Bill Text: TX SB1779 | 2019-2020 | 86th Legislature | Comm Sub
Bill Title: Relating to security for state agency information and information technologies.
Spectrum: Partisan Bill (Republican 2-0)
Status: (Engrossed - Dead) 2019-05-21 - Placed on General State Calendar [SB1779 Detail]
Download: Texas-2019-SB1779-Comm_Sub.html
By: Paxton | S.B. No. 1779 | |
(Parker) | ||
|
||
|
||
relating to security for state agency information and information | ||
technologies. | ||
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
SECTION 1. Subtitle B, Title 10, Government Code, is | ||
amended by adding Chapter 2061, and a heading is added to that | ||
chapter to read as follows: | ||
CHAPTER 2061. INFORMATION SECURITY | ||
SECTION 2. Chapter 2061, Government Code, as added by this | ||
Act, is amended by adding Subchapter A to read as follows: | ||
SUBCHAPTER A. GENERAL PROVISIONS | ||
Sec. 2061.0001. DEFINITIONS. In this chapter: | ||
(1) "Breach of system security" has the meaning | ||
assigned by Section 521.053(a), Business & Commerce Code. | ||
(2) "Computer," "computer network," "computer | ||
program," "computer system," and "computer software" have the | ||
meanings assigned by Section 33.01, Penal Code. | ||
(3) "Confidential information" means information that | ||
is required to be protected from unauthorized disclosure or public | ||
release under state or federal law or a legal agreement. | ||
(4) "Cybersecurity" means the measures taken to | ||
protect a computer or computer system against unauthorized use or | ||
access. | ||
(5) "Data" has the meaning assigned by Section 33.01, | ||
Penal Code. | ||
(6) "Department" means the Department of Information | ||
Resources. | ||
(7) "Information resources" has the meaning assigned | ||
by Section 2054.003. | ||
(8) "Information security" means the protection of | ||
information and information systems from unauthorized access, use, | ||
disclosure, disruption, modification, or destruction to maintain | ||
the confidentiality, integrity, and availability of the | ||
information. | ||
(9) "Risk management" means the process of aligning | ||
information resources risk exposure with the organization's risk | ||
tolerance by accepting, transferring, or mitigating risk | ||
exposures. | ||
(10) "Security incident" means an event that results | ||
in the accidental or deliberate unauthorized access, loss, | ||
disclosure, disruption, modification, or destruction of | ||
information or information resources. | ||
(11) "Sensitive personal information" has the meaning | ||
assigned by Section 521.002, Business & Commerce Code. | ||
(12) "State agency" has the meaning assigned by | ||
Section 2054.003. | ||
(13) "Vulnerability" means a weakness in a system, | ||
application, or network that is subject to exploitation or misuse. | ||
Sec. 2061.0002. GENERAL POWERS OF DEPARTMENT. (a) The | ||
department may adopt rules as necessary to implement its | ||
responsibilities under this chapter. | ||
(b) The department may require each state agency to report | ||
to the department: | ||
(1) each agency's use of information security and | ||
cybersecurity technologies; | ||
(2) the effect of those technologies on the duties and | ||
functions of the agency; | ||
(3) the costs incurred by the agency in the | ||
acquisition and use of those technologies; | ||
(4) the procedures followed in obtaining those | ||
technologies; and | ||
(5) other information relating to information | ||
security and cybersecurity management that in the judgment of the | ||
department should be reported. | ||
(c) At the request of a state agency, the department may | ||
provide technical and managerial assistance relating to | ||
information security and cybersecurity management and | ||
technologies. | ||
(d) The department may report to the governor and to the | ||
presiding officer of each house of the legislature any factors that | ||
in the opinion of the department are outside the duties of the | ||
department but that inhibit or promote effective communication | ||
about and the use of information security and cybersecurity in | ||
state government. | ||
SECTION 3. Chapter 2061, Government Code, as added by this | ||
Act, is amended by adding Subchapter B, and a heading is added to | ||
that subchapter to read as follows: | ||
SUBCHAPTER B. GENERAL DUTIES RELATED TO CYBERSECURITY | ||
SECTION 4. Sections 2054.059, 2054.0591, 2054.0592, and | ||
2054.0594, Government Code, are transferred to Subchapter B, | ||
Chapter 2061, Government Code, as added by this Act, and | ||
redesignated as Sections 2061.0051, 2061.0052, 2061.0053, and | ||
2061.0054, Government Code, respectively, and amended to read as | ||
follows: | ||
Sec. 2061.0051 [ |
||
funds, the department shall: | ||
(1) establish and administer a clearinghouse for | ||
information relating to all aspects of protecting the cybersecurity | ||
of state agency information; | ||
(2) develop strategies and a framework for: | ||
(A) the securing of cyberinfrastructure by state | ||
agencies, including critical infrastructure; and | ||
(B) cybersecurity risk assessment and mitigation | ||
planning; | ||
(3) develop and provide training to state agencies on | ||
cybersecurity measures and awareness; | ||
(4) provide assistance to state agencies on request | ||
regarding the strategies and framework developed under Subdivision | ||
(2); and | ||
(5) promote public awareness of cybersecurity issues. | ||
Sec. 2061.0052 [ |
||
(a) Not later than November 15 of each even-numbered year, the | ||
department shall submit to the governor, the lieutenant governor, | ||
the speaker of the house of representatives, and the standing | ||
committee of each house of the legislature with primary | ||
jurisdiction over state government operations a report identifying | ||
preventive and recovery efforts the state can undertake to improve | ||
cybersecurity in this state. The report must include: | ||
(1) an assessment of the resources available to | ||
address the operational and financial impacts of a cybersecurity | ||
event; | ||
(2) a review of existing statutes regarding | ||
cybersecurity and information resources technologies; | ||
(3) recommendations for legislative action to | ||
increase the state's cybersecurity and protect against adverse | ||
impacts from a cybersecurity event; and | ||
(4) an evaluation of a program that provides an | ||
information security officer to assist small state agencies and | ||
local governments that are unable to justify hiring a full-time | ||
information security officer [ |
||
|
||
[ |
||
|
||
(b) The department or a recipient of a report under this | ||
section may redact or withhold information confidential under | ||
Chapter 552, including Section 552.139, or other state or federal | ||
law that is contained in the report in response to a request under | ||
Chapter 552 without the necessity of requesting a decision from the | ||
attorney general under Subchapter G, Chapter 552. | ||
Sec. 2061.0053 [ |
||
FUNDING. If a cybersecurity event creates a need for emergency | ||
funding, the department may request that the governor or | ||
Legislative Budget Board make a proposal under Chapter 317 to | ||
provide funding to manage the operational and financial impacts | ||
from the cybersecurity event. | ||
Sec. 2061.0054 [ |
||
ANALYSIS ORGANIZATION [ |
||
establish an information sharing and analysis organization | ||
[ |
||
public and private institutions of higher education, and the | ||
private sector to share information regarding cybersecurity | ||
threats, best practices, and remediation strategies. | ||
(b) [ |
||
|
||
|
||
[ |
||
|
||
shall provide administrative support to the information sharing and | ||
analysis organization [ |
||
(c) A participant in the information sharing and analysis | ||
organization shall assert any exception available under state or | ||
federal law, including Section 552.139, in response to a request | ||
for public disclosure of information shared through the | ||
organization. | ||
(d) A participant described by Subsection (c) may not make a | ||
voluntary disclosure under Section 552.007. | ||
SECTION 5. Chapter 2061, Government Code, as added by this | ||
Act, is amended by adding Subchapter C, and a heading is added to | ||
that subchapter to read as follows: | ||
SUBCHAPTER C. INFORMATION SECURITY OFFICER; INFORMATION SECURITY | ||
TRAINING AND REPORTS | ||
SECTION 6. Section 2054.136, Government Code, is | ||
transferred to Subchapter C, Chapter 2061, Government Code, as | ||
added by this Act, redesignated as Section 2061.0101, Government | ||
Code, and amended to read as follows: | ||
Sec. 2061.0101 [ |
||
INFORMATION SECURITY OFFICER. (a) Each state agency shall | ||
designate an information security officer who: | ||
(1) reports to the agency's executive-level | ||
management; | ||
(2) has authority over information security for the | ||
entire agency; | ||
(3) possesses the training and experience required to | ||
perform the duties required by department rules; and | ||
(4) to the extent feasible, has information security | ||
duties as the officer's primary duties. | ||
(b) On the department's approval, two or more state agencies | ||
may jointly designate an information security officer under | ||
Subsection (a) to serve as the information security officer for | ||
each agency. | ||
SECTION 7. Subchapter C, Chapter 2061, Government Code, as | ||
added by this Act, is amended by adding Section 2061.0102 to read as | ||
follows: | ||
Sec. 2061.0102. INFORMATION SECURITY TRAINING. The | ||
department may provide information security training for appointed | ||
board members, agency heads, and executive management of state | ||
agencies that is consistent with the cybersecurity awareness | ||
training provided in Section 2061.0108. | ||
SECTION 8. Section 2054.1125, Government Code, is | ||
transferred to Subchapter C, Chapter 2061, Government Code, as | ||
added by this Act, redesignated as Section 2061.0103, Government | ||
Code, and amended to read as follows: | ||
Sec. 2061.0103 [ |
||
BY STATE AGENCY. (a) The information security officer of a [ |
||
|
||
[ |
||
|
||
[ |
||
|
||
[ |
||
computerized data that includes sensitive personal information, | ||
confidential information, or information the disclosure of which is | ||
regulated by law shall, in the event of a breach or suspected breach | ||
of system security or an unauthorized exposure of that information: | ||
(1) comply with the notification requirements of | ||
Section 521.053, Business & Commerce Code, to the same extent as a | ||
person who conducts business in this state; and | ||
(2) not later than 48 hours after the discovery of the | ||
breach, suspected breach, or unauthorized exposure, notify: | ||
(A) the department, including the chief | ||
information security officer [ |
||
|
||
(B) if the breach, suspected breach, or | ||
unauthorized exposure involves election data, the secretary of | ||
state. | ||
(b) Not later than the 10th business day after the date of | ||
the eradication, closure, and recovery from a breach, suspected | ||
breach, or unauthorized exposure, a state agency shall notify the | ||
department, including the chief information security officer, of | ||
the details of the event. | ||
SECTION 9. Sections 2054.077, 2054.133, and 2054.515, | ||
Government Code, are transferred to Subchapter C, Chapter 2061, | ||
Government Code, as added by this Act, redesignated as Sections | ||
2061.0104, 2061.0105, and 2061.0106, Government Code, | ||
respectively, and amended to read as follows: | ||
Sec. 2061.0104 [ |
||
(a) [ |
||
|
||
[ |
||
of a state agency shall prepare or have prepared a report, including | ||
an executive summary of the findings of the biennial report, not | ||
later than October 15 of each even-numbered year, assessing the | ||
extent to which a computer, a computer program, a computer network, | ||
a computer system, a printer, an interface to a computer system, | ||
including mobile and peripheral devices, computer software, or data | ||
processing of the agency or of a contractor of the agency is | ||
vulnerable to unauthorized access or harm, including the extent to | ||
which the agency's or contractor's electronically stored | ||
information is vulnerable to alteration, damage, erasure, or | ||
inappropriate use. | ||
(b) [ |
||
vulnerability report and any information or communication prepared | ||
or maintained for use in the preparation of a vulnerability report | ||
is confidential and is not subject to disclosure under Chapter 552. | ||
(c) [ |
||
agency [ |
||
vulnerability report on its completion to: | ||
(1) the department; | ||
(2) the state auditor; | ||
(3) the agency's executive director; [ |
||
(4) the agency's designated information resources | ||
manager; and | ||
(5) any other information technology security | ||
oversight group specifically authorized by the legislature to | ||
receive the report. | ||
(d) [ |
||
Subsection (a) [ |
||
agency shall prepare a summary of the agency's vulnerability report | ||
that does not contain any information the release of which might | ||
compromise the security of the state agency's or state agency | ||
contractor's computers, computer programs, computer networks, | ||
computer systems, printers, interfaces to computer systems, | ||
including mobile and peripheral devices, computer software, data | ||
processing, or electronically stored information. The summary is | ||
available to the public on request. | ||
Sec. 2061.0105 [ |
||
(a) Each state agency shall develop, and periodically update, an | ||
information security plan for protecting the security of the | ||
agency's information. | ||
(b) In developing the plan, the state agency shall: | ||
(1) consider any vulnerability report prepared under | ||
Section 2061.0104 [ |
||
(2) incorporate the network security services | ||
provided by the department to the agency under Chapter 2059; | ||
(3) identify and define the responsibilities of agency | ||
staff who produce, access, use, or serve as custodians of the | ||
agency's information; | ||
(4) identify risk management and other measures taken | ||
to protect the agency's information from unauthorized access, | ||
disclosure, modification, or destruction; | ||
(5) include: | ||
(A) the best practices for information security | ||
developed by the department; or | ||
(B) a written explanation of why the best | ||
practices are not sufficient for the agency's security; and | ||
(6) omit from any written copies of the plan | ||
information that could expose vulnerabilities in the agency's | ||
network or online systems. | ||
(c) Not later than October 15 of each even-numbered year, | ||
each state agency shall submit a copy of the agency's information | ||
security plan to the department. Subject to available resources, | ||
the department may select a portion of the submitted security plans | ||
to be assessed by the department in accordance with department | ||
rules. | ||
(d) Each state agency's information security plan is | ||
confidential and exempt from disclosure under Chapter 552. | ||
(e) Each state agency shall include in the agency's | ||
information security plan a written document that is signed by | ||
[ |
||
agency, the chief financial officer, and each executive manager | ||
[ |
||
persons have been made aware of the risks revealed during the | ||
preparation of the agency's information security plan. | ||
(f) Not later than January 13 of each odd-numbered year, the | ||
department shall submit a written report to the governor, the | ||
lieutenant governor, and the legislature evaluating information | ||
security for this state's information resources. In preparing the | ||
report, the department shall consider the information security | ||
plans submitted by state agencies under this section, any | ||
vulnerability reports submitted under Section 2061.0104 | ||
[ |
||
of this state's information resources. The department shall omit | ||
from any written copies of the report information that could expose | ||
specific vulnerabilities in the security of this state's | ||
information resources. | ||
Sec. 2061.0106 [ |
||
SECURITY ASSESSMENT AND REPORT. (a) At least once every two | ||
years, each state agency shall conduct an information security | ||
assessment of the agency's information resources systems, network | ||
systems, digital data storage systems, digital data security | ||
measures, and information resources vulnerabilities. | ||
(b) Not later than December 1 of the year in which a state | ||
agency conducts the assessment under Subsection (a), the agency | ||
shall report the results of the assessment to the department. The[ |
||
|
||
house of representatives may obtain the report upon request to the | ||
department. | ||
(c) The department by rule shall [ |
||
requirements for the information security assessment and report | ||
required by this section. | ||
SECTION 10. Section 2054.516, Government Code, as added by | ||
Chapters 683 (H.B. 8) and 955 (S.B. 1910), Acts of the 85th | ||
Legislature, Regular Session, 2017, is reenacted, transferred to | ||
Subchapter C, Chapter 2061, Government Code, as added by this Act, | ||
redesignated as Section 2061.0107, Government Code, and amended to | ||
read as follows: | ||
Sec. 2061.0107 [ |
||
AND MOBILE APPLICATIONS OF STATE AGENCIES. (a) Each state | ||
agency[ |
||
|
||
application that processes any sensitive [ |
||
identifiable information or confidential information must: | ||
(1) submit a biennial data security plan to the | ||
department not later than October 15 of each even-numbered year to | ||
establish planned beta testing for the website or application; and | ||
(2) subject the website or application to a | ||
vulnerability and penetration test and address any vulnerability | ||
identified in the test. | ||
(b) The department shall review each data security plan | ||
submitted under Subsection (a) and make any recommendations for | ||
changes to the plan to the state agency as soon as practicable after | ||
the department reviews the plan. | ||
SECTION 11. Section 2054.135, Government Code, is | ||
transferred to Subchapter C, Chapter 2061, Government Code, as | ||
added by this Act, and redesignated as Section 2061.0108, | ||
Government Code, to read as follows: | ||
Sec. 2061.0108 [ |
||
state agency shall develop a data use agreement for use by the | ||
agency that meets the particular needs of the agency and is | ||
consistent with rules adopted by the department that relate to | ||
information security standards for state agencies. | ||
(b) A state agency shall update the data use agreement at | ||
least biennially, but may update the agreement at any time as | ||
necessary to accommodate best practices in data management. | ||
(c) A state agency shall distribute the data use agreement | ||
developed under this section, and each update to that agreement, to | ||
employees of the agency who handle sensitive information, including | ||
financial, medical, personnel, or student data. The employee shall | ||
sign the data use agreement distributed and each update to the | ||
agreement. | ||
(d) To the extent possible, a state agency shall provide | ||
employees described by Subsection (c) with cybersecurity awareness | ||
training to coincide with the distribution of: | ||
(1) the data use agreement required under this | ||
section; and | ||
(2) each biennial update to that agreement. | ||
SECTION 12. Subchapter C, Chapter 2061, Government Code, as | ||
added by this Act, is amended by adding Section 2061.0109 to read as | ||
follows: | ||
Sec. 2061.0109. BIENNIAL INFORMATION SECURITY REPORT. Not | ||
later than October 15 of each even-numbered year, the information | ||
security officer of each state agency shall submit an information | ||
security report for the agency. The report must include: | ||
(1) the vulnerability report required under Section | ||
2061.0104; | ||
(2) the information security plan developed under | ||
Section 2061.0105; | ||
(3) the information security assessment developed | ||
under Section 2061.0106; | ||
(4) the data security plan for online and mobile | ||
applications required under Section 2061.0107; and | ||
(5) the recommendations for cybersecurity and | ||
information resources and technology security training established | ||
under Section 2061.0155. | ||
SECTION 13. Chapter 2061, Government Code, as added by this | ||
Act, is amended by adding Subchapter D, and a heading is added to | ||
that subchapter to read as follows: | ||
SUBCHAPTER D. STATE CYBERSECURITY AND STATE CYBERSECURITY | ||
COORDINATOR | ||
SECTION 14. Sections 2054.511 and 2054.518, Government | ||
Code, are transferred to Subchapter D, Chapter 2061, Government | ||
Code, as added by this Act, redesignated as Sections 2061.0151 and | ||
2061.0154, Government Code, respectively, and amended to read as | ||
follows: | ||
Sec. 2061.0151 [ |
||
CYBERSECURITY COORDINATOR. The executive director of the | ||
department shall designate an employee of the department as the | ||
state cybersecurity coordinator to oversee cybersecurity matters | ||
for this state. | ||
Sec. 2061.0154 [ |
||
INCIDENTS. (a) The department shall develop a plan to address | ||
cybersecurity risks and incidents in this state. The department | ||
may enter into an agreement with a national organization, including | ||
the National Cybersecurity Preparedness Consortium, to support the | ||
department's efforts in implementing the components of the plan for | ||
which the department lacks resources to address internally. The | ||
agreement may include provisions for: | ||
(1) providing fee reimbursement for appropriate | ||
industry-recognized certification examinations for and training to | ||
state agency personnel [ |
||
cybersecurity risks and incidents; | ||
(2) developing and maintaining a cybersecurity risks | ||
and incidents curriculum using existing programs and models for | ||
training state agency personnel [ |
||
(3) delivering to state agency personnel with access | ||
to state agency networks routine training related to appropriately | ||
protecting and maintaining information technology systems and | ||
devices, implementing cybersecurity best practices, and mitigating | ||
cybersecurity risks and vulnerabilities; | ||
(4) providing technical assistance services to | ||
support preparedness for and response to cybersecurity risks and | ||
incidents; | ||
(5) conducting cybersecurity training and simulation | ||
exercises for state agency personnel [ |
||
coordination in defending against and responding to cybersecurity | ||
risks and incidents; | ||
(6) assisting state agencies in developing | ||
cybersecurity information-sharing programs to disseminate | ||
information related to cybersecurity risks and incidents; and | ||
(7) incorporating cybersecurity risk and incident | ||
prevention and response methods into existing state emergency | ||
plans, including continuity of operation plans and incident | ||
response plans. | ||
(b) In implementing the provisions of the agreement | ||
prescribed by Subsection (a), the department shall seek to prevent | ||
unnecessary duplication of existing programs or efforts of the | ||
department or another state agency. | ||
(c) In selecting an organization under Subsection (a), the | ||
department shall consider the organization's previous experience | ||
in conducting cybersecurity training and exercises for state | ||
agencies and political subdivisions. | ||
(d) The department shall consult with institutions of | ||
higher education in this state when appropriate based on an | ||
institution's expertise in addressing specific cybersecurity risks | ||
and incidents. | ||
SECTION 15. Sections 2054.512 and 2054.513, Government | ||
Code, are transferred to Subchapter D, Chapter 2061, Government | ||
Code, as added by this Act, and redesignated as Sections 2061.0152 | ||
and 2061.0153, Government Code, respectively, to read as follows: | ||
Sec. 2061.0152 [ |
||
(a) The state cybersecurity coordinator shall establish and lead a | ||
cybersecurity council that includes public and private sector | ||
leaders and cybersecurity practitioners to collaborate on matters | ||
of cybersecurity concerning this state. | ||
(b) The cybersecurity council must include: | ||
(1) one member who is an employee of the office of the | ||
governor; | ||
(2) one member of the senate appointed by the | ||
lieutenant governor; | ||
(3) one member of the house of representatives | ||
appointed by the speaker of the house of representatives; and | ||
(4) additional members appointed by the state | ||
cybersecurity coordinator, including representatives of | ||
institutions of higher education and private sector leaders. | ||
(c) In appointing representatives from institutions of | ||
higher education to the cybersecurity council, the state | ||
cybersecurity coordinator shall consider appointing members of the | ||
Information Technology Council for Higher Education. | ||
(d) The cybersecurity council shall: | ||
(1) consider the costs and benefits of establishing a | ||
computer emergency readiness team to address cyber attacks | ||
occurring in this state during routine and emergency situations; | ||
(2) establish criteria and priorities for addressing | ||
cybersecurity threats to critical state installations; | ||
(3) consolidate and synthesize best practices to | ||
assist state agencies in understanding and implementing | ||
cybersecurity measures that are most beneficial to this state; and | ||
(4) assess the knowledge, skills, and capabilities of | ||
the existing information technology and cybersecurity workforce to | ||
mitigate and respond to cyber threats and develop recommendations | ||
for addressing immediate workforce deficiencies and ensuring a | ||
long-term pool of qualified applicants. | ||
(e) The cybersecurity council shall provide recommendations | ||
to the legislature on any legislation necessary to implement | ||
cybersecurity best practices and remediation strategies for this | ||
state. | ||
Sec. 2061.0153 [ |
||
The state cybersecurity coordinator may establish a voluntary | ||
program that recognizes private and public entities functioning | ||
with exemplary cybersecurity practices. | ||
SECTION 16. Subchapter D, Chapter 2061, Government Code, as | ||
added by this Act, is amended by adding Section 2061.0155 to read as | ||
follows: | ||
Sec. 2061.0155. RECOMMENDATIONS FOR CYBERSECURITY AND | ||
INFORMATION RESOURCES AND TECHNOLOGY SECURITY TRAINING. The | ||
department shall develop recommendations for cybersecurity and | ||
information resources and technology security training for state | ||
agency personnel and post those recommendations on the department's | ||
Internet website. | ||
SECTION 17. Section 815.103, Government Code, is amended by | ||
adding Subsection (g) to read as follows: | ||
(g) The retirement system shall comply with cybersecurity | ||
and information security standards established by the Department of | ||
Information Resources under Chapter 2061. | ||
SECTION 18. Section 825.103, Government Code, is amended by | ||
amending Subsection (e) and adding Subsection (e-1) to read as | ||
follows: | ||
(e) Except as provided by Subsection (e-1), Chapters 2054, | ||
[ |
||
board of trustees shall control all aspects of information | ||
technology and associated resources relating to the retirement | ||
system, including computer, data management, and telecommunication | ||
operations, procurement of hardware, software, and middleware, and | ||
telecommunication equipment and systems, location, operation, and | ||
replacement of computers, computer systems, and telecommunication | ||
systems, data processing, security, disaster recovery, and | ||
storage. The Department of Information Resources shall assist the | ||
retirement system at the request of the retirement system, and the | ||
retirement system may use any service that is available through | ||
that department. | ||
(e-1) The retirement system shall comply with cybersecurity | ||
and information security standards established by the Department of | ||
Information Resources under Chapter 2061. | ||
SECTION 19. The following provisions of the Government Code | ||
are repealed: | ||
(1) Section 2054.076(b-1); | ||
(2) Section 2054.514; | ||
(3) Section 2054.517; and | ||
(4) the heading to Subchapter N-1, Chapter 2054. | ||
SECTION 20. (a) As soon as practicable after the effective | ||
date of this Act, but not later than August 31, 2020, the Department | ||
of Information Resources shall adopt rules necessary to implement | ||
the changes in law made by this Act. | ||
(b) A rule adopted by the Department of Information | ||
Resources under Chapter 2054, Government Code, related to | ||
information security and cybersecurity continues in effect under | ||
Chapter 2061, Government Code, as added by this Act. | ||
SECTION 21. To the extent of any conflict, this Act prevails | ||
over another Act of the 86th Legislature, Regular Session, 2019, | ||
relating to nonsubstantive additions to and corrections in enacted | ||
codes. | ||
SECTION 22. This Act takes effect September 1, 2019. |