Senator Wayne A. Harper proposes the following substitute bill:


1     DATA SECURITY MANAGEMENT COUNCIL
2     2015 GENERAL SESSION
3     STATE OF UTAH
4     Chief Sponsor: Wayne A. Harper
5     House Sponsor: Sophia M. DiCaro

6     

7     LONG TITLE
8     General Description:
9          This bill creates a Data Security Management Council to develop recommendations for
10     data security and risk assessment.
11     Highlighted Provisions:
12          This bill:
13          ▸     creates the Data Security Management Council; and
14          ▸     directs the council to study statewide data security issues and develop best practice
15     recommendations.
16     Money Appropriated in this Bill:
17          None
18     Other Special Clauses:
19          None
20     Utah Code Sections Affected:
21     ENACTS:
22          63F-2-101, Utah Code Annotated 1953
23          63F-2-102, Utah Code Annotated 1953
24          63F-2-103, Utah Code Annotated 1953
25     


26     Be it enacted by the Legislature of the state of Utah:
27          Section 1. Section 63F-2-101 is enacted to read:
28     CHAPTER 2. DATA SECURITY MANAGEMENT COUNCIL

29          63F-2-101. Title.
30          This chapter is known as "Data Security Management Council."
31          Section 2. Section 63F-2-102 is enacted to read:
32          63F-2-102. Data Security Management Council -- Membership -- Duties.
33          (1) There is created the Data Security Management Council composed of nine
34     members as follows:
35          (a) the chief information officer appointed under Section 63F-1-201, or the chief
36     information officer's designee;
37          (b) one individual appointed by the governor;
38          (c) one state legislator appointed by the speaker of the House of Representatives and
39     the president of the Senate from the Legislative Automation Committee of the Legislature; and
40          (d) the highest ranking information technology official, or the highest ranking
41     information technology official's designee, from each of:
42          (i) the Judicial Council;
43          (ii) the State Board of Regents;
44          (iii) the State Office of Education;
45          (iv) the Utah College of Applied Technology;
46          (v) the State Tax Commission; and
47          (vi) Office of the Attorney General.
48          (2) The council shall elect a chair of the council by majority vote.
49          (3) (a) A majority of the members of the council constitutes a quorum.
50          (b) Action by a majority of a quorum of the council constitutes an action of the council.
51          (4) The Department of Technology Services shall provide staff to the council.
52          (5) The council shall meet monthly, or as often as necessary, to:
53          (a) review existing state government data security policies;
54          (b) assess ongoing risks to state government information technology;
55          (c) create a method to notify state and local government entities of new risks;
56          (d) coordinate data breach simulation exercises with state and local government
57     entities; and
58          (e) develop data security best practice recommendations for state government that
59     include recommendations regarding:
60          (i) hiring and training a chief information security officer for each government entity;
61          (ii) continuous risk monitoring;
62          (iii) password management;
63          (iv) using the latest technology to identify and respond to vulnerabilities;
64          (v) protecting data in new and old systems; and
65          (vi) best procurement practices;
66          (6) A member who is not a member of the Legislature may not receive compensation
67     or benefits for the member's service but may receive per diem and travel expenses as provided
68     in:
69          (a) Section 63A-3-106;
70          (b) Section 63A-3-107; and
71          (c) rules made by the Division of Finance under Sections 63A-3-106 and 63A-3-107.
72          Section 3. Section 63F-2-103 is enacted to read:
73          63F-2-103. Data security management standards reporting.
74          (1) The council chair or the council chair's designee shall report annually no later than
75     October 1 of each year to the Public Utilities and Technology Interim Committee.
76          (2) The council's annual report shall contain:
77          (a) a summary of topics the council studied during the year;
78          (b) best practice recommendations for state government; and
79          (c) recommendations for implementing the council's best practice recommendations.