Strengthening Cybersecurity for Municipalities in Texas is Now a Mandate
Sunday, September 1st, opens dove season in the north zone in Texas, college football will have started, and new laws go into effect in Texas. That priority is intentional!
One new bill mandates that cities train their personnel in cybersecurity every year. Of course, this is an unfunded mandate but still good policy. House Bill 3834 requires the Texas Department of Information Resources to certify 5 cybersecurity training programs for state and local government employees. This department currently has no certified programs but promises to publish a list of certified programs by October 2019. You can check back with the agency here: dir.texas.gov/view-about-DIR/information-security
The purpose of the program is to help you form security habits and procedures, and teach best practices for detecting, assessing, reporting and addressing threats.
Who is required to take the training? Any local government employee who uses a computer to complete at least 25% of his or her duties. That person must complete a certified cybersecurity training program every year. The deadline is June 14, 2020, which is a Sunday. (Expect a computer crash on Saturday.) This applies to contractors of state agencies who have access to a state computer system or database. Local governments are required to verify completion of the training program, and the new law requires audits to assure completion. It’s as if they don’t trust us.
THIS TRAINING PROGRAM REQUIREMENT APPLIES TO LOCAL ELECTED OFFICIALS
Local governments may use for training a “dedicated information resource cybersecurity officer,” defined as an employee who: 1.) has responsibility for information security for their represented organization; 2.) possesses the training and experience required to administer cybersecurity functions; and 3.) has information security duties as their primary duty (primary is defined as greater than 50% of the employee’s workload).
What steps are required to request a dedicated cybersecurity officer exception? The cybersecurity officer will need to submit a form confirming they meet the exception requirements. This form will be posted to the DIR website in September 2019.
Will there be any low- or no-cost certified training programs available? The DIR states that options for low- or no-cost training programs are being explored and details will be published once finalized. Stay tuned.
Can a local government submit a program for certification? Nope, the vendor must acquire the certification.
How serious is this? Very. On Friday morning, August 16th, more than 20 entities in Texas reported a ransomware attack; the majority of these were smaller local governments. One of those 20 was a client of mine and had just upgraded and updated their city hall servers. They sustained 60 virus attacks in a matter of minutes. Because of this coordinated attack, the State Operations Center was activated, and 14 agencies, both federal and state (including the Texas Military Department; didn’t know we had one), are supporting the fight against this incident. Ransomware is big business for hackers, with an estimated cost to date in Texas for public entities closing in on $13 million.
Hackers usually try to hack a universal system across government entities. The usual one is the police communication system because everyone has a police department. What else do local governments have that is universal? Lawyers. I know of one law firm that within 24 hours had their email, desk phone system, American Express card, and cell phone hacked because of an app on the cell phone that connected to the desk phone. Not a single dollar was lost or client file disturbed. But the FBI was concerned about ransomware to the firm’s client. What is the most important website for you to remember in this age of fighting cyber threats? The FBI’s Internet Crime Complaint Center (IC3).
Remember: www.IC3.GOV
Please do not rely on this article as legal advice. We can tell you what the law is, but until we know the facts of your given situation, we cannot provide legal guidance. This website is for informational purposes and not for the purposes of providing legal advice.