(a) Purpose. The purpose of this rule is to provide
the mechanism by which the Department will ensure the security and
privacy of Protected Information belonging to persons who do business
with the Department and those they serve.
(b) Definitions. The following words and terms, when
used in this subchapter, shall have the following meanings, unless
the context clearly indicates otherwise.
(1) Affiliate--Shall have the meaning assigned by the
specific program or programs described in this title.
(2) Computing Device--Any computer, laptop, server,
smart phone, or any other data processing device that is used to connect
to the Department's network.
(3) Contractor--A third party, including, but not limited
to, outside auditors and legal counsel, funding agencies, Vendors
or Subrecipients, including any and all of its Representatives that may
gain access to Protected Information on account of a contract with
the Department.
(4) Criminal History Records Information--For the purposes
of Tex. Gov't Code Chapter 411, Subchapter F, information collected
about a person by a Criminal Justice Agency that consists of identifiable
descriptions and notations of arrests, detentions, indictments, information,
and other formal criminal charges and their dispositions. The term
does not include:
(A) Identification information, including fingerprint
records, to the extent that the identification information does not
indicate involvement of the person in the criminal justice system;
or
(B) Driving record information under Subchapter C,
Chapter 521, Transportation Code.
(5) Department--The Texas Department of Housing and
Community Affairs.
(6) Financial Statements of a Tax Credit Applicant--For
purposes of Tex. Gov't Code §2306.6717(d) (Public Information
and Hearings), a formal statement of the financial activities of a
Low Income Housing Tax Credit Applicant, submitted to the Department
as part of a Low Income Housing Tax Credit Application, including
but not limited to, the balance sheet, income statement, cash flow
statement or changes in equity.
(7) Information Resources--The procedures, equipment,
and software that are employed, designed, built, operated, and maintained
to collect, record, process, store, retrieve, display, and transmit
information, and associated personnel including consultants and contractors.
(8) Information Security and Privacy Agreement (ISPA)--An
agreement between the Department and a Contractor implementing information
security and privacy requirements of the Department.
(9) Non-Public Personal Information--For purposes of
the Gramm-Leach-Bliley Act (15 USC §§6801-6809 and 6821-6827),
and implementing regulations, personally identifiable financial information
provided to the Department or any of its Contractors, resulting from
any transaction with, or any service performed for a client or consumer,
or otherwise obtained by the Department or its Contractors, unless
the information is otherwise publicly available.
(10) Personal Identifying Information--For purposes
of Tex. Bus. & Com. Code Chapter 521 (Unauthorized Use of Identifying
Information), and any implementing regulations, information that alone
or in conjunction with other information identifies an individual,
including an individual's name, Social Security number, date of birth,
or government-issued identification number, mother's maiden name,
unique biometric data including fingerprint, voice print, retina or
iris image, unique electronic identification number, address, or routing
code, and telecommunication access devices as defined by Tex. Penal
Code §32.51.
(11) Personal or Business Financial Information--For
purposes of Tex. Gov't Code §2306.039 (Open Meetings and Open
Records), any personal or business financial information including,
but not limited to, Social Security numbers, taxpayer identification
numbers, or bank account numbers submitted to the Department to receive
a loan, grant, or other housing assistance by a housing sponsor, individual
or family.
(12) Protected Health Information--For purposes of
Tex. Health & Safety Code Chap. 181 (adopting definitions in 45
CFR §160.103), any information that relates to the past, present,
or future physical or mental health or condition of an individual;
the provision of health care to an individual; or the past, present,
or future payment for the provision of health care to an individual,
and that identifies the individual, or can be used to identify the
individual.
(13) Protected Information--Protected Health Information,
Personal Identifying Information, Sensitive Personal Information,
Personal or Business Financial Information, Non-Public Personal Information,
Financial Statement of a Tax Credit Applicant, WAP Applications and
Participation Information, Criminal History Records Information, and
Victims of Violence Information.
(14) Representative--Any officer, employee, contractor,
subcontractor, member, director, advisor, partner, or agent of Vendor/Subrecipient,
or any person serving in such a role, however titled or designated.
(15) Sensitive Personal Information--For purposes of
Tex. Bus. & Com. Code Chapter 521 (Unauthorized Use of Identifying
Information), an individual's first name or first initial and last
name in combination with any one or more of the following items if
the name and items are not encrypted:
(A) Social Security number;
(B) Driver's license or government-issued identification
number;
(C) Account or credit/debit card number in combination
with any required security code, access code, or password that would
permit access; or
(D) Information that identifies or reveals an individual
and the physical or mental health or condition of the individual,
the provision of health care to the individual, or payment for the
provision of health care to the individual.
(E) The term does not include publicly available information
that is lawfully made publicly available.
(16) Subrecipient--An organization with whom the Department
contracts, and entrusts to administer federal or state programs or
funds, including but not limited to, units of local government, non-profit
and for-profit corporations, administrators, community action agencies,
collaborative applications, sub-grantees, developers, owners, land
banks, participating mortgage lenders, and non-profit owner-builder
housing providers. This also includes an Affiliate of a Subrecipient.
(17) Vendor--A person or organization that supplies
goods or services, properly procured under relevant laws, to the Department.
(18) Victims of Violence Information--Any information
submitted to a covered housing provider, including the Department
and its Contractors pursuant to 24 CFR §5.2007, including the
fact that an individual is a victim of domestic violence, dating violence,
sexual assault, or stalking. Also included pursuant to Tex. Gov't
Code §552.138 is information regarding the location or physical
layout, an employee, volunteer, former or current client, or the provision
of services to a former or current client, a private donor, or a member
of a board of directors or board of trustees of a family violence
shelter center, victims of trafficking shelter center, or sexual assault
program.
(19) WAP Applications and Participation Information--For
purposes of Weatherization Program Notice 10-08, U.S. Department of
Energy, issued February 1, 2010, regarding the Department of Energy
Weatherization Assistance Program (WAP), any specifically identifying
information related to an individual's eligibility application for
WAP or the individual's participation in WAP, such as name, address,
or income information.
(c) Applicability and Implementation.
(1) This rule applies to Contractors as defined in
subsection (b)(3) of this section. This rule is not applicable to
third parties that contract with the Department but have no access
to Department Protected Information.
(2) Contractors with Department contracts that are
active on the effective date of this rule shall have 180 calendar
days from the effective date of this rule to enter into an ISPA with
the Department. Contractors that execute new Department contracts
or contract renewals on or after the effective date of this rule shall
enter into an ISPA with the Department no later than the date of contract
execution, if an ISPA with the Department is not already in place.
The ISPA shall be in a form provided by the Department on its website.
A Contractor must download, execute and return the ISPA according
to instructions on the website. A Contractor need only execute one
ISPA, even if they participate with the Department in multiple programs
or activities.
(3) The ISPA shall be effective with respect to all
current and future contracts that Contractor has or will have with
the Department for as long as the Contractor has access to Protected
Information. Contractors receiving awards or contracts after the effective
date of this rule must have an executed ISPA on file with
the Department or enter into an ISPA before work can begin
on the new award or contract.
(4) Contractor and Department may agree to eliminate
or reduce access to, or the generation of, any class of Protected
Information related to Contractor's obligations to the Department,
provided it does not impair Contractor's ability to fulfill its obligations
to the Department.
(5) Contractor shall accept responsibility for all
Representatives and ensure the safeguarding of Protected Information
in accordance with applicable federal and state laws, and the terms
and conditions set forth in the ISPA.
(6) The Department may, in its sole discretion, require
Contractor to amend an ISPA in order to conform to state and/or federal
law.
(d) ISPA Security Measures. The ISPA shall include,
among other requirements:
(1) Security measures for devices that connect to the
Department network, and
(2) Security measures for maintenance of Department
information external to the Department network, including, but not
limited to:
(A) Maintaining an inventory of all information technology
(IT) assets;
(B) Implementing and maintaining a risk management
program;
(C) Ensuring information is recoverable in accordance
with risk management decisions;
(D) Adhering to monitoring techniques for detecting,
reporting, and investigating security incidents;
(E) Providing IT security training to employees;
(F) Conducting criminal background checks on employees
with access to Department information;
(G) Separating development and production environments;
(H) Following a software change control process;
(I) Maintaining and following an IT security policy
that has been approved by the Department; and
(J) Implementing other requirements reasonably necessary
to ensure the security and privacy of Protected Information in the
Contractor's possession or control.
(e) Breach. In the event of an actual or suspected
breach involving Department Protected Information stored by the Contractor,
Contractor shall promptly notify the Department, and no later than twenty-four
hours after discovery of the incident. The Contractor will coordinate
and cooperate fully with the Department in making all breach notifications
and taking all actions required by law to effect the required notifications.
(f) Texas Public Information Act. If Contractor receives
a request pursuant to the Texas Public Information Act for Information
maintained by Contractor on account of a contract with TDHCA, Contractor
shall notify the Department within three calendar days of the receipt
of the request by forwarding the request to open.records@tdhca.state.tx.us.
(g) Department Review. Contractor and Representatives
shall permit Department to conduct periodic IT general controls audits,
Internet security scans, and internal network vulnerability assessments,
and contract monitoring audits at reasonable times, and upon reasonable
notice. Such reviews may be conducted by the Department, the Texas
State Auditor's Office, the Texas Department of Information Resources,
an applicable federal oversight agency, or any third parties under
contract with one of these agencies.