KBS Reference Desk: Cybersecurity Training HB 3834

Q:       I noticed several provisions related to cybersecurity during the recent legislative session; is every district employee required to complete the referenced “cybersecurity training”? If not, how do we determine which employees must complete the training?

 

A:       No, not all employees must be trained. House Bill 3834 requires training only for employees who use a computer at least 25 percent of their day to complete required duties. 

House Bill 3834, effective June 14, 2019, was enacted to ensure that sensitive information maintained by the State and local governments remains protected from unauthorized users. The Bill requires that certain employees, as well as all of the State’s elected officials, annually complete a cybersecurity training program certified by the Texas Department of Information Resources (TDPI). The determining factor as to whether a particular employee is required to complete the cybersecurity training is the individual’s job duties.  Specifically, the Bill applies to employees “who use a computer to complete at least 25 percent of [their] required duties.” Gov’t. Code Sec. 2054.5191.  

HB 3834 also requires school district contractors and subcontractors to complete a certified cybersecurity training program if the contractor or subcontractor has access to a district computer system or database. The cybersecurity training program can be selected by the school district and must be completed by the contractor during the term of the given contract, including any renewal period (such as an automatic renewal). For contracts entered into or renewed after June 14, 2019, the required completion of a cybersecurity training program must be included in the terms of the contract. HB 3834 does not apply to contracts entered into or renewed before June 14, 2019. 

TDIR indicates it will release a list of certified training programs this October. Moreover, school districts that employ a dedicated information resource cybersecurity officer may offer the training internally so long as the program meets the statutory requirements. For specific questions pertaining to cybersecurity training, please contact your local school attorney.