Select Page
 Texas lawmakers allow local governments and state agencies to discuss cybersecurity protections behind closed doors, reports South Texas attorney Omar Ochoa - cybersecurity protections - Titans of the Texas Legislature

FEATURED: The City of McAllen, led by Mayor Javier Villalobos, supported a new state law by the Texas Legislature, which went into effect on Friday, June 20, 2025, intended to provide local governments  and state agencies, boards and commissions more protection against cybersecurity breaches of their critical infrastructure, such as computer systems that make vital public services run effectively, according to South Texas attorney Omar Ochoa. Villalobos is seen here during the 4th annual Mexico-United States Binational Convention held in Mexico City in September 2025. During that event, Villalobos joined other leaders to discuss collaboration and investment between the two nations. 

Photograph Courtesy CITY OF MCALLEN FACEBOOK

••••••

Texas lawmakers allow local governments and state agencies to discuss cybersecurity protections behind closed doors, reports South Texas attorney Omar Ochoa

By DAVID A. DÍAZ 
[email protected]

A new state law approved earlier this year by the Texas Legislature – which was supported by the City of McAllen through its lobbyist, Amber Hausenfluck  – is intended to provide local governments  and state agencies, boards and commissions more protection against cybersecurity breaches of their critical infrastructure, such as computer systems that make vital public services run effectively, according to South Texas attorney Omar Ochoa.

Local governments are political subdivisions of a state, such as a counties, municipalities (cities), and special purpose districts, including independent school districts, that provide services and manage affairs within a specific geographic area. 

Texas has more than 140 state agencies and approximately 200 boards and commissions.

“This new law created by House Bill 3112 specifies that a governmental body does not have to discuss in open session any cybersecurity measures, policies, or contract solely intended to protect a critical infrastructure facility located in the jurisdiction of the governmental body,” Ochoa said. “In addition, in many cases, such government information would not have to be released to the public, unless such release was required by other state laws or federal laws or court orders.”

Cybersecurity is the practice of protecting systems, networks, and data from digital attacks. It uses a combination  of technologies, processes, and policies to safeguard against unauthorized access, damage, or theft of sensitive information. The goal is to ensure the confidentiality, integrity, and availability of digital assets for individuals and organizations.

Born and raised in Edinburg, Ochoa’s roots run deep in the community.

A graduate of Edinburg North High School, he went on to earn a business degree, a master’s in accounting, and a law degree from the University of Texas at Austin.

A champion for government transparency, Ochoa provides regular reports to the public on the Texas Public Information Act, the Texas Open Meetings Act, and existing and proposed state laws that affect the mainstream and social media and the people’s rights to know about the actions of their governments in the Lone Star State.

“This new state law was the result of concerns that the Open Meetings Act and the Public Information Act had loopholes regarding public access to cybersecurity measures that weakened the confidentiality and integrity against the threat of cyberattacks, according to the bill analysis of the measure,” said Ochoa. 

A bill analysis is a document prepared for all bills and joint resolutions reported out of a committee. A bill analysis may include background information on the measure, a statement of purpose or intent, and an analysis of the content of the measure.

A bill is a type of legislative measure that requires passage by both the Texas Senate and the Texas House of Representatives and action by the governor in order to become effective. A bill is the primary means used to create and change the laws of the state. 

The Open Meetings Act is a state law that requires government bodies in Texas to conduct their business in public meetings that are open to the public, with advance notice given to the public about the time, place and subject matter. The Open Meetings Act specifics situations where a closed meeting is permissible, such as for discussion of certain personnel matters or legal consultations.

The Public Information Act is a state law that guarantees public access to government records unless they are specifically not required to be disclosed, such as confidential information as defined by law, personnel and litigation-related information, certain real estate and legislative documents, and records that would hinder criminal investigations.

The law, authored by House Bill 3112 by Rep. Carl Tepper, R-Lubbock, went into effect on Friday, June 20, 2025. 

As author (also called primary author), Tepper was the legislator who filed House Bill 3112 and guided it through the legislative process.  

“Filed” is used to refer to a measure that has been introduced into the legislative process and given a number.

“Cybersecurity threats pose a significant risk for our critical infrastructure, including our electrical grid, water systems, and emergency communication networks,” Tepper testified on his House Bill 3112 during the public hearing on Wednesday, April 2, 2025 before the House Committee on Delivery of Government Efficiency.

“Critical infrastructure facility” means a communication infrastructure system, cybersecurity system, electric grid, electrical power generating facility, substation, switching station, electrical control center, dam, natural gas and natural gas liquids gathering, processing, and storage transmission and distribution system, hazardous waste treatment system, water treatment facility, water intake structure, wastewater treatment plant, pump station, or water pipeline and related support facility, equipment, and property.

Recent cybersecurity breaches in Texas have impacted millions of people, with notable incidents including a 1.4 million-record breach at Texas Tech University Health Sciences Center in September 2024, a cyberattack affecting Dallas County in 2023, and a 2025 breach act the Texas General Land Office that exposed natural disaster relief applicant data. These incidents highlight the significant threat to sensitive information in sectors like healthcare, government, and education, and are prompting the state to invest in improved cybersecurity measures.”

“Currently, our governmental bodies may be required to discuss cybersecurity measures in open meetings and disclose certain cybersecurity-related information under public information laws,” Tepper said of the  existing state law before House Bill 3132 became a new state law. “Disclosing information like coverage limits and deductible amounts for insurance for cybersecurity contracts is dangerous and makes governmental entities more susceptible to cyberattacks.”

Cyberattacks against local governments include ransomware, malware, phishing, data breaches, denial-of-service attacks, and hacking, which can disrupt essential services. These attacks often exploit vulnerabilities in outdated systems, weak authentication, and human error through tactics like social engineering and malicious emails. Local governments are premature targets because they hold valuable citizen data and provide critical public services, making them susceptible to a wide range of threats.

• Ransomware is a type of malicious software — or malware — that prevents an individual from accessing their computer files, systems, or networks and demands that the person pay a ransom for their return. Ransomware attacks can cause costly disruptions to operations and the loss of critical information and data. 

• Malware is a broad term for any software designed to intentionally cause harm, disruption, or gain unauthorized access to a computer, server or network.

• Phishing is the fraudulent practice of sending emails or other messages claiming to be from reputable sources in order to trick people into revealing personal information, such as passwords and credit card numbers.

• A data breach is the unauthorized acquisition of sensitive, protected, or confidential information that compromises the security, integrity, or confidentiality of that data. This can involve the, alteration, or destruction of such data such as personally identifiable information, financial details, or intellectual property that can occur through hacking, malware, phishing, or insider threats from an authorized individual who misses their access to cause harm.

• A denial of service (DOS) attack is a malicious attempt to make the online service, like a website or network, unavailable to its intended users by overwhelming it with traffic or requests. The target system becomes so flooded that it cannot respond to legitimate requests, leading to a crash or slowdown.

• “Hacking” refers to the act of gaining unauthorized access to a computer system or network. It can involve various methods and motivations, ranging from malicious attacks to ethical explorations of vulnerabilities. While often associated with illegal activity and data theft, hacking can also be used for defensive purposes, such as identifying and fixing security flaws.

Also during the Wednesday, April 2, 2025 public hearing before the House Committee on Delivery of Government Efficiency, Lubbock Mayor Mark W. McBrayer said he believed that for “except a few rare instances, no public good is enhanced by the required disclosure of (certain cybersecurity-related) information. 

“Instead, required disclosure only serves to provide unauthorized actors with avenues to maliciously attack government systems. House Bill 3112 would allow a governmental entity to protect itself against such exploitation by keeping certain information relating to insurance coverage and critical infrastructure from required disclosure,” McBrayer contended. “I believe the potential threat to public safety justifies adding these reasonable exceptions to the otherwise laudable transparency rules.”

Highlights of the Lubbock mayor’s testimony also featured his following comments:

• “The state of Texas has a longstanding policy and statutory framework that is in place that favors a transparency to the public of almost all government records and proceedings, but over the years certain exceptions to this policy in the law are being created when it is definitely and clearly in the public interest that certain information not be disclosed in certain instances.

• “A couple of examples: a governing body may discuss certain real estate transactions in closed session, and the obvious need for this exception is that open discussion of such topics might compromise the bargaining position of the governing body against potential opposing parties, and so the ultimate benefit accrues to the public and the taxpayer. 

• “The governing body may also receive advise from its attorneys in closed session, which is very similar to the long-recognized attorney-client privilege of protecting the relationship between a person and his attorney in confidential matters in seeking legal advice. Again, this ultimately benefits the public and the taxpayer.

• “Besides just the public discussion of sensitive matters that can be unnecessarily compromising of a governing body’s position, the releases of certain information on request can do the same thing. For this reason, the Legislature has created a number of exceptions to the Public Information Act as well. Some examples of public entities may withhold graphic crime scene images, a public entity may withhold information regarding an open criminal investigation, and a public entity may withhold certain information, such as the home address of public safety officers.

• “So recently public transparency laws have provided a tactical advantage to bad actors when targeting public entities with cyberattacks, known that those entities have the substantial ability to pay a ransom. 

Specific information such as types and limits of insurance coverage, as well as deductibles, and self-insurance amounts can be easily obtained through open records requests, provided that no other exception is provided. Transparency then creates an easily-exploitable vulnerability in so far as it can inform bad actors where and when to strike hard at a government entity.”

• Moreover, plans, schematics, locations, and other specific information regarding critical infrastructure systems often cannot be protected from disclosure, which leads to such things as public water and utility infrastructure in a very vulnerable state. The public relies on the safety and dependability of its critical physical and informational infrastructure for continuity of operations, and protection of these is very costly to government entities. Incapacitating or destroying these systems and assets would have a debilitating impact on economic and physical security, public health, and safety.

A bill analysis of House Bill 3112 was prepared by the House Research Organization, which is the  nonpartisan research arm of the House of Representatives.

The House Research Organization bill analysis follows:

House Bill 3112 specified that the Open Meetings Act did not require a governmental body to conduct an open meeting to deliberate a cybersecurity measure, policy, or contract solely intended to protect a critical infrastructure facility, as defined by the bill, in the governmental body’s jurisdiction. 

House Bill 3112 specified that the Open Meetings Act did not require a governmental body to conduct an open meeting to deliberate a cybersecurity measure, policy, or contract solely intended to protect a critical infrastructure facility, as defined by the bill, in the governmental body’s jurisdiction. 

House Bill 3112 exempted information from provisions of the Public Information Act requiring public information to be available to the public during the normal business hours of a governmental body if the information related to: 

• A cybersecurity measure, policy, or contract solely intended to protect a critical infrastructure facility in the governmental body’s jurisdiction;

• Coverage limits and deductible amounts for insurance or other risk mitigation coverages acquired for the protection of information technology (IT) systems, critical infrastructure, operational technology systems, governmental data, or money set aside to self-insure against associated risks; 

• Cybersecurity incident information reported pursuant to state law; and 

• Network schematics, hardware and software configurations, or encryption information or information that identified detection, investigation, or response practices for cybersecurity incidents that would facilitate unauthorized access to data, information, or IT resources. 

A governmental body could disclose information made confidential under House Bill 3112 to comply with applicable state or federal law or a court order. A governmental body required to disclose such information would be required to provide notice to the owner of the information and a person who was the subject of the information at least five business days before disclosing the information. The governmental body would have to retain all existing labeling on the information being disclosed.

More information on House Bill 3112 is available at:

That link provides the history, text, actions, amendments, authors, sponsors, witnesses for, against, and on, captions and bill stages of House Bill 3112.

The text of the final version of House Bill 3112 follows:

House Bill No. 3112

AN ACT

relating to the application of the open meetings law and public information law to government information related to certain cybersecurity measures.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1.  Subchapter D, Chapter 551, Government Code, is amended by adding Section 551.0761 to read as follows:

Sec. 551.0761.  DELIBERATION REGARDING CRITICAL INFRASTRUCTURE FACILITY; CLOSED MEETING.  

(a)  In this section:

(1)  “Critical infrastructure facility” means a communication infrastructure system, cybersecurity system, electric grid, electrical power generating facility, substation, switching station, electrical control center, dam, natural gas and natural gas liquids gathering, processing, and storage transmission and distribution system, hazardous waste treatment system, water treatment facility, water intake structure, wastewater treatment plant, pump station, or water pipeline and related support facility, equipment, and property.

(2)  “Cybersecurity” means the measures taken to protect a computer, a computer network, a computer system, or other technology infrastructure against unauthorized use or access.

(b)  This chapter does not require a governmental body to conduct an open meeting to deliberate a cybersecurity measure, policy, or contract solely intended to protect a critical infrastructure facility located in the jurisdiction of the governmental body.

SECTION 2.  Subchapter C, Chapter 552, Government Code, is amended by adding Section 552.1391 to read as follows:

Sec. 552.1391.  EXCEPTION:  CONFIDENTIALITY OF CYBERSECURITY MEASURES.  (a)  In this section:

(1)  “Critical infrastructure facility” has the meaning assigned by Section 551.0761.

(2)  “Cybersecurity” has the meaning assigned by Section 551.0761.

(b)  Information is excepted from the requirements of Section 552.021 if it is information that relates to:

(1)  a cybersecurity measure, policy, or contract solely intended to protect a critical infrastructure facility located in the jurisdiction of the governmental body;

(2)  coverage limits and deductible amounts for insurance or other risk mitigation coverages acquired for the protection of information technology systems, critical infrastructure, operational technology systems, or data of a governmental body or the amount of money set aside by a governmental body to self-insure against those risks;

(3)  cybersecurity incident information reported pursuant to state law; and

(4)  network schematics, hardware and software configurations, or encryption information or information that identifies the detection, investigation, or response practices for suspected or confirmed cybersecurity incidents if the disclosure of such information would facilitate unauthorized access to:

(A)  data or information, whether physical or virtual; or

(B)  information technology resources, including a governmental body's existing or proposed information technology system.

(c)  A governmental body may disclose information made confidential by this section to comply with applicable state or federal law or a court order. A governmental body that is required to disclose information described by Subsection (b) shall:

(1)  not later than the fifth business day before the date the information is required to be disclosed, provide notice of the required disclosure to the person or third party who owns the critical infrastructure facility or, in the event immediate disclosure is required, notify in writing the person or third party as soon as practicable but not later than the fifth business day after the information is disclosed; and

(2)  retain all existing labeling on the information being disclosed describing such information as confidential or privileged.

SECTION 3.  This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution.  If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2025.

••••••

For more on this and other Texas legislative news stories that affect the Rio Grande Valley metropolitan region, please log on to Titans of the Texas Legislature (TitansoftheTexasLegislature.com).

Titans of the Texas Legislature