Texas Municipal League Update: June 2019

The Texas Municipal League has had a busy year tracking city related legislation and lobbying on behalf of their member cities. There were over 2,000 city related bills introduced and more than 330 passed. If you are interested in more information on the 2019 Legislative Session efforts, please visit TML Legislative Update. 

Among the bills passed into law were four cybersecurity bills that may be of particular interest to our members.  Summaries of these are provided below:

• H.B. 3834 (Caprigilone/Paxton) – Cybersecurity Training: provides that: (1) the Department of Information Resources (DIR) with the cybersecurity council and industry stakeholders shall annually: (a) certify at least five cybersecurity training programs for state and local government employees; and (b) update standards for maintenance of certification by the cybersecurity training programs; (2) a certified training program must: (a) focus on forming information security habits and procedures that protect and procedures that protect information resources; (b) teach best practices for detecting, assessing, reporting and addressing information security threats; (3) DIR may identify and certify training programs provided by state agencies and local governments that satisfy the above requirements; (4) DIR shall annually publish on the its website the list of certified cybersecurity training programs; (5) a local government that employs a dedicated information resources cybersecurity officer may offer to its employees a cybersecurity training program that satisfies the certified requirements described in (2); (6) at least once a year, a local government shall identify employees who have access to a local government computer system or database and require those employees and elected officials of the local government to complete a certified cybersecurity training program; and (6) the governing body of the local government may select the most appropriate certified cybersecurity training program for employees to complete and shall: (a) verify and report on the completion of a cybersecurity training program by employees of the local government to DIR; and (b) require periodic audits to ensure compliance (effective immediately).
• S.B. 64 (Nelson/Phelan) – Cybersecurity: provides that: (1) a cybersecurity event is added to the definition of disaster under the Texas Disaster Act; (2) the Department of Information Resources (DIR) shall submit to the governor, the lieutenant governor and speaker of the house of representatives a report identifying preventative and recovery efforts the state can undertake to improve cybersecurity in this state, including an evaluation of a program that provides an information security officer to assist small state agencies and local governments that are unable to justify hiring a full-time information security officer; (3) DIR shall establish an information sharing and analysis organization to provide a forum for state agencies, local governments, public and private institutions of higher education and the private sector to share information regarding cybersecurity threats, best practices and remediation strategies; (4) the state cybersecurity coordinator shall establish a cyberstar certificate program to recognize public and private entities that implement the best practices for cybersecurity developed including: (a) measurable, flexible and voluntary cybersecurity risk management programs for public and private entities to adopt to prepare for and respond to cyber incidents that compromise the confidentiality, integrity and availability of the entities’ information systems; (b) appropriate training and information for employees or other individuals who are most responsible for maintaining security of the entities’ information systems; (c) consistency with the National Institute of Standards and Technology standards for information systems; (d) public service announcements to encourage cybersecurity awareness; and (e) coordination with local and state governmental entities; (5) each state agency and local government shall, in the administration of the agency or local government, consider using next generation technologies, including cryptocurrency, blockchain technology and artificial intelligence; and (6) the Public Utility Commission shall establish a program to monitor cybersecurity efforts among utilities, including a municipally owned electric utility, and the program shall: (a) provide guidance on best practices in cybersecurity and facilitate the sharing of cybersecurity information between utilities; (b) provide guidance on best practices for cybersecurity controls for supply chain risk management of cybersecurity systems used by utilities, which may include best practices related to: (i) software integrity and authenticity; (ii) vender risk management and procurement controls, including notification by vendors of incidents related to the vendor’s products and services; and (iii) vendor remote access (effective September 1, 2019).
• H.B. 1421 (Israel) – Election Cybersecurity: provides that: (1) the secretary of state shall adopt rules defining classes of protected election data and establishing best practices for identifying and reducing risk to the electronic use, storage and transmission of election data and the security of election systems; and (2) a county election officer shall request an assessment of the cybersecurity of the county’s election system from a provider of cybersecurity assessments if the secretary of state recommends an assessment and the necessary funds are available; and (3) if a county election officer becomes aware of a breach of cybersecurity that impacts election data, the officer shall immediately notify the secretary of state (effective September 1, 2019).
• S.B. 936 (Hancock) – Electric Cybersecurity Monitor: provides that: (1) a monitored utility is defined as: (a) a municipally owned utility or electric cooperative that owns or operates equipment or facilities in the ERCOT power region to transmit electricity at 60 or more kilovolts; or (b) an electric utility, municipally owned utility or electric cooperative that operates solely outside the ERCOT power region that has elected to participate in the cybersecurity monitor program; (2) the Public Utility Commission and ERCOT shall contract with an entity selected by the commission to act as the commission’s cybersecurity monitor to: (a) manage a comprehensive cybersecurity outreach program for monitored utilities; (b) meet regularly with monitored utilities to discuss emerging threats, best business practices and training opportunities; (c) review self-assessments voluntarily disclosed by monitored utilities of cybersecurity efforts; (d) research and develop best business practices regarding cybersecurity; (e) report to the commission on monitored utility cybersecurity preparedness; and (2) for an electric utility, municipally owned utility or electric cooperative that operates solely outside the ERCOT power region, the commission shall adopt rules establishing: (a) procedures to notify the commission, the independent organization and the cybersecurity monitor that the utility or cooperative elects to participate or to discontinue participation; and (b) a mechanism to require an electric utility, municipally owned utility or electric cooperative that elects to participate to contribute to the costs incurred by the independent organization (ffective September 1, 2019).

Texas DIR is charged with the development and roll-out of programs associated with two of these new laws. During the Strategic Planning Session later this month, the TAGITM Board will be discussing opportunities to engage with DIR to represent the interests of our members in the development of these new programs.

Just a reminder, the 2019 TML Conference will be held October 9-11 in San Antonio.  Housing and registration open in July.