We are thrilled to see a bill like H.B. 8 this legislative session, and with such a low bill number indicating a high commitment from leadership on this issue. H.B. 8 mandates a number of important cybersecurity measures to protect state agencies and personally identifiable information (PII). This kind of digital housekeeping is long overdue, and we hope to see it easily passed before the end of the session. In this spotlight, we’ll highlight some of the main action points of the bill and what we like about them.
Protection of Sensitive Information
We are especially fond of the provision that state agencies must destroy PII that agencies are not required to retain under the law. In the digital age, PII is currency and is commonly used for extortion. PII should only be collected and retained when absolutely necessary, and it should be protected at all costs. H.B. 8 also mandates the reduction of sensitive information on legacy systems, and dictates that procedures should be developed for modernizing, replacing, renewing, or disposing of legacy systems. Older systems are often more vulnerable to cyber threats, and we would be pleased to see these systems modernized.
Cybersecurity Training & Procedures
H.B. 8 also dictates the development of mandatory guidelines regarding cybersecurity training and certification to be completed by all information resources employees in state agencies. It also mandates the establishment of a cyberattack response plan to be implemented by state agencies in the event of a cyberattack. Most companies have implemented continuity of operations plans and incident response plans to ensure systems continue to function in the event of an attack, and government agencies should be no different. Some would argue government agencies should be more prepared than most organizations in the private sector.
We also like that the bill calls for the establishment of a Committee on Cybersecurity in the House and the Senate to study cybersecurity in the state, the information security of each state agency, and the risks and vulnerabilities of state agency cybersecurity. We have recently openly called for the creation of a technology and information committee in the House and Senate to oversee these and other tech-specific issues, and while this falls short of that more comprehensive committee, we consider this progress.
Third Party Security Audits
Many companies that deal with PII and sensitive data submit themselves to independent third-party audits to ensure their systems and facilities are as secure as possible. Government agencies should be no different. This bill mandates that at least every 5 years, state agencies must submit to an independent third-party audit for the assessment of exposure to security risks in information resources systems and must address any threats or vulnerabilities found.
Additionally, every time an agency launches a new website or application that processes any PII, it must submit a data security plan and must subject the new site or app to a vulnerability and penetration test conducted by an independent third party.
Election Cyberattack Study
The bill also dictates that the Texas Rangers shall conduct a study regarding cyberattacks on election infrastructure. The study shall include an investigation of vulnerabilities and risks of attack against county voting system machines or lists of voters, and recommendations for protecting a county’s voting system machines. Data breaches are a threat to modern voting systems, and our systems should be thoroughly assessed and protected by the most cutting-edge cybersecurity technologies and procedures available to uphold the integrity of our elections.
We believe these are all necessary actions that should be taken by our state’s government agencies to protect the data privacy and security of all, which is why we have rated this bill a 5. We commend the author of the bill for addressing these tedious but critical actions that must be taken to ensure our state government and our residents are protected from cyber threats.