impacted by HB 8 to comply with updated data breach notification procedures and Open Meetings Act exceptions.
House Bill 9 by Rep. Capriglione - the Texas Cybercrime Act
The Texas Cybercrime Act is a response to the lack of clearly-defined criminal offenses related to cyberattacks, hacking, and other nefarious activity related to networks, devices, and digital information. The bill creates classes of criminal offenses for denial of service attacks, ransomware, and intentional deceptive data alteration.
Electronic Access Interference
The Cybercrime Act creates the offense of “Electronic Access Interference,” a third degree felony. A person commits this offense by intentionally interrupting or suspending access to a computer system or network without the effective consent of the owner. (Tex. Penal Code § 33.022(a-b).) Importantly, the definition of this crime includes a defense to prosecution if the person who took an action described above did so with the intent to facilitate lawful access to a computer network or system for a legitimate law enforcement purpose. (Tex. Penal Code § 33.022(c).)
Electronic Data Tampering and Ransomware
HB 9 defines “Ransomware” as a computer contaminant or lock that restricts access, to an entire computer system or a computer file, by an unauthorized person to extort money from an authorized user and creates the offense of “Electronic Data Tampering.” (Tex. Penal Code § 33.023(a).) A person commits this offense if the person: intentionally alters data as it transmits between two computers through deception and without a legitimate business purpose; or intentionally introduces ransomware onto a computer network or system through deception and without a legitimate business purpose. (Tex. Penal Code § 33.023(b-c).) The seriousness of this offense is dependent on the aggregate amount of financial losses involved, starting with a Class A misdemeanor for $100 or less and scaling up to a first degree felony for $300,000 or more. (Tex. Penal Code § 33.023(d-1).) The starting point is raised to a state jail felony for an amount of $2,500 or less if it is shown that the defendant knowingly restricted a victim’s access to privileged information. (Tex. Penal Code § 33.023(d-2).)
This legislation is a positive step in the process of modernizing the Texas Penal Code and provides law enforcement agencies in Texas with more robust tools for fighting cybercrimes.
One key element of each of these new criminal statutes is the exception for legitimate business or law enforcement purposes. This important exception ensures that ‘white hat’ operations, internal network security testing conducted by a company on its own network or devices, or legal law enforcement activities do not unintentionally subject employees, contractors, or law enforcement personnel to criminal liability.
House Bill 2087 by Rep. VanDeaver – “Student Data Privacy Act”
After making a significant effort at passing similar legislation during the 2015 legislative session, Rep. VanDeaver succeeded this session in passing the Student Privacy Act. This important legislation provides strong privacy protections for student data within Texas public schools. Digital learning resources and internet-connected technology are transforming the classroom experience and the overall learning environment.
However, along with the many benefits that digital tools offer, there are also new risks that must be addressed, especially with respect to student data. HB 2087 struck a balance between addressing those risks while being careful not to stifle the benefits that these new digital tools offer. The legislation was based on a model student privacy law that had previously been enacted, with some variations, in at least 14 other states.
The Student Privacy Act prohibits the sale or rental of any student’s data (Tex. Educ. Code § 32.152), bans targeted advertising to students based upon their use of educational services (Id.), and prohibits the use of a student’s data to build a student profile for any purpose other than an educational purpose. (Id.) These important prohibitions protect students’ privacy while still allowing the flow of data and information inherently necessary for the utilization of digital learning technology.
HB 2087 generally prohibits disclosure of student data, but also specifies when a third-party operator of an online service or application may permissibly disclose student data, including: to ensure legal or regulatory compliance; to protect against liability; to protect the safety and security of a website or application or the users of the website or application; for legitimate educational or research purposes; to comply with a request by the Texas Education Agency or a school district for a school purpose; with express consent of a student, to share data solely to provide access to employment, scholarships, or other educational opportunities for the student. (Tex. Educ. Code § 32.153.)
The Student Data Privacy Act also specifies for what purposes an operator may use a student’s data, which is essentially limited to educational purposes and to improve educational products, but only if no data will be associated with an identifiable student. (Tex. Educ. Code § 32.154.)
Educational technology operators are also required to implement and maintain reasonable security procedures and practices designed to protect student data from unauthorized access, deletion, use, modification, or disclosure. (Tex. Educ. Code § 32.155.) Lastly, an operator must delete student data whenever a school or school district requests that the data be deleted, unless the student or student’s parent consents to the operator’s continued maintenance of the student’s data. (Tex. Educ. Code § 32.156.)
Interactive websites and mobile applications have already changed the way that students, teachers, parents, and administrators interact with each other and the learning environment. These important privacy protections will allow such innovative technology to continue to thrive.
Senate Bill 1196 by Sen. Kolkhorst – the “Nuisance Website Act”
SB 1196 authorizes an individual, the Texas Attorney General, or a Texas district, county, or city attorney to bring a suit to declare that a person operating a web address or network of two or more computers is maintaining a common nuisance in certain circumstances. (Tex. Civ. Prac. & Rem. Code § 125.0025.)
Nuisance Website Act actions may be brought under the Texas Civil Practice and Remedies Code against a person operating a web address engaging in: organized criminal activity as a member of a combination; prostitution, promotion of prostitution, or aggravated promotion of prostitution; compelling prostitution; sexual assault; aggravated sexual assault; continuous sexual abuse of a young child or children; massage therapy or other massage services in violation of Occupations Code provisions regulating massage therapy; employing a minor at a commercial enterprise the primary business of which is the offering of a service or the selling, renting, or exhibiting of items intended to provide sexual stimulation or sexual gratification to the customer; trafficking of persons; sexual conduct or performance by a child; or employment harmful to a child. (Tex. Civ. Prac. & Rem. Code § 125.0015(c), (d).)
This legislation represents a novel attempt to combat human trafficking through innovative means and by extending the already-existing framework of nuisance law into the digital arena. The bill was crafted with the goal of substantially slowing down the rapidly-increasing use of websites and digital platforms to facilitate the practice of human trafficking. Law enforcement agencies now have an expanded arsenal of civil tools to shut down portals to criminal activity. Attorneys experienced in nuisance actions should be aware of this novel application of nuisance law.
House Bill 3593 by Rep. Bernal – “Cybersecurity Education Act”
The Cybersecurity Education Act, which went into effect on May 15, 2017, requires the State Board of Education to allow public school districts to offer cybersecurity courses for credit for high school graduation and to create language credits for coding courses. (Tex. Educ. Code § 28.002(f)(2); 28.025(b-12).) In addition, a school district may offer a course about cybersecurity issues for credit without State Board approval if it partners with one or more institutions of higher education to develop and provide the course. (Tex. Educ. Code § 28.002(g-1).)
The Act expands the New Instructional Facilities Allotment to renovate existing facilities for cybersecurity labs (Tex. Educ. Code § 42.158.), moves technical application courses under career and technical education (CTE) (Tex. Educ. Code § 42.154(b).), gives teachers a CTE certification subsidy, and lists cybersecurity and coding under the Science, Technology, Engineering, and Mathematics (STEM) endorsement options. (Tex. Educ. Code § 28.025(c-10); 29.190(b).)
HB 3593 is an important step towards ensuring that the public education system in Texas is producing students equipped to be part of a 21st century workforce. Understanding the various elements of cybersecurity and how to code are crucial skills for many jobs that exist today and even more that will exist in the future. The technology sector has grown by leaps and bounds in Texas in recent decades, and creating a pipeline of students that are familiar with cybersecurity and coding is a key element to continuing that growth.