A BILL TO BE ENTITLED

AN ACT

relating to state and local governments requirements to report security incidents to the Department of Information Resources.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

Sec. 2054.1125. SECURITY INCIDENTBREACH NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this section:

(1) "Security incidentBreach of system security" means the actual or suspected unauthorized disclosure, exposure, or modification of sensitive personal information, confidential information, or other regulated information including a breach or suspected breach of system security as definedhas the meaning assigned by Section 521.053, Business & Commerce Code, including ransomware as defined by Section 33.023 Penal Code.

(2) "Sensitive personal information" has the meaning assigned by Section 521.002, Business & Commerce Code.

(b) A state agency or local government that owns, licenses, or maintains computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law shall, in the event of a security incidentbreach or suspected breach of system security or an unauthorized exposure of that information:

(1) comply with the notification requirements of Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state; and

(2) not later than 48 hours after the discovery of the breach, suspected breach, or unauthorized exposure, notify:

(A) the department, including the chief information security officer; or

(B) if the security incidentbreach, suspected breach, or unauthorized exposure involves election data, the secretary of state; and

(3) comply with all rules relating to security incidents adopted by the department.

(c) Not later than the 10th business day after the date of the eradication, closure, and recovery from a security incident breach, suspected breach, or unauthorized exposure, a state agency or local government shall notify the department, including the chief information security officer, of the details of the event and include in the notification an analysis of the cause of the event.

SECTION 2. This Act takes effect immediately if it receives a vote of two-thirds of all the members elected to each house, as provided by Section 39, Article III, Texas Constitution. If this Act does not receive the vote necessary for immediate effect, this Act takes effect September 1, 2021.