New laws are putting Texas at the forefront in addressing cybersecurity as a matter of public policy.
By Elizabeth Rogers
The 85th Texas Legislature considered and approved a variety of cybersecurity-related legislation during the regular session that went into effect a little over a year ago on September 1, 2017. From a substantive perspective, versus a numeric one, Texas has taken a leadership role in addressing various public sector cybersecurity and data privacy issues.
Texas laws cover a range of relevant concerns, such as required practices for state agencies, continuous monitoring and auditing of network systems and processes, updating the penal code for the digital era, and important student data privacy protections. Other states have taken steps to address some of these issues but the newly adopted Texas legislative approach is comprehensive.
House Bill 8—Texas Cybersecurity Act
The Texas Cybersecurity Act establishes certain cybersecurity requirements for all state agencies in Texas, adds cybersecurity as an element of the Sunset review process, creates a cybersecurity council, and requires that certain agencies conduct studies and reports related to cybersecurity threats and responses. Texas House Speaker Joe Straus commented that the overarching goal of HB 8 is “to ensure state agencies are good stewards of private data.”1
Consideration of Cybersecurity in Sunset Review Process. The Sunset Advisory Commission, an agency of the Texas Legislature, evaluates whether state agencies should be reformed, continued, or abolished, and makes recommendations to the Legislature to that effect. When determining whether a public need exists for the continuation of a state agency, the commission is now required to assess the agency’s cybersecurity practices using information provided by the Department of Information Resources, or DIR, or any other appropriate state agency.2
Expanding the Role of the Texas DIR. HB 8 requires the DIR to develop and implement a plan to address cybersecurity risks and incidents in the state and authorized the agency to enter into an agreement, as needed, with an organization such as the National Cybersecurity Preparedness Consortium to support implementation efforts.3 Earlier this year, the DIR worked with the Statewide Information Security Advisory Committee to create a statewide strategic five-year plan, with five goals.4
As part of the requirements of HB 8, the DIR will establish an “information sharing and analysis center,” or ISAC, in the fourth quarter of 2018, “to provide a forum for agencies to share information regarding cybersecurity threats, best practices, and remediation strategies.”5 And, mandatory guidelines and requirements are in progress for the cybersecurity training to be completed by all state agency information resources employees6 and the biennial information security assessment and report that all state agencies must now conduct (discussed further below).7
Changes for State Agencies. Prior to passage of HB 8, state agencies were required to identify information security issues and develop a plan to prioritize the remediation and mitigation of those issues. This legislation adds specificity to that requirement by delineating five specific elements that an agency must consider when identifying the issues and developing the plan.8,9
Each state agency is now required to conduct an information security assessment of the agency’s network systems, data storage systems, data security measures, and information resources vulnerabilities at least once every two years and to report the results to the DIR.10 Similarly, each state agency shall submit a biennial data security plan to the DIR and conduct a vulnerability and penetration test of the agency’s website and any mobile applications that process any personally identifiable or confidential information.11
Colleges and Universities. Institutions of higher education must adopt and implement a policy for websites or mobile applications operated by the institution to ensure that the privacy of individuals is protected and the confidentiality of information processed by the websites or applications is preserved.12
Open Meetings Act. The Texas Cybersecurity Act makes key changes to the state’s Open Meetings Act. All governmental bodies in Texas are now permitted to conduct closed meetings to deliberate network security assessments or deployments of security personnel, infrastructure, or devices.13 This new exception offers the freedom that an entity needs to properly deliberate these sensitive matters. Yet, any entity utilizing this provision must be careful to limit such deliberations to the appropriate topic so as to not violate separate provisions of the Open Meetings Act.
Data Breaches. With respect to data breaches, HB 8 expands the categories of information that, if compromised, would trigger an agency’s duty to notify affected individuals.14 HB 8 also adds an additional requirement that state agencies must now report a data breach or suspected data breach of system security to the DIR.15
Another provision of the bill requires the Texas secretary of state to conduct a study regarding cyberattacks on election infrastructure. The study must include an investigation of vulnerabilities in election infrastructure, information on any attempted cyberattack on a county’s voting machines or registered voter lists, and recommendations for protecting voting machines and voter lists.16 The secretary of state must prepare a public summary of the report as well as a confidential report for elected officials that is exempt from disclosure under the Texas Public Information Act.17
Cybersecurity Council and Select Legislative
Cybersecurity Council. In the first quarter of 2018, the Texas Cybersecurity Council was established to assist with implementation of HB 8. The council is led by the state cybersecurity coordinator and also includes representatives from the offices of the governor, the lieutenant governor, and the speaker of the House of Representatives, private sector leaders, and representatives of institutions of higher education.18 The Cybersecurity Council’s requirement to establish a computer emergency readiness team, or CERT, is in progress, including a review of its costs and benefits. Additionally, the Cybersecurity Council will further implement HB 8 by establishing criteria for addressing cybersecurity threats; assessing the knowledge, skills, and capabilities of the existing state cybersecurity workforce; consolidating and synthesizing best practices; and providing recommendations to the Legislature on legislation necessary to implement appropriate cybersecurity practices.19
Senate/House Committees on Cybersecurity. Finally, HB 8 calls for the creation of a Select Committee on Cybersecurity in both the House and Senate. Those committees must, either jointly or separately, study the information security plans of each state agency and the risks and vulnerabilities of state agency cybersecurity.
House Bill 9—the Texas Cybercrime Act
The Texas Cybercrime Act is a response to the lack of clearly defined criminal offenses related to cyberattacks, hacking, and other nefarious activity related to networks, devices, and digital information. The bill creates classes of criminal offenses for denial of service attacks, ransomware, and intentional deceptive data alteration.
Electronic Access Interference. The Cybercrime Act creates the offense of electronic access interference, a third-degree felony. A person commits this offense by intentionally interrupting or suspending access to a computer system or network without the effective consent of the owner.20 Importantly, the definition of this crime includes a defense to prosecution if the person who took an action described above did so with the intent to facilitate lawful access to a computer network or system for a legitimate law enforcement purpose.21
Electronic Data Tampering and Ransomware. HB 9 defines “ransomware” as a computer contaminant or lock that restricts access, to an entire computer system or a computer file, by an unauthorized person to extort money from an authorized user and creates the offense of electronic data tampering.22 A person commits this offense if the person intentionally alters data as it transmits between two computers through deception and without a legitimate business purpose or intentionally introduces ransomware onto a computer network or system through deception and without a legitimate business purpose.23 The seriousness of this offense is dependent on the aggregate amount of financial losses involved, starting with a Class A misdemeanor for $100 or less and scaling up to a first-degree felony for $300,000 or more.24 The starting point is raised to a state jail felony for an amount of $2,500 or less if it is shown that the defendant knowingly restricted a victim’s access to privileged information.25
This legislation is a positive step in the process of modernizing the Texas Penal Code and provides law enforcement agencies in Texas with more robust tools for fighting cybercrimes. One key element of each of these new criminal statutes is the exception for legitimate business or law enforcement purposes. This important exception ensures that “white hat” operations, internal network security testing conducted by a company on its own network or devices, or legal law enforcement activities do not unintentionally subject employees, contractors, or law enforcement personnel to criminal liability.
House Bill 2087—Student Data Privacy Act
This legislation provides strong privacy protections for student data within Texas public schools. Digital learning resources and internet-connected technology are transforming the classroom experience and the overall learning environment.
However, along with the many benefits that digital tools offer, there are also new risks that must be addressed, especially with respect to student data. HB 2087 struck a balance between addressing those risks while being careful not to stifle the benefits that these new digital tools offer. The legislation was based on a model student privacy law that had previously been enacted, with some variations, in at least 14 other states.
The Student Privacy Act prohibits the sale or rental of any student’s data,26 bans targeted advertising to students based upon their use of educational services,27 and prohibits the use of a student’s data to build a student profile for any purpose other than an educational purpose.28 These important prohibitions protect students’ privacy while still allowing the flow of data and information inherently necessary for the utilization of digital learning technology.
HB 2087 generally prohibits disclosure of student data but also specifies when a third-party operator of an online service or application may permissibly disclose student data, including: to ensure legal or regulatory compliance; to protect against liability; to protect the safety and security of a website or application or the users of the website or application; for legitimate educational or research purposes; to comply with a request by the Texas Education Agency or a school district for a school purpose; and, with express consent of a student, to share data solely to provide access to employment, scholarships, or other educational opportunities for the student.29
The Student Data Privacy Act also specifies for what purposes an operator may use a student’s data, which is essentially limited to educational purposes and to improve educational products, but only if no data will be associated with an identifiable student.30
Educational technology operators are also required to implement and maintain reasonable security procedures and practices designed to protect student data from unauthorized access, deletion, use, modification, or disclosure.31 Lastly, an operator must delete student data whenever a school or school district requests that the data be deleted, unless the student or student’s parent consents to the operator’s continued maintenance of the student’s data.32
Interactive websites and mobile applications have already changed the way that students, teachers, parents, and administrators interact with each other and the learning environment. These important privacy protections will allow such innovative technology to continue to thrive.
Senate Bill 1196—the Nuisance Website
SB 1196 authorizes an individual, the Texas attorney general, or a Texas district, county, or city attorney to bring a suit to declare that a person operating a web address or network of two or more computers is maintaining a common nuisance in certain circumstances.33
Nuisance Website Act actions may be brought under the Texas Civil Practice and Remedies Code against a person operating a web address engaging in: organized criminal activity as a member of a combination; prostitution, promotion of prostitution, or aggravated promotion of prostitution; compelling prostitution; sexual assault; aggravated sexual assault; continuous sexual abuse of a young child or children; massage therapy or other massage services in violation of business of which is the offering of a service or the selling, renting, or exhibiting of items intended to provide sexual stimulation or sexual gratification to the customer; trafficking of persons; sexual conduct or performance by a child; or employment harmful to a child.34
This legislation represents a novel attempt to combat human trafficking through innovative means and by extending the already-existing framework of nuisance law into the digital arena. The bill was crafted with the goal of substantially slowing down the rapidly increasing use of websites and digital platforms to facilitate the practice of human trafficking. Law enforcement agencies now have an expanded arsenal of civil tools to shut down portals to criminal activity. Attorneys experienced in nuisance actions should be aware of this application of nuisance law.
House Bill 3593—Cybersecurity Education Act
The Cybersecurity Education Act, which went into effect on May 15, 2017, requires the State Board of Education to allow public school districts to offer cybersecurity courses for credit for high school graduation and to create language credits for coding courses.35 In addition, a school district may offer a course about cybersecurity issues for credit without state board approval if it partners with one or more institutions of higher education to develop and provide the course.36
The act expands the New Instructional Facilities Allotment to renovate existing facilities for cybersecurity labs,37 moves technical application courses under career and technical education, or CTE,38 gives teachers a CTE certification subsidy, and lists cybersecurity and coding under the Science, Technology, Engineering, and Mathematics, or STEM, endorsement options.39
HB 3593 is an important step toward ensuring that the public education system in Texas is producing students equipped to be part of a 21st-century workforce. Understanding the various elements of cybersecurity and how to code are crucial skills for many jobs that exist today and even more that will exist in the future. The technology sector has grown by leaps and bounds in Texas in recent decades, and creating a pipeline of students who are familiar with cybersecurity and coding is a key element to continuing that growth.
The successful enactment of the Texas Cybersecurity Act, and a number of other laws in the 85th Legislature, shows that Texas is serious about addressing cybersecurity as a matter of public policy. The DIR has been given significant new responsibilities related to cybersecurity and will likely emerge as the go-to resource for such issues across Texas state government. The practical and immediate impact of HB 8 is that it elevates information network and data security as a top priority for state agencies and institutions of higher education in Texas. And the secretary of state is now expected to ensure that the state is following (and perhaps creating) adequate safeguards for election infrastructure. Given the vast amount of confidential and/or personally identifiable information held by state agencies, this legislation provided a critical response to the ever-evolving cyber threats present today.
The Texas Legislature is currently examining all of these issues closely via committees, the reports and studies required by HB 8, and the priorities for the 86th Legislature that will be recommended by the Cybersecurity Council. Some trade associations are also weighing in to suggest a focus on requirements for local government and mandatory cybersecurity insurance for the public sector.
To effectively implement these new responsibilities, and those on the horizon, state agencies and institutions of higher education need to develop reliable internal and external resources. It is also important for state agencies and institutions of higher education to collaborate and coordinate with one another, and with the DIR, to sort through how best to comply with these myriad new responsibilities. Last, developing a network of subject matter experts will assist those impacted by HB 8 to comply with updated data breach notification procedures and Open Meetings Act exceptions.
The author would like to give a special thanks to Aaron C. Gregg, who is an associate in the Government, Law & Policy Practice Group at Greenberg Traurig, and to Tom Morgan, industry relations director at Qualia. Gregg has more than a decade of experience, before and after law school, in working at the Texas Capitol, including advising clients concerning privacy legislation. Morgan has been involved in providing governmental affairs strategy in a variety of industries for over a decade.
Elizabeth Rogers is a partner in the Privacy and Cybersecurity Practice Group of Michael Best & Friedrich. She was the first chief privacy officer in Texas state government and has firsthand experience working with the DIR in developing a state agency cybersecurity and privacy division.