Texas State Compliance

Texas public records law

The Public Information Act of Texas (TPIA) is a series of laws designed to guarantee that the public has access to public records of government bodies at all levels in Texas. Texas Government Code, Chapter 552, gives citizens the right to access records at various levels of Texas government, without having to declare a purpose in doing so. Until the law was formalized, the ability of a citizen to gain access to public records was at the discretion of the custodian of the records, except in those cases where records custodians were forbidden to allow access.

The TPIA covers nearly all documents that are in the possession of government agencies in the state that are covered by the law.

Section 552.002 says that information is public if it “is collected, assembled, or maintained under a law or ordinance or in connection with the transaction of official business” by a governmental body or for a governmental body, and the governmental body owns the information or has a right of access to it.
• A document that is labeled as being a draft is public, according to the Texas Supreme Court, in the case of City of Garland v. Dallas Morning News(2000). However, drafts of working papers involved in the preparation of proposed legislation by the state legislature are excluded (§ 552.106).
• The form in which the information is contained is not relevant in determining whether the information is public. The statute specifically mentions a book, paper, letter, document, printout, photograph, film, tape, microfiche, microfilm, photostat, sound recording, map, and drawing and a voice, data, or video representation held in computer memory, but does not exempt other ways of storing information not included in that list.
• The TPIA covers any information in the custody of a covered agency, regardless of how the information came to be in the custody of the agency.
• Information held in the custody of a private contractor doing business with the government may be considered public under TPIA if: • It relates to a governmental body’s official duties.
• The private contractor/consultant acted as the agent of a covered governmental agency in gathering the information.
• The governmental body for whom the private contractor is consulting is entitled to the information.
• Personal notes and e-mail may be open under Texas’ public information act, according to an attorney general’s publication.

Tx Code Ann.Secs552.001 to 552.353

Sanctions for Noncompliance

In an action brought under Section 552.321 or 552.3215, the court “shall assess costs of litigation and reasonable attorney fees incurred by a plaintiff who substantially prevails.” Tex. Gov’t Code § 552.323(a). However, a court may not assess costs and fees against a governmental body if the court finds that the governmental body acted in reasonable reliance on a judgment or court order, an appellate court decision, or a written decision of the Attorney General. Tex. Gov’t Code § 552.323. In determining awardable costs and attorney fees under § 552.324 (in a suit brought by a governmental body seeking to withhold information), the court must consider whether the conduct of the governmental body had a reasonable basis in law and whether the litigation was brought in good faith. Tex. Gov’t Code § 552.323(b).

Section 552.351 provides that a person commits a criminal offense if the person willfully destroys, mutilates, removes without permission, or alters public information. Such an offense is a misdemeanor punishable by a fine of not less than $25 or more than $4,000, or confinement in jail for not less than three days or more than three months, or both. Tex. Gov’t Code § 552.351(b).

An officer of public information or the officer’s agent commits a crime if, with criminal negligence, that person fails or refuses to give access to, or to permit or provide copying of, public information to a requestor. Tex. Gov’t Code § 552.353(a). Such a violation is a misdemeanor punishable by a fine of not more than $1,000, or confinement in jail for not more than six months, or both. Tex. Gov’t Code § 552.353(e).

The cost of litigation

Since 2006, FOIA lawsuits have increased 57% and the cost of defending these lawsuits is millions of dollars.

With Evertel, we provide an efficient, proven, and effective manner to share FOIA documents to those requesting. Once your legal experts provide the policy, the executives auditing your agency’s platform can immediately release the approved documents in minutes, avoiding multi-year litigations and expensive legal costs.

Criminal Justice Information Services

CJIS Compliance

The Federal Bureau of Investigation’s CJIS Security Policy sets the minimum security requirements to provide an acceptable level of assurance to protect the full lifecycle of Criminal Justice Information. Agencies using cloud-based services are required to make informed decisions on whether or not the cloud provider can offer services that maintain compliance with the requirements of the CJIS Security Policy.

The CJIS Security Policy integrates presidential and FBI directives, federal laws, and the criminal justice community’s Advisory Policy Board decisions, along with guidance from the National Institute of Standards and Technology (NIST). The Policy is periodically updated to reflect evolving security requirements.

The CJIS Security Policy defines 13 areas that private contractors such as cloud service providers must evaluate to determine if their use of cloud services can be consistent with CJIS requirements. These areas correspond closely to NIST 800-53, which is also the basis for the Federal Risk and Authorization Management Program (FedRAMP) program.

The key agency requirements of CJIS compliance are summarized here:

Evertel and CJIS Policy
Evertel signs the CJIS Security Addendum in states with CJIS Information Agreements. These tell state law enforcement authorities responsible for compliance with CJIS Security Policy how Evertel’s cloud security controls help protect the full lifecycle of data and ensure appropriate background screening of operating personnel with access to CJI. Evertel continues to work with state governments to enter into CJIS Information Agreements.

View Evertel CJIS compliance matrix
Information Exchange Agreements

If you’re sharing CJIS-protect data with another organization, you must have a written agreement between the organizations that you will both comply with CJIS security standards.

Security Awareness Training

Any employees handling CJIS data must have security training within the first six months of being assigned to their role and additional training every other year in the future.

Incident Response

You must have safeguards in place to detect and contain any data breaches. You also need data recovery measures in place. Any data breach must be reported to the appropriate authorities.

Auditing and Accountability

You should implement audit controls to monitor who is accessing data, when they are accessing it, and for what purpose they are accessing it. This information should be logged for any future audits.

Access Control

Under CJIS policy area 5, you must have the ability to control who can access your data. This can include controlling who can access, upload, download, transfer, and delete secure data. It also impacts your login management systems, remote access controls, and more.

Physical Protection

The physical location for stored CJIS data must be secured at all times, preventing access from unauthorized persons.

System and Communications Protection and Information Integrity

Not only should your data be protected, but your organization’s systems and communications should also be protected, as well. This policy section outlines the steps you must take to protect your systems, like encryption, network security, data breach detection measures, and more.

Formal Audits

If you use and manage CJIS data, you are subject to audits a minimum every three years by either the CJIS Audit Unit (CAU) or the CJIS Systems Agency (CSA) for your state.

Personnel Security

Everyone associated with your organization – from employees to contractors and subcontractors – must submit to security screenings and national fingerprint-based record checks.

Mobile Devices

Even your employees’ mobile devices (like smartphones and tablets) are subject to CJIS oversight. You must establish usage restrictions, and authorize, monitor, and control access to your systems via these devices.

Health Insurance Portability and Accountability Act

HIPAA Compliance

It is important to note upfront that HIPAA compliance requirements are primarily focused on health providers. Having said that, government agencies, and in particular 1st Responders, are typically transmitting HIPAA data daily and in non-compliant fashions. In today’s litigious world, it makes sense to comply with HIPAA requirements and remove or minimize the risk.

What's the risk?

HIPAA violations are expensive. The penalties for noncompliance are based on the level of negligence and can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges that can result in jail time.

Fines increase with the number of patients and the amount of neglect. The lowest fines start with a breach where you didn’t know and, by exercising reasonable diligence, would not have known that you violated a provision. At the other end of the spectrum are fines levied where a breach is due to negligence and not corrected in 30 days. In legalese, this is known as mens rea (state of mind). So fines increase in severity from no mens rea (didn’t know) to assumed mens rea (willful neglect).

The fines and charges are broken down into 2 major categories: Reasonable Cause and Willful Neglect. Reasonable Cause ranges from $100 to $50,000 per incident and does not involve any jail time. Willful Neglect ranges from $10,000 to $50,000 for each incident and can result in criminal charges.

Unencrypted data

While encryption is an addressable (rather than required) specification, it does not mean optional. The vast majority of data breaches are due to stolen or lost data that was unencrypted. When in doubt, you should implement the addressable implementation specifications of the Security Rule. Most of them are best practices.

Employee error

Breaches can occur when employees lose unencrypted portable devices, mistakenly send PHI to vendors who post that information online and disclose personally identifiable, sensitive information on social networks.

These are all examples from actual cases. Employee training and adherence to security policies and procedures are extremely important.

Data stored on devices

Almost half of all data breaches are the result of theft. When laptops, smartphones, etc. are unencrypted the risk of a breach increases considerably. With Evertel, your data is safely stored off-premise; so that a lost or stolen mobile phone or laptop has no data on it and hence and no PHI is compromised.

Relevant articles & litigation


Ready to protect your agency
from compliance lawsuits?

What’s the cost of not taking the steps necessary to ensure your Department’s communications are complaint?

No obligation 30-day free trial