A BILL TO BE ENTITLED

AN ACT

relating to state agency and local government security incident procedures.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 2054.1125, Government Code, is transferred to Subchapter R, Chapter 2054, Government Code, redesignated as Section 2054.603, Government Code, and amended to read as follows:

Sec. 2054.603 [2054.1125]. SECURITY INCIDENT [BREACH] NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT.

(a) In this section:

    (1) "Security incident" means the unauthorized access, disclosure, exposure, modification, or destruction of sensitive personal information, confidential information, or other information the disclosure of which is regulated by law, including:

        (A) a breach ["Breach] of system security as defined [security" has the meaning assigned] by Section 521.053, Business & Commerce Code; and

        (B) ransomware as defined by Section 33.023, Penal Code.

    (2) "Sensitive personal information" has the meaning assigned by Section 521.002, Business & Commerce Code.

(b) A state agency or local government that owns, licenses, or maintains computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law shall, in the event of a security incident [breach or suspected breach of system security or an unauthorized exposure of that information]:

    (1) comply with the notification requirements of Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state; [and]

    (2) not later than 72 [48] hours after the discovery of the security incident [breach, suspected breach, or unauthorized exposure], notify:

        (A) the department, including the chief information security officer, and the Texas Division of Emergency Management; or

        (B) if the security incident [breach, suspected breach, or unauthorized exposure] involves election data, the secretary of state; and

    (3) comply with all department rules relating to security incidents.

(c) Not later than the 10th business day after the date of the eradication, closure, and recovery from a security incident [breach, suspected breach, or unauthorized exposure], a state agency or local government shall notify the department, including the chief information security officer, and the Texas Division of Emergency Management of the details of the security incident [event] and include in the notification an analysis of the cause of the security incident [event].

(d) The department shall make available to state agencies and local governments a secure method for submitting the security incident information required by this section. All information provided under this section is confidential and is not subject to disclosure under Chapter 552.

SECTION 2. This Act takes effect December 1, 2021.