Senate amendment to the 3rd edition makes a technical change in GS 143-805(d).
Bill Summaries: S83 (2023-2024 Session)
Summary date: Mar 21 2023 - View summary
Summary date: Mar 7 2023 - View summary
Senate committee substitute to the 2nd edition makes the following changes. Adds officials or employees conducting or participating in an externally funding research project at one of the UNC constituent institutions to the list of individuals exempt from the bar on high-risk platforms on government devices under GS 143-805. Makes technical and clarifying changes.
Summary date: Feb 21 2023 - View summary
Senate committee substitute to the 1st edition deletes the content of the 1st edition and replaces it with the following text. Makes conforming changes to the act's titles.
Enacts new GS 143-805 to Article 84 of GS Chapter 143 (various technology regulations) governing high-risk platforms on government networks and devices. Defines network and device. Also defines high risk platform as the following applications, websites, and other products that pose an unacceptable level of cybersecurity threat to data: (1) TikTok or any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited, (2) WeChat or any successor application or service developed or provided by Tencent Holdings Limited or an entity owned by Tencent Holdings Limited, (3) Telegram or any successor application or service developed or provided by Telegram FZ LLC or an entity owned by Telegram FZ LLC.
Defines public agency as any of the following: (1) all agencies and constitutional officers of the state, including all boards, departments, divisions, constituent institutions of The University of North Carolina, community colleges, and other units of government in the executive branch; (2) units of local government as defined in GS 159-7 (a municipal corporation that is not subject to the State Budget Act and that has the power to levy taxes, including a consolidated city-county, and all boards, agencies, commissions, authorities, and institutions thereof that are not municipal corporations); (3) public authorities as defined in GS 159-7 (a municipal corporation (other than a unit of local government) that is not subject to the State Budget Act or a local governmental authority, board, commission, council, or agency that (i) is not a municipal corporation; (ii) is not subject to the State Budget Act; and (iii) operates on an area, regional, or multi-unit basis, and the budgeting and accounting systems of which are not fully a part of the budgeting and accounting systems of a unit of local government); and (4) public school units as defined in GS 115C-5 (local school administrative units, charter schools, and regional schools).
Bars public agencies, the judicial branch, and the legislative branch from using any high risk platform on the entity's network. Bars public agencies, the judicial branch, and the legislative branch from permitting their employees, elected officials, or appointees to install, use, or otherwise access a high risk platform on a device owned, leased, maintained, or otherwise controlled by any of these entities. Bars public agencies from permitting their students to access a high risk platform as described above on a device owned, leased, maintained, or otherwise controlled by the public agency.
Exempts officials or employees engaged in certain activities as part of their official duties (investigating or prosecuting crimes; identifying security or cybersecurity threats; protecting human life; establishing, testing, and maintaining firewalls, protocols, and otherwise implementing the statute; and participating in judicial or quasi-judicial proceedings) from the ban on installing, using, or otherwise accessing high risk platforms. Specifies that the new statute does not apply to users of an authorized account paying for use of communications services (cable, video programming, telecommunications, broadband, or high-speed Internet access service to the public, or any sector of the public, for a fee) under Article 16A of Chapter 160A of the General Statutes, including those communications services exempted under GS 160A-340.2(b) (communication services to an unserved area) or (c) (a city or joint agency providing communications services under certain conditions).
Specifies annual reporting requirements for public agencies to be submitted to the Chief Information Officer (CIO) by August 1 on the number of incidences of unauthorized uses and attempted uses of a high risk platform on that public agency's network; whether those unauthorized uses were by an employee, elected official, appointee, or student of that public agency; and whether any of those unauthorized uses were on a device owned, leased, maintained, or otherwise controlled by that public agency. Requires CIO to submit a compilation of that information to the specified NCGA committee.
Requires public agencies and the judicial and legislative branches to each adopt a policy governing the use of its network and the use of high risk platforms on devices owned, leased, maintained, or otherwise controlled by these entities by July 1, 2023.
Requires employees, elected officials, or appointees of a public agency, the judicial branch, and the legislative branch who have a high risk platform on a device owned, leased, maintained, or otherwise controlled by these entities to remove, delete, or uninstall the high risk device no later than April 15, 2023. Requires students of public agencies to do the same.
Amends GS 14-456 (making it criminal offense to deny computer services to authorized users) and GS 14-456.1 (making it a criminal offense to deny government computer services to authorized users) to exempt the denial of high-risk platforms as set forth in new GS 143-805 from these laws.
Requires CIO to publish recommendations for appropriate access to high risk platforms for the purposes authorized by the new GS 143-805 by no later than April 15, 2023.
Effective April 1, 2023.
Summary date: Feb 8 2023 - View summary
Enacts new GS 143-162.10 which provides as follows. Defines covered application as (1) TikTok or any successor application or service developed or provided by ByteDance Limited or an entity owned by ByteDance Limited or (2) WeChat or any successor application or service developed or provided by Tencent Holdings Limited or an entity owned by Tencent Holdings Limited. Prohibits State employees and employees of a local political subdivision of the State from downloading or using a covered application or accessing the website of a covered application on or using any government-issued device (cellular phone, desktop computer, laptop, or other electronic device capable of connecting to the Internet issued by the State or by a local political subdivision of the State) or information technology. Prohibits a person contracting with the State, or with a local political subdivision of the State, from accessing, downloading or using a covered application on equipment owned or leased by the State or by a local political subdivision of the State. Prohibits a person from accessing, downloading, or using a covered application on any government-issued device or during participation in any State-funded program. Requires state agencies and local political subdivisions of the State to restrict access to the websites of covered applications on government-issued devices and information technology. Defines information technology as defined by GS 143B-1320(a)(11) (set of tools, processes, and methodologies, including, but not limited to, coding and programming; data communications, data conversion, and data analysis; architecture; planning; storage and retrieval; systems analysis and design; systems control; mobile applications; and equipment and services employed to collect, process, and present information to support the operation of an organization. Also includes office automation, multimedia, telecommunications, and any personnel and support personnel required for planning and operations). The term also includes (1) any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by a State-funded program, whether the equipment is used by the State-funded program directly or is used by a contractor under a contract with the State-funded program that requires the use of that equipment in the performance of a service or the furnishing of a product and (2) computers, mobile devices, and virtual machines as well as ancillary equipment, peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including support services), and related resources.
Requires the removal, deletion, and uninstallation of these applications no later than 30 days after the act is enacted.
Specifies that the act does not prevent prosecutorial and law enforcement agencies from accessing the applications covered by this act for prosecutorial, law enforcement, and investigative purposes. Requires the Departments of Information Technology and Public Safety, by March 1, 2023, to develop jointly the guidelines necessary for prosecutorial and law enforcement agency access to covered applications along with the risk mitigation actions necessary for such use.