Sec. 2054.5191. CYBERSECURITY TRAINING REQUIRED: CERTAIN EMPLOYEES AND OFFICIALS. (a) Each state agency shall identify state employees who use a computer to complete at least 25 percent of the employee's required duties. At least once each year, an employee identified by the state agency and each elected or appointed officer of the agency shall complete a cybersecurity training program certified under Section 2054.519.
(a-1) At least once each year, a local government shall:
(1) identify local government employees and elected and appointed officials who have access to a local government computer system or database and use a computer to perform at least 25 percent of the employee's or official's required duties; and
(2) require the employees and officials identified under Subdivision (1) to complete a cybersecurity training program certified under Section 2054.519.
(a-2) The governing body of a local government or the governing body's designee may deny access to the local government's computer system or database to an individual described by Subsection (a-1)(1) who the governing body or the governing body's designee determines is noncompliant with the requirements of Subsection (a-1)(2).
(b) The governing body of a local government may select the most appropriate cybersecurity training program certified under Section 2054.519 for employees and officials of the local government to complete. The governing body shall:
(1) verify and report on the completion of a cybersecurity training program by employees and officials of the local government to the department; and
(2) require periodic audits to ensure compliance with this section.
(c) A state agency may select the most appropriate cybersecurity training program certified under Section 2054.519 for employees of the state agency. The executive head of each state agency shall verify completion of a cybersecurity training program by employees of the state agency in a manner specified by the department.
(d) The executive head of each state agency shall periodically require an internal review of the agency to ensure compliance with this section.
(e) The department shall develop a form for use by state agencies and local governments in verifying completion of cybersecurity training program requirements under this section. The form must allow the state agency and local government to indicate the percentage of employee completion.
(f) The requirements of Subsections (a) and (a-1) do not apply to employees and officials who have been:
(1) granted military leave;
(2) granted leave under the federal Family and Medical Leave Act of 1993 (29 U.S.C. Section 2601 et seq.);
(3) granted leave related to a sickness or disability covered by workers' compensation benefits, if that employee no longer has access to the state agency's or local government's database and systems;
(4) granted any other type of extended leave or authorization to work from an alternative work site if that employee no longer has access to the state agency's or local government's database and systems; or
(5) denied access to a local government's computer system or database by the governing body of the local government or the governing body's designee under Subsection (a-2) for noncompliance with the requirements of Subsection (a-1)(2).
Added by Acts 2019, 86th Leg., R.S., Ch. 1308 (H.B. 3834), Sec. 3, eff. June 14, 2019.
Amended by:
Acts 2021, 87th Leg., R.S., Ch. 51 (H.B. 1118), Sec. 2, eff. May 18, 2021.
Acts 2021, 87th Leg., R.S., Ch. 51 (H.B. 1118), Sec. 3, eff. May 18, 2021.