Election Advisory No. 2019-12

To: Election Officials
From: Keith Ingram, Director of Elections
Date: August 5, 2019

RE: House Bill 1421 and Election Security Assessments

In its 86th Regular Session (2019), the Texas Legislature enacted House Bill 1421, adding Chapter 279 to the Texas Election Code. The new Chapter 279—titled “Cybersecurity of Election Systems”—defines key election terms and imposes requirements on the Secretary of State and county election officers related to election security. HB 1421 takes effect September 1, 2019.

Election Security Best Practices

Under Section 279.002 of the Texas Election Code, the Secretary of State is required to adopt rules that (1) define classes of protected election data, and (2) establish best practices for identifying and reducing risk to the electronic use, storage, and transmission of election data and the security of election systems. The new legislation further provides that if state funds are available to assist counties, county election officers must implement cybersecurity measures to ensure that all devices with access to election data comply to the highest extent possible with the rules promulgated by the Secretary of State.

The Secretary of State's office is working with information security resources and county election officials to develop these best practices. When they are finalized, we will be sending out an election law advisory regarding these new policies and procedures.  

Training Requirements

Under Section 279.002, the Secretary of State is required to offer training on election security best practices to all appropriate personnel in the Secretary of State’s office and, on request, to county election officers. County election officers are required to request such training on an annual basis. All costs associated with such training shall be paid for by the Secretary of State with available state funds. The training will be web-based unless a county election officer requests in-person training, which will be provided when feasible. The Secretary of State will monitor web-based training compliance via the TEAM application. All users of TEAM will be required to complete this security training to maintain access to TEAM.

We will be sending out a separate email with instructions on how to request training for your county office. Please note that training will become available immediately and must be completed by September 30, 2019. Users who have not completed their security training by this date will no longer be allowed to access the TEAM application.

Breach Notification Requirements

HB 1421 also contains reporting requirements related to cybersecurity breaches. First, it states that if a county election officer becomes aware of a breach of cybersecurity that affects election data, the officer shall immediately notify the Secretary of State of such breach. Additionally, the bill provides that if the Secretary of State becomes aware of a cybersecurity breach, the Secretary shall immediately provide notice of the breach to members of the standing committees of each house of the legislature with jurisdiction over elections.

Once a county election officer becomes aware of a potential breach, they should make contact with the Secretary of State’s office within 24 hours of receiving such notification. County election officers can report cybersecurity breaches by contacting the Secretary of State’s office in person or by phone or email. The communication should be directed to the Director of Elections or the agency IT director. The best practices that our office is currently developing will include examples of reportable breaches and the necessary protocols to follow.

Election Security Assessments

HB 1421 also provides that if there are state funds available and the Secretary of State recommends an assessment, a county election officer shall request an assessment of the cybersecurity of the county’s election system from a provider of cybersecurity assessments. Texas has received funding from the U.S. Election Assistance Commission as a result of the 2018 Help America Vote Act (“HAVA”) Security Funding. As we announced in August 2018, the Secretary of State has partnered with the Texas Department of Information Resources (“DIR”) to provide an Election Security Assessment (“ESA”) program through DIR’s shared services contract. At the time the program was created, the ESAs were optional. HB 1421 makes these assessments mandatory for all counties.  

All paperwork associated with initiating a county ESA must be completed by December 31, 2019. Counties must complete their ESA by July 31, 2020.

If you have not already scheduled your ESA, please contact elecassessment@sos.texas.gov for more details about the program. 

Funding for Remediation

The Secretary of State is working with the DIR ESA vendor to develop remediation strategies and tools that will benefit counties statewide. Having an assessment will make those tools more understandable and effective. In addition, SOS will not be able to assess funding options for county-specific remediation recommendations until a significant number of counties have completed the ESAs. In other words, counties that do not complete an assessment in a timely manner may not benefit from additional HAVA-funded products and services.

KI:CA