Current through Reg. 49, No. 50; December 13, 2024
Section 1.24 - Information Security and Privacy Requirements

(a) Purpose. The purpose of this rule is to provide the mechanism by which the Department will ensure the security and privacy of Protected Information belonging to persons who do business with the Department and those they serve.

(b) Definitions. The following words and terms, when used in this subchapter, shall have the following meanings, unless the context clearly indicates otherwise.

(1) Affiliate--Shall have the meaning assigned by the specific program or programs described in this title.

(2) Computing Device--Any computer, laptop, server, smart phone, or any other data processing device that is used to connect to the Department's network.

(3) Contractor--A third party, including, but not limited to, outside auditors and legal counsel, funding agencies, Vendors or Subrecipients, including any of its Representatives that may gain access to Protected Information on account of a contract with the Department.

(4) Criminal History Records Information--For the purposes of Tex. Gov't Code Chapter 411, Subchapter F, information collected about a person by a Criminal Justice Agency that consists of identifiable descriptions and notations of arrests, detentions, indictments, information, and other formal criminal charges and their dispositions. The term does not include:

(A) Identification information, including fingerprint records, to the extent that the identification information does not indicate involvement of the person in the criminal justice system; or

(B) Driving record information under Subchapter C, Chapter 521 Transportation Code.

(5) Department--The Texas Department of Housing and Community Affairs.

(6) Financial Statements of a Tax Credit Applicant--For purposes of Tex.
Gov't Code § 2306.6717(d) (Public Information and Hearings), a formal statement of the financial activities of a Low Income Housing Tax Credit Applicant, submitted to the Department as part of a Low Income Housing Tax Credit Application, including but not limited to, the balance sheet, income statement, cash flow statement or changes in equity.

(7) Information Resources--The procedures, equipment, and software that are employed, designed, built, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information, and associated personnel including consultants and contractors.

(8) Information Security and Privacy Agreement (ISPA)--An agreement between the Department and a Contractor implementing information security and privacy requirements of the Department.

(9) Non-Public Personal Information--For purposes of the Gramm-Leach-Bliley Act (15 USC §§ 6801-6809 and 6821-6827), and implementing regulations, personally identifiable financial information provided to the Department or any of its Contractors, resulting from any transaction with, or any service performed for a client or consumer, or otherwise obtained by the Department or its Contractors, unless the information is otherwise publicly available.

(10) Personal Identifying Information--For purposes of Tex. Bus. & Com. Code Chapter 521 (Unauthorized Use of Identifying Information), and any implementing regulations, information that alone or in conjunction with other information identifies an individual, including an individual's name, Social Security number, date of birth, or government-issued identification number, mother's maiden name, unique biometric data including fingerprint, voice print, retina or iris image, unique electronic identification number, address, or routing code, and telecommunication access devices as defined by Tex. Penal Code § 32.51.

(11) Personal or Business Financial Information--For purposes of Tex.
Gov't Code § 2306.039 (Open Meetings and Open Records), any personal or business financial information including, but not limited to, Social Security numbers, tax payer identification numbers, or bank account numbers submitted to the Department to receive a loan, grant, or other housing assistance by a housing sponsor, individual or family.

(12) Protected Health Information--For purposes of Tex. Health & Safety Code Chap. 181 (adopting definitions in 45 CFR § 160.103), any information that relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual, or can be used to identify the individual.

(13) Protected Information--Protected Health Information, Personal Identifying Information, Sensitive Personal Information, Personal or Business Financial Information, Non-Public Personal Information, Financial Statement of a Tax Credit Applicant, WAP Applications and Participation Information, Criminal History Records Information, and Victims of Violence Information.

(14) Representative--Any officer, employee, contractor, subcontractor, member, director, advisor, partner, or agent of Vendor/Subrecipient, or any person serving in such a role, however titled or designated.

(15) Sensitive Personal Information--For purposes of Tex. Bus. & Com.
Code Chapter 521 (Unauthorized Use of Identifying Information), an individual's first name or first initial and last name in combination with any one or more of the following items if the name and items are not encrypted:

(A) Social Security number;

(B) Driver's license or government-issued identification number;

(C) Account or credit/debit card number in combination with any required security code, access code, or password that would permit access; or

(D) Information that identifies or reveals an individual and the physical or mental health or condition of the individual, the provision of health care to the individual, or payment for the provision of health care to the individual.

(E) The term does not include publicly available information that is lawfully made publicly available.

(16) Subrecipient--An organization with whom the Department contracts, and entrusts to administer federal or state programs or funds, including but not limited to, units of local government, non-profit and for-profit corporations, administrators, community action agencies, collaborative applications, sub-grantees, developers, owners, land banks, participating mortgage lenders, and non-profit owner-builder housing providers. This also includes an Affiliate of a Subrecipient.

(17) Vendor--A person or organization that supplies goods or services, properly procured under relevant laws, to the Department.

(18) Victims of Violence Information--Any information submitted to a covered housing provider, including the Department and its Contractors pursuant to 24 CFR § 5.2007, including the fact that an individual is a victim of domestic violence, dating violence, sexual assault, or stalking. Also included pursuant to Tex.
Gov't Code § 552.138 is information regarding the location or physical layout, an employee, volunteer, former or current client, or the provision of services to a former or current client, a private donor, or a member of a board of directors or board of trustees of a family violence shelter center, victims of trafficking shelter center, or sexual assault program.

(19) WAP Applications and Participation Information--For purposes of Weatherization Program Notice 10-08, U.S. Department of Energy, issued February 1, 2010, regarding the Department of Energy Weatherization Assistance Program (WAP), any specifically identifying information related to an individual's eligibility application for WAP or the individual's participation in WAP, such as name, address, or income information.

(c) Applicability and Implementation.

(1) This rule applies to Contractors as defined in subsection (b)(3) of this section. This rule is not applicable to third parties that contract with the Department but have no access to Department Protected Information.

(2) Contractors with Department contracts that are active on the effective date of this rule shall have 180 calendar days from the effective date of this rule to enter into an ISPA with the Department. Contractors that execute new Department contracts or contract renewals on or after the effective date of this rule shall enter into an ISPA with the Department no later than the date of contract execution, if an ISPA with the Department is not already in place. The ISPA shall be in a form provided by the Department on its website. A Contractor must download, execute and return the contract according to instructions on the website and as directed by the Program Services Division of the Department.
A Contractor need only execute one ISPA, even if they participate with the Department in multiple programs or activities.

(3) The ISPA shall be effective with respect to all current and future contracts that Contractor has or will have with the Department for as long as the Contractor has access to Protected Information. Contractors receiving awards or contracts after the effective date of this rule must have an executed ISP Agreement on file with the Department's Program Services Division or enter into an ISP Agreement before work can begin on the new award or contract.

(4) Contractor and Department may agree to eliminate or reduce access to, or the generation of, any class of Protected Information related to Contractor's obligations to the Department, provided it does not impair Contractor's ability to fulfill its obligations to the Department.

(5) Contractor shall accept responsibility for all Representatives and ensure the safeguarding of Protected Information in accordance with applicable federal and state laws, and the terms and conditions set forth in the ISPA.

(6) The Department may, in its sole discretion, require Contractor to amend an ISPA in order to conform to state and/or federal law.

(d) ISPA Security Measures.
The ISPA shall include, among other requirements:

(1) Security measures for devices that connect to the Department network, and

(2) Security measures for maintenance of Department information external to the Department network, including, but not limited to:

(A) Maintaining an inventory of all information technology (IT) assets;

(B) Implementing and maintaining a risk management program;

(C) Ensuring information is recoverable in accordance with risk management decisions;

(D) Adhering to monitoring techniques for detecting, reporting, and investigating security incidents;

(E) Providing IT security training to employees;

(F) Conducting criminal background checks on employees with access to department information;

(G) Separating development and production environments;

(H) Following a software change control process;

(I) Maintaining and following an IT security policy that has been approved by the department; and

(J) Implementing other requirements reasonably necessary to ensure the security and privacy of Protected Information in the Contractor's possession or control.

(e) Breach. In the event of an actual or suspected breach involving Department Private Information stored by the Contractor, Contractor shall promptly notify the Department no later than twenty-four hours after discovery of the incident. The Contractor will coordinate and cooperate fully with the Department in making all breach notifications and taking all actions required by law to effect the required notifications.

(f) Texas Public Information Act. If Contractor receives a request pursuant to the Texas Public Information Act for Information maintained by Contractor on account of a contract with TDHCA, Contractor shall notify the Department within three calendar days of the receipt of the request by forwarding the request to open.records@tdhca.state.tx.us.

(g) Department Review.
Contractor and Representatives shall permit Department to conduct periodic IT general controls audits, Internet security scans, and internal network vulnerability assessments, and contract monitoring audits at reasonable times, and upon reasonable notice. Such reviews may be conducted by the Department, the Texas State Auditor's Office, the Texas Department of Information Resources, an applicable federal oversight agency, or any third parties under contract with one of these agencies.

10 Tex. Admin. Code § 1.24
The provisions of this §1.24 adopted to be effective June 29, 2014, 39 TexReg 4742; Adopted by Texas Register, Volume 44, Number 30, July 26, 2019, TexReg 3796, eff. 7/29/2019; Adopted by Texas Register, Volume 48, Number 17, April 28, 2023, TexReg 2180, eff. 5/4/2023