KEY QUESTION: Are county employees and elected officials required by law to complete cybersecurity training?
MAIN REFERENCE POINT: Information Resources Act, Government Code, Chapter 2054, New Section 2054.5191
- House Bill 3834, passed by the 86th Texas Legislature, requires certain local government employees and elected officials to complete a cybersecurity training program certified by the Texas Department of Information Resources (DIR).
- The statute reads: “At least once each year, a local government shall identify local government employees who have access to a local government computer system or database and require those employees and elected officials of the local government to complete a cybersecurity training program certified under Section 2054.519 or offered under Section 2054.519(f).”
- The DIR, in consultation with the Texas Cybersecurity Council, is required by this legislation to certify at least five cybersecurity training programs. A link to the certified programs is available at https://bit.ly/2GZM7Oa. The Texas Association of Counties (TAC) cybersecurity training program has been certified by the DIR; for more information on TAC’s free course, go to https://www.county.org/Education-Training/State-Mandated-Cybersecurity-Course.
- Local governments must use a certified training program unless the local government employs a “dedicated information resources cybersecurity officer” and has a cybersecurity training program that satisfies the requirements.
- A dedicated information resources cybersecurity officer is an employee who: 1) has responsibility for information security for the represented organization; 2) possesses the training and experience required to administer cybersecurity functions; and 3) has information security duties as his or her primary duty (primary is defined as greater than 50 percent of the employee’s workload).
- The cybersecurity officer will need to submit a form confirming the officer meets the exception requirements. The online form, Local Government Cybersecurity Training & Awareness Program Exception Form, is available at https://bit.ly/2GZM7Oa.
- If part-time employees have access to a local government computer system or database, then they are required to complete training, according to the DIR.
- Appointed officials of local governments are not required to complete cybersecurity awareness training, according to the DIR. However, “ensuring that everyone has appropriate awareness of cybersecurity best practices can be beneficial to any organization.”
- The effective date of House Bill 3834 was June 14, 2019, meaning the annual training must be completed by June 14, 2020.
- According to the new law, the governing body shall:
  - verify and report on the completion of a cybersecurity training program by employees of the local government to the DIR; and
  - require periodic audits to ensure compliance with this section.