Relating to the application of the open meetings law and public information law to government information related to certain cybersecurity measures.
ModeratePlan for compliance
Low Cost
Effective:2025-06-20
01
Compliance Analysis
Key implementation requirements and action items for compliance with this legislation
Implementation Timeline
Effective Date:June 20, 2025 (Law is currently in effect).
Compliance Deadline:Immediate. You must apply these protections to all current bids, active contracts, and pending open records requests immediately.
Agency Rulemaking: No formal rulemaking is mandated; however, the Texas Attorney General’s Open Records Division (ORD) will set binding precedents through individual ruling letters over the next 6-12 months.
Immediate Action Plan
1.Audit Active Bids: Immediately review all pending proposals. If "Critical Infrastructure" is involved, formally request that negotiations regarding security be held in Closed Session.
2.Update Document Templates: Add a watermark/footer to all government deliverables: *"CONFIDENTIAL: Exempt from disclosure per Texas Gov't Code Sec. 552.1391."*
3.Establish Notice Protocol: Create a dedicated email alias for statutory notices and embed this address into all Government Master Services Agreements (MSAs).
4.Challenge Pending Requests: If you have data currently subject to an AG Open Records ruling request, submit a supplemental brief immediately citing HB3112.
Operational Changes Required
Contracts
You must restructure how you draft agreements with government entities to trigger the "solely intended" exemption in Sec. 552.1391(b)(1).
Segregate SOWs: Do not bundle cybersecurity services with general operational maintenance. Create a standalone Statement of Work (SOW) or contract *solely* for cybersecurity/critical infrastructure protection. Bundled contracts risk losing the exemption.
Mandatory Notice Clause: Insert a provision requiring the government client to send the statutory 5-day notice of potential disclosure to a specific, monitored email address (e.g., `legal@yourfirm.com`).
Hiring/Training
Sales Teams: Train sales staff to request Closed Sessions (under Sec. 551.0761) for any portion of a pitch or negotiation involving security specifications or network schematics.
Project Managers: Staff handling government accounts must be trained to watermark all deliverables (maps, configs, reports) as confidential under this specific statute before submission.
Reporting & Record-Keeping
Insurance Disclosures: When providing Certificates of Insurance (COI) or policy documents to government clients, you may now submit full policy details. However, you must explicitly label the coverage limits and deductible amounts as confidential under Sec. 552.1391(b)(2) to prevent them from becoming a "menu" for ransomware actors.
Incident Reporting: Any breach notification or incident report submitted to a government client must be stamped confidential under Sec. 552.1391(b)(3).
Fees & Costs
No New Fees: The state imposes no new filing fees.
Cost Impact: Minimal administrative costs related to contract redrafting and document management system updates.
Strategic Ambiguities & Considerations
"Solely Intended" Standard: The exemption applies to contracts "solely intended" for protection. If a software platform provides both operational efficiency (e.g., water flow management) *and* security, the AG may rule the contract is not "solely" for protection. Strategy: Isolate security components into separate legal agreements.
"Facilitate Unauthorized Access": Sec. 552.1391(b)(4) protects network schematics only if disclosure would "facilitate unauthorized access." This is subjective. Strategy: Attach a memo to sensitive diagrams explaining specifically *how* a bad actor would exploit the information (e.g., "reveals unpatched legacy IP addresses").
Need Help Understanding Implementation?
Our government affairs experts can walk you through this bill's specific impact on your operations.
Information presented is for general knowledge only and is provided without warranty, express or implied. Consult qualified government affairs professionals and legal counsel before making compliance decisions.
The bill author has informed the committee that cyber attacks can compromise the confidentiality, integrity, and availability of public records and meetings, posing a significant threat to transparency and accountability in government operations, and that certain cities have requested legislation that ensures the confidentiality of certain deliberations and records regarding cybersecurity measures. C.S.H.B. 3112 addresses these issues by establishing that a governmental body is not required to conduct an open meeting to deliberate cybersecurity measures, policies, or contracts relating to the protection of critical infrastructure and exempting certain cybersecurity information from the public availability requirement of state public information law. The bill also requires a governmental body that is required to disclose covered information to notify each person who owns and is the subject of the information.
CRIMINAL JUSTICE IMPACT
It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.
RULEMAKING AUTHORITY
It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.
ANALYSIS
C.S.H.B. 3112 amends the Government Code to establish that state open meetings law does not require a governmental body to conduct an open meeting to deliberate a cybersecurity measure, policy, or contract solely intended to protect a critical infrastructure facility located in the jurisdiction of the governmental body.
C.S.H.B. 3112 excepts information from the public availability requirement of state public information law if the information relates to the following:
·a cybersecurity measure, policy, or contract solely intended to protect a critical infrastructure facility located in the jurisdiction of the governmental body;
·coverage limits and deductible amounts for insurance or other risk mitigation coverages acquired for the protection of information technology systems, critical infrastructure, operational technology systems, or data of a governmental body or the amount of money set aside by a governmental body to self-insure against those risks;
·cybersecurity incident information reported pursuant to state law; and
·network schematics, hardware and software configurations, or encryption information or information that identifies the detection, investigation, or response practices for suspected or confirmed cybersecurity incidents if the disclosure of such information would facilitate unauthorized access to data or information, whether physical or virtual, or to information technology resources, including a governmental body's existing or proposed information technology system.
The bill authorizes a governmental body to disclose such confidential information to comply with applicable state or federal law or a court order. The bill requires a governmental body that is required to disclose such information to retain all existing labeling on the information being disclosed and to provide notice of the required disclosure, not later than the fifth business day before the date the information is disclosed, to a person who owns the information and to a person who is the subject of the information.
C.S.H.B. 3112 defines the following terms:
·"critical infrastructure facility" as a communication infrastructure system, cybersecurity system, electric grid, electrical power generating facility, substation, switching station, electrical control center, natural gas and natural gas liquids gathering, processing, and storage transmission and distribution system, hazardous waste treatment system, water treatment facility, water intake structure, wastewater treatment plant, pump station, or water pipeline and related support facility, equipment, and property; and
·"cybersecurity" as the measures taken to protect a computer, a computer network, a computer system, or other technology infrastructure against unauthorized use or access.
EFFECTIVE DATE
On passage, or, if the bill does not receive the necessary vote, September 1, 2025.
COMPARISON OF INTRODUCED AND SUBSTITUTE
While C.S.H.B. 3112 may differ from the introduced in minor or nonsubstantive ways, the following summarizes the substantial differences between the introduced and committee substitute versions of the bill.
The substitute includes a requirement absent from the introduced for a governmental body that is required to disclose certain information to retain all existing labeling on the information being disclosed and to provide notice of that required disclosure to applicable persons not later than the fifth business day before the date the information is disclosed.
Honorable Giovanni Capriglione, Chair, House Committee on Delivery of Government Efficiency
FROM:
Jerry McGinty, Director, Legislative Budget Board
IN RE:
HB3112 by Tepper (Relating to the application of the open meetings law and public information law to government information related to certain cybersecurity measures.), As Introduced
No significant fiscal implication to the State is anticipated.
It is assumed that any costs associated with the bill could be absorbed using existing resources.
Local Government Impact
No significant fiscal implication to units of local government is anticipated.
Source Agencies:
242 State Commission on Judicial Conduct, 304 Comptroller of Public Accounts, 313 Department of Information Resources, 320 Texas Workforce Commission, 352 Bond Review Board, 452 Department of Licensing and Regulation, 503 Texas Medical Board, 529 Health and Human Services Commission, 582 Commission on Environmental Quality, 601 Department of Transportation
LBB Staff:
JMc, RStu, THO, NAz
Related Legislation
Explore more bills from this author and on related topics
HB3112 immediately amends the Texas Open Meetings Act and Public Information Act to shield critical infrastructure and cybersecurity data from public disclosure. This law protects vendors and operators by exempting insurance coverage limits, incident reports, and security-specific contracts from open records requests, provided the information is properly categorized and labeled by the business owner. Implementation Timeline Effective Date: June 20, 2025 (Law is currently in effect).
Q
Who authored HB3112?
HB3112 was authored by Texas Representative Carl Tepper during the Regular Session.
Q
When was HB3112 signed into law?
HB3112 was signed into law by Governor Greg Abbott on June 20, 2025.
Q
How urgent is compliance with HB3112?
The compliance urgency for HB3112 is rated as "moderate". Businesses and organizations should review the requirements and timeline to ensure timely compliance.
Q
What is the cost impact of HB3112?
The cost impact of HB3112 is estimated as "low". This may vary based on industry and implementation requirements.
Q
What topics does HB3112 address?
HB3112 addresses topics including city government, city government--general, county government, county government--general and electronic information systems.
Legislative data provided by LegiScanLast updated: November 25, 2025
Need Strategic Guidance on This Bill?
Need help with Government Relations, Lobbying, or compliance? JD Key Consulting has the expertise you're looking for.
