The Texas State Legislature meets every 2 years for 140 calendar days beginning second Tuesday in January. That is, unless the Governor calls for special sessions. Any bill it passes takes effect 90 days later unless it has a two thirds majority. The 2019 session closed on May 27. Hence this is a good time to review their decisions regarding data breach and data security.
We present the three most significant pieces of legislation they covered. Briefly, these are:
- NEW BILL HB 4390 “Relating to the privacy of personal identifying information and the creation of the Texas Privacy Protection Advisory Council”
- MODIFICATION TO EXISTING SB 122 “Identity Theft Enforcement and Protection Act”
- NEW BILL SB 936 “Relating to a Cyber Security Monitor for Certain Electrical Utilities”
Towards the close of this article we consider Texas lawmakers’ thinking regarding storing sensitive state government data in future.
Bill HB 4390 Privacy of Personal Information / Protection Advisory Council
The Texas Governor signed HB 4390 on June 14, 2019. The authors modelled their Bill on the California Consumer Privacy Act. However the legislature diluted it to the extent it no longer provides residents with additional privacy rights.
Instead, HB 4390 established a Texas Privacy Protection Advisory Council to “study data privacy laws in this state.” It furthermore determined:
- A complainant must report a breach of personal information within 60 days of becoming aware of it
- Under certain circumstances the breach must also be reported to the Texas Attorney General’s office
- The Texas Privacy Protection Advisory Council must report its findings to the legislature by September 1, 2020
The act broadly takes effect on September 1, 2019. However the Texas Privacy Protection Advisory Council will have to wait until January 1, 2020 for their authority to commence. This link takes you to the full text.
Modification to SB 122 “Identity Theft Enforcement and Protection Act”
HB 4390 adds a reporting time constraint to the Identity Theft Enforcement and Protection Act. In summary form, this Act as it stood laid down the following:
- No person shall obtain another person’s information without their consent when providing a service to them
- Breaches of personal confidentiality shall be reported to individuals concerned by service providers
- Moreover the offender shall file a report with the Texas Attorney General if a breach affects 250 or more state residents
- A police officer to whom breaches are reported shall make a written report to their employing agency
- Any person who violates the act may be liable for civil penalties recoverable by the attorney general
- Victims of identity theft may file a court application declaring they are a victim of said identity theft
As previously mentioned, HB 4390 added a provision such court application must be made within 60 days of it coming to the aggrieved person’s attention.
Bill SB 936 “A Cyber Security Monitor for Certain Electrical Utilities”
This new Bill, signed by the governor on June 10, 2019 will be effective on September 1 the same year. Its intention is to create a partnership between the Electric Reliability Council of Texas, the Public Utility Commission, and individual utilities to secure critical networks from cyber-attacks.
In terms of this new piece of legislation the Public Utility Commission shall subcontract an entity to:Manage a cybersecurity outreach program for monitored utilities
- Meet regularly with monitored utilities to discuss emerging threats
- Review self-assessments by monitored utilities of cybersecurity efforts
- Research and develop best business practices regarding cybersecurity
- Advise the Public Utility Commission on utility cybersecurity preparedness.
- The Electric Reliability Council of Texas shall further support the program using funds from its system administration budget.
This new piece of legislation updates the Texas Cybersecurity Act of 2017 that established certain cybersecurity-related requirements for all state agencies. This link takes you to the full text.
SB 819 Texas Lawmakers’ Thinking on Their Own Data Security
The Texas Department of Information Resources manages two state-of-the-art data centers. One of these is in North Austin, while the other is at Angelo State University. Both date back to a 2005 decision to consolidate individual state agency data.
The overarching goal was to make information simpler to retrieve, enable centralized technology upgrades, and improve disaster recovery readiness.
In summary form, these combined data centers deliver the following services to Texas user agencies:
- Create synergy between them through sharing costly facilities, simplifying own data processing, and focusing on their core business
- Deliver ancillary services including mainframe, server, network, data center, and print / mail support
- Support user agency legacy-centers while transferring their operations across to Texas Department of Information Resources facilities
- Provide services to smaller customers, while giving priority to larger state agencies in Texas.
A conversation developed quite early in 2019 whether to transfer these services to a cloud company like Amazon or Microsoft. Needless to say opinions were divided between what made commercial sense for some, and whether the state had a duty to curate its citizens’ own data.
A current contract with French-owned Atos to operate the facilities at North Austin and Angelo State University further muddied the debate. This agreement – worth $1.5 billion – expires in 2020 whereafter it could be possible to reassign the agreement, or discontinue it.
Following lengthy discussions the Texas legislature agreed Bill SB 819 relating to state agency electronic information and processes on May 25, 2019. The governor signed it on 10 June effective September the same year.
While this legislation does not enforce a decision on the future of the two Texas state data centers, the full text does require the Chief Data Officer to “reduce information collection costs incurred by this state”.
Currently 75% of state data is either at North Austin and Angelo State University. SB 819 potentially opens the doors to moving this to a private cloud. However, we predict the debates will roll on late into the night before Texas lawmakers reach a consensus on this one.
Not to mention what to do with 2 state-of-the-art data centers if the state contracts out its storage,