HBA-SEP H.B. 249 77(R)
BILL ANALYSIS

Office of House Bill Analysis
H.B. 249
By: Pitts
State Affairs
7/9/2001
Enrolled

BACKGROUND AND PURPOSE

Prior to the 77th Legislature, the findings of a computer system vulnerability report conducted on or by a state agency may have been required to be made accessible to the public, a practice that could have compromised the safety of the state agency's electronically stored sensitive and confidential information. House Bill 249 provides that a vulnerability report is not subject to disclosure and requires a state agency, whose manager has prepared a vulnerability report, to prepare a summary of the report that excludes information that might compromise security to be made available to the public on request.

RULEMAKING AUTHORITY

It is the opinion of the Office of House Bill Analysis that this bill does not expressly delegate any additional rulemaking authority to a state officer, department, agency, or institution.

ANALYSIS

House Bill 249 amends the Government Code to authorize the information resources manager (manager) of a state agency to prepare a report assessing the extent to which a computer, a computer program, a computer network, a computer system, computer software, or data processing (computer technology) of the agency or agency's contractor is vulnerable to unauthorized access or harm, including the extent to which the electronically stored information is vulnerable to alteration, damage, or erasure. A vulnerability report or information gathered in preparation of a vulnerability report is confidential and is not subject to disclosure except on request from the Department of Information Resources, the state auditor, or any other information technology security oversight group specifically authorized by the legislature to receive the report.

The bill requires a state agency whose manager has prepared a vulnerability report to prepare a summary of the report that does not contain information that might compromise the security of the state agency's or agency contractor's computer technology, or electronically stored information. The summary is required to be made available to the public on request.

EFFECTIVE DATE

June 14, 2001.