| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to homeland security, including the creation of the Texas |
|
|
Homeland Security Division in the Department of Public Safety, the |
|
|
operations of the Homeland Security Council, the creation of a |
|
|
homeland security fusion center, and the duties of state agencies |
|
|
and local governments in preparing for, reporting, and responding |
|
|
to cybersecurity breaches; providing administrative penalties; |
|
|
creating criminal offenses. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. (a) The legislature finds that the federal |
|
|
government's inadequate border security measures, the trafficking |
|
|
of fentanyl across the borders of this state, Central America's |
|
|
turn towards authoritarian regimes, China's hostile rhetoric |
|
|
regarding Taiwan, and Russia's invasion of Ukraine create an |
|
|
ever-changing threat landscape to the security of this state. |
|
|
(b) Due to these continuous threats, this state must |
|
|
continue taking serious measures to secure its critical |
|
|
infrastructure, cyber networks, and border and monitor security |
|
|
threats from hostile nations and non-state actors. |
|
|
(c) These present and future threats require this state to |
|
|
create a unified security organization under the Department of |
|
|
Public Safety of the State of Texas whose sole mission is to |
|
|
safeguard the people and infrastructure that make this state great. |
|
|
(d) The Texas Homeland Security Division, as established by |
|
|
this Act, will unify this state's security responsibilities into |
|
|
one entity that reports directly to the governor and the public |
|
|
safety director of the Department of Public Safety of the State of |
|
|
Texas. |
|
|
SECTION 2. Chapter 411, Government Code, is amended by |
|
|
adding Subchapter S to read as follows: |
|
|
SUBCHAPTER S. TEXAS HOMELAND SECURITY DIVISION |
|
|
Sec. 411.551. DEFINITIONS. In this subchapter: |
|
|
(1) "Division" means the Texas Homeland Security |
|
|
Division established in the department under this subchapter. |
|
|
(2) "Division director" means the director of the |
|
|
Texas Homeland Security Division appointed under this subchapter. |
|
|
Sec. 411.552. ESTABLISHMENT; DIRECTOR; EMPLOYEES. (a) The |
|
|
Texas Homeland Security Division is established in the department. |
|
|
(b) Notwithstanding Section 411.006(a)(6), the public |
|
|
safety director shall appoint, with the advice and consent of the |
|
|
governor, a homeland security director to manage the division. |
|
|
(c) The division director may hire employees as necessary to |
|
|
carry out the duties of the division. |
|
|
Sec. 411.553. GENERAL DUTIES. The division shall, in |
|
|
consultation with the governor: |
|
|
(1) develop and implement strategic homeland security |
|
|
operations; and |
|
|
(2) unify governmental activities and |
|
|
responsibilities related to homeland security under the direction |
|
|
of the division. |
|
|
Sec. 411.554. BORDER SECURITY: INTELLIGENCE. (a) The |
|
|
division shall coordinate with the Texas Military Department, state |
|
|
and local law enforcement agencies, federal agencies, and any other |
|
|
entity the division determines appropriate to secure the |
|
|
international border. |
|
|
(b) In coordinating with the entities described by |
|
|
Subsection (a), the division shall: |
|
|
(1) collect, analyze, and provide intelligence for |
|
|
each major operation to secure the international border, including |
|
|
consulting with the Texas Military Department and other appropriate |
|
|
agencies that collect, analyze, or provide intelligence to the |
|
|
governor, the department, and other entities deployed on major |
|
|
operations; |
|
|
(2) make recommendations on essential tasks and |
|
|
desired results for each element of a major operation; |
|
|
(3) provide augmented equipment and personnel for a |
|
|
major operation; and |
|
|
(4) conduct periodic internal reviews of |
|
|
interoperability among agencies deployed on a major operation and |
|
|
make available reports on subsequent efforts to improve |
|
|
interoperability. |
|
|
(c) Each month, the division shall provide a report to the |
|
|
governor on the major operations conducted by this state to secure |
|
|
the international border. |
|
|
Sec. 411.555. BORDER SECURITY: GRANT RECOMMENDATIONS. The |
|
|
division shall advise the criminal justice division of the |
|
|
governor's office on the allocation of grants under the prosecution |
|
|
of border crime grant program established under Section 772.0071. |
|
|
Sec. 411.556. CRITICAL INFRASTRUCTURE AND POWER GRID. (a) |
|
|
The division shall coordinate with federal, state, and local |
|
|
agencies, and any other entity the division determines appropriate, |
|
|
to protect the critical infrastructure of this state and the ERCOT |
|
|
power grid from remote and physical attacks, including: |
|
|
(1) oil and gas infrastructure, including: |
|
|
(A) oil, gas, and chemical pipelines; |
|
|
(B) oil and gas drilling sites; and |
|
|
(C) oil, gas, and chemical production |
|
|
facilities; |
|
|
(2) electrical power generating facilities, |
|
|
substations, switching stations, and electrical control centers; |
|
|
(3) petroleum and alumina refineries and chemical, |
|
|
polymer, and rubber manufacturing facilities; and |
|
|
(4) water intake structures, water treatment |
|
|
facilities, wastewater treatment plants, and pump stations. |
|
|
(b) In coordinating the efforts of this state to secure |
|
|
critical infrastructure and the ERCOT power grid, the division |
|
|
shall cooperate with the Cybersecurity and Infrastructure Security |
|
|
Agency, the United States Department of Energy, and the Homeland |
|
|
Security Fusion Center. |
|
|
Sec. 411.557. CRITICAL INFRASTRUCTURE: INVESTIGATION OF |
|
|
CERTAIN PURCHASES. The division shall investigate any purchases of |
|
|
substantial portions of land or infrastructure in this state by a |
|
|
designated country, as that term is defined by Section 2274.0101, |
|
|
as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, |
|
|
Regular Session, 2021. |
|
|
Sec. 411.558. PROHIBITED EQUIPMENT REPORTS. At least |
|
|
annually, the division shall issue a report to the governor, |
|
|
lieutenant governor, members of the legislature, and all state |
|
|
agencies identifying equipment that the United States Department of |
|
|
Defense has prohibited entities that contract with the department |
|
|
of defense from using. |
|
|
Sec. 411.559. CYBERSECURITY: WEBSITE FOR REPORTING THREATS |
|
|
AND ATTACKS. The division shall develop a secure Internet website |
|
|
that is accessible by state agencies and local governments and |
|
|
permits those entities to report to the division suspected |
|
|
cybersecurity threats and attacks against those entities. |
|
|
Sec. 411.560. BUDGET REQUESTS. (a) Not later than April 1 |
|
|
of each even-numbered year, the division director shall submit to |
|
|
the public safety director a request for appropriations that |
|
|
estimates the cost of the division's operations. |
|
|
(b) A request for appropriations described by Subsection |
|
|
(a) may not be aggregated with any other appropriation request made |
|
|
by the department when the request is submitted to a legislative |
|
|
committee with jurisdiction over appropriations. |
|
|
SECTION 3. Section 421.021, Government Code, is amended by |
|
|
adding Subsection (a-1) to read as follows: |
|
|
(a-1) The Homeland Security Council is composed of: |
|
|
(1) the governor or the governor's designee; |
|
|
(2) the lieutenant governor or the lieutenant |
|
|
governor's designee; |
|
|
(3) the director of the Texas Homeland Security |
|
|
Division of the Department of Public Safety; and |
|
|
(4) other persons appointed by the governor or |
|
|
lieutenant governor. |
|
|
SECTION 4. Section 421.023, Government Code, is amended by |
|
|
amending Subsections (c) and (d) and adding Subsection (f) to read |
|
|
as follows: |
|
|
(c) The governor shall designate the director of the Texas |
|
|
Homeland Security Division of the Department of Public Safety as |
|
|
the presiding officer of the council. |
|
|
(d) The council shall meet at the call of the presiding |
|
|
officer [governor] and shall meet at least once each quarter in a |
|
|
calendar year. |
|
|
(f) The presiding officer shall appoint a secretary, who may |
|
|
be a member of the council, to record meeting minutes and |
|
|
attendance. |
|
|
SECTION 5. Section 421.024, Government Code, is amended to |
|
|
read as follows: |
|
|
Sec. 421.024. DUTIES. The council shall advise the |
|
|
governor on: |
|
|
(1) the implementation of the governor's homeland |
|
|
security strategy by state and local agencies and provide specific |
|
|
suggestions for helping those agencies implement the strategy; |
|
|
[and] |
|
|
(2) recommendations from the Texas Homeland Security |
|
|
Division of the Department of Public Safety on improving the |
|
|
security of this state; and |
|
|
(3) other matters related to the planning, |
|
|
development, coordination, and implementation of initiatives to |
|
|
promote the governor's homeland security strategy. |
|
|
SECTION 6. Chapter 421, Government Code, is amended by |
|
|
adding Subchapter E-1 to read as follows: |
|
|
SUBCHAPTER E-1. HOMELAND SECURITY FUSION CENTER |
|
|
Sec. 421.0901. DEFINITIONS. In this subchapter: |
|
|
(1) "Board" means the oversight board of the homeland |
|
|
security fusion center. |
|
|
(2) "Director" means the director of the Texas |
|
|
Homeland Security Division of the Department of Public Safety. |
|
|
Sec. 421.0902. HOMELAND SECURITY FUSION CENTER. (a) From |
|
|
funds available for this purpose, the director may: |
|
|
(1) establish the homeland security fusion center; and |
|
|
(2) hire employees to operate the homeland security |
|
|
fusion center. |
|
|
(b) The homeland security fusion center shall: |
|
|
(1) collect, receive, generate, and disseminate |
|
|
intelligence critical for homeland security policy and homeland |
|
|
security activities in this state, including the issuance of |
|
|
relevant threat warnings; |
|
|
(2) promote and improve intelligence sharing: |
|
|
(A) among public safety and public service |
|
|
agencies at the federal, state, local, and tribal levels; and |
|
|
(B) with entities in the private sector operating |
|
|
critical infrastructure and other key resources; |
|
|
(3) otherwise support federal, state, local, and |
|
|
tribal agencies and private organizations in preventing, preparing |
|
|
for, responding to, and recovering from homeland security threats |
|
|
and attacks; and |
|
|
(4) maintain intelligence collected, received, or |
|
|
generated in compliance with applicable state and federal law and |
|
|
in a secure manner, including: |
|
|
(A) providing appropriate security for a |
|
|
facility that contains sensitive information; |
|
|
(B) compartmentalizing sensitive information; |
|
|
and |
|
|
(C) adopting appropriate internal procedures for |
|
|
the security of the facility and the information. |
|
|
Sec. 421.0903. OVERSIGHT BOARD; QUALIFICATIONS; RULES. (a) |
|
|
If the homeland security fusion center is established under Section |
|
|
421.0902, there is also established an oversight board that shall |
|
|
govern the operations of the homeland security fusion center. |
|
|
(b) The board is composed of: |
|
|
(1) the director; |
|
|
(2) the adjutant general; and |
|
|
(3) other persons appointed by the director. |
|
|
(c) The director serves as the chair of the board and the |
|
|
adjutant general serves as the vice chair. |
|
|
(d) A member of the board must have and maintain a secret |
|
|
security clearance granted by the United States government. A |
|
|
person who has applied for a secret security clearance and has been |
|
|
granted an interim secret security clearance may serve as a member |
|
|
of the board but may not be given access to classified information, |
|
|
participate in a briefing involving classified information, or vote |
|
|
on an issue involving classified information before the person is |
|
|
granted a secret security clearance. |
|
|
(e) The board may adopt rules, policies, and procedures for |
|
|
the operation of the homeland security fusion center. |
|
|
Sec. 421.0904. GIFTS, GRANTS, AND DONATIONS; DEDICATED |
|
|
ACCOUNT. (a) The homeland security fusion center may accept gifts, |
|
|
grants, and donations of any kind from any public or private source, |
|
|
including services or property, for the purpose of paying the costs |
|
|
to establish, maintain, or operate the homeland security fusion |
|
|
center. |
|
|
(b) The homeland security fusion center shall remit all |
|
|
amounts received under this section to the comptroller. The |
|
|
comptroller shall deposit the amounts to the credit of an account in |
|
|
the general revenue fund that may be appropriated only to the |
|
|
Department of Public Safety to provide funding for establishing, |
|
|
maintaining, or operating the homeland security fusion center. |
|
|
(c) The board must approve expenditures made for the |
|
|
purposes described by Subsection (b). |
|
|
Sec. 421.0905. ADMINISTRATIVE SUPPORT. The Texas Homeland |
|
|
Security Division of the Department of Public Safety shall provide |
|
|
administrative support for the homeland security fusion center and |
|
|
the board, including securely maintaining the records of the board. |
|
|
SECTION 7. Section 2054.077(d), Government Code, is amended |
|
|
to read as follows: |
|
|
(d) The information security officer shall provide an |
|
|
electronic copy of the vulnerability report on its completion to: |
|
|
(1) the Texas Homeland Security Division of the |
|
|
Department of Public Safety; |
|
|
(2) the department; |
|
|
(3) [(2)] the state auditor; |
|
|
(4) [(3)] the agency's executive director; |
|
|
(5) [(4)] the agency's designated information |
|
|
resources manager; and |
|
|
(6) [(5)] any other information technology security |
|
|
oversight group specifically authorized by the legislature to |
|
|
receive the report. |
|
|
SECTION 8. Section 2054.1125, Government Code, is amended |
|
|
by amending Subsection (b) and adding Subsections (d) and (e) to |
|
|
read as follows: |
|
|
(b) A state agency that owns, licenses, or maintains |
|
|
computerized data that includes sensitive personal information, |
|
|
confidential information, or information the disclosure of which is |
|
|
regulated by law shall, in the event of a breach or suspected breach |
|
|
of system security or an unauthorized exposure of that information: |
|
|
(1) comply with the notification requirements of |
|
|
Section 521.053, Business & Commerce Code, to the same extent as a |
|
|
person who conducts business in this state; and |
|
|
(2) not later than 48 hours after the discovery of the |
|
|
breach, suspected breach, or unauthorized exposure, notify: |
|
|
(A) the Texas Homeland Security Division of the |
|
|
Department of Public Safety; |
|
|
(B) the department, including the chief |
|
|
information security officer; and |
|
|
(C) [or (B)] if the breach, suspected breach, or |
|
|
unauthorized exposure involves election data, the secretary of |
|
|
state. |
|
|
(d) The Texas Homeland Security Division of the Department |
|
|
of Public Safety shall notify the governor of any breach or |
|
|
suspected breach reported to the division under this section. |
|
|
(e) The administrative head of a state agency commits an |
|
|
offense if the person intentionally or knowingly fails to notify |
|
|
the Texas Homeland Security Division of the Department of Public |
|
|
Safety of a breach, suspected breach, or unauthorized exposure, as |
|
|
required by Subsection (b)(2)(A). An offense under this subsection |
|
|
is a Class C misdemeanor. |
|
|
SECTION 9. Section 2054.133(f), Government Code, is amended |
|
|
to read as follows: |
|
|
(f) Not later than November 15 of each even-numbered year, |
|
|
the department shall submit a written report to the governor, the |
|
|
lieutenant governor, and each standing committee of the legislature |
|
|
with primary jurisdiction over matters related to the department |
|
|
evaluating information security for this state's information |
|
|
resources. In preparing the report, the department shall consider |
|
|
the information security plans submitted by state agencies under |
|
|
this section, any vulnerability reports submitted under Section |
|
|
2054.077, any relevant information provided by the Texas Homeland |
|
|
Security Division of the Department of Public Safety, and other |
|
|
available information regarding the security of this state's |
|
|
information resources. The department shall omit from any written |
|
|
copies of the report information that could expose specific |
|
|
vulnerabilities in the security of this state's information |
|
|
resources. |
|
|
SECTION 10. Section 2054.511, Government Code, is amended |
|
|
to read as follows: |
|
|
Sec. 2054.511. CYBERSECURITY COORDINATOR. (a) The |
|
|
executive director shall designate an employee of the department as |
|
|
the state cybersecurity coordinator to oversee cybersecurity |
|
|
matters for this state. |
|
|
(b) The director of the Texas Homeland Security Division of |
|
|
the Department of Public Safety and the cybersecurity coordinator |
|
|
shall jointly improve the efficacy and efficiency of this state's |
|
|
response to and investigations of cyber attacks occurring in this |
|
|
state. |
|
|
SECTION 11. Section 2054.512(b), Government Code, is |
|
|
amended to read as follows: |
|
|
(b) The cybersecurity council must include: |
|
|
(1) one member who is an employee of the office of the |
|
|
governor; |
|
|
(2) one member of the senate appointed by the |
|
|
lieutenant governor; |
|
|
(3) one member of the house of representatives |
|
|
appointed by the speaker of the house of representatives; |
|
|
(4) the director of the Texas Homeland Security |
|
|
Division of the Department of Public Safety; |
|
|
(5) one member who is an employee of the Elections |
|
|
Division of the Office of the Secretary of State; and |
|
|
(6) [(5)] additional members appointed by the state |
|
|
cybersecurity coordinator, including representatives of |
|
|
institutions of higher education and private sector leaders. |
|
|
SECTION 12. Section 2054.515(b), Government Code, as |
|
|
amended by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the |
|
|
87th Legislature, Regular Session, 2021, is reenacted and amended |
|
|
to read as follows: |
|
|
(b) Not later than December 1 of the year [November 15 of |
|
|
each even-numbered year] in which a state agency conducts the |
|
|
assessment under Subsection (a) or the 60th day after the date the |
|
|
agency completes the assessment, whichever occurs first, the agency |
|
|
shall report the results of the assessment to: |
|
|
(1) the Texas Homeland Security Division of the |
|
|
Department of Public Safety; |
|
|
(2) the department; and |
|
|
(3) [(2)] on request, the governor, the lieutenant |
|
|
governor, and the speaker of the house of representatives. |
|
|
SECTION 13. Section 2054.518(a), Government Code, is |
|
|
amended to read as follows: |
|
|
(a) In consultation with the Texas Homeland Security |
|
|
Division of the Department of Public Safety, the [The] department |
|
|
shall develop a plan to address cybersecurity risks and incidents |
|
|
in this state. The department may enter into an agreement with a |
|
|
national organization, including the National Cybersecurity |
|
|
Preparedness Consortium, to support the department's efforts in |
|
|
implementing the components of the plan for which the department |
|
|
lacks resources to address internally. The agreement may include |
|
|
provisions for: |
|
|
(1) providing technical assistance services to |
|
|
support preparedness for and response to cybersecurity risks and |
|
|
incidents; |
|
|
(2) conducting cybersecurity simulation exercises for |
|
|
state agencies to encourage coordination in defending against and |
|
|
responding to cybersecurity risks and incidents; |
|
|
(3) assisting state agencies in developing |
|
|
cybersecurity information-sharing programs to disseminate |
|
|
information related to cybersecurity risks and incidents; and |
|
|
(4) incorporating cybersecurity risk and incident |
|
|
prevention and response methods into existing state emergency |
|
|
plans, including continuity of operation plans and incident |
|
|
response plans. |
|
|
SECTION 14. Subchapter F, Chapter 2270, Government Code, is |
|
|
amended by adding Section 2270.0254 to read as follows: |
|
|
Sec. 2270.0254. ADMINISTRATIVE PENALTY. The Department of |
|
|
Public Safety may impose an administrative penalty in the same |
|
|
manner and using the same procedures as Subchapter R, Chapter 411, |
|
|
against a person who violates this chapter. |
|
|
SECTION 15. Chapter 2274, Government Code, as added by |
|
|
Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular |
|
|
Session, 2021, is amended by adding Section 2274.0104 to read as |
|
|
follows: |
|
|
Sec. 2274.0104. ADMINISTRATIVE PENALTY. The Department of |
|
|
Public Safety may impose an administrative penalty in the same |
|
|
manner and using the same procedures as Subchapter R, Chapter 411, |
|
|
against a person who violates this chapter. |
|
|
SECTION 16. Section 205.010(a), Local Government Code, is |
|
|
amended by adding Subdivision (1-a) to read as follows: |
|
|
(1-a) "Local government" means a municipality, |
|
|
county, special district or authority, or any other political |
|
|
subdivision of this state. |
|
|
SECTION 17. Section 205.010, Local Government Code, is |
|
|
amended by adding Subsections (c), (d), and (e) to read as follows: |
|
|
(c) In addition to notifying the attorney general under |
|
|
Section 521.053, Business & Commerce Code, of a breach of system |
|
|
security, the local government shall report the breach to the Texas |
|
|
Homeland Security Division of the Department of Public Safety. The |
|
|
division shall notify the governor of a breach of system security |
|
|
reported to the division under this section. |
|
|
(d) Not later than the 10th business day after the date of |
|
|
the eradication, closure, and recovery from a breach, a local |
|
|
government shall notify the Department of Information Resources, |
|
|
including the chief information security officer, of the details of |
|
|
the event and include in the notification an analysis of the cause |
|
|
of the event. |
|
|
(e) The administrative head of a local government commits an |
|
|
offense if the person intentionally or knowingly fails to notify |
|
|
the Texas Homeland Security Division of the Department of Public |
|
|
Safety of a breach of system security as required by Subsection (c). |
|
|
An offense under this subsection is a Class C misdemeanor. |
|
|
SECTION 18. (a) Section 421.021(a), Government Code, as |
|
|
amended by Chapters 93 (S.B. 686), 616 (S.B. 1393), and 1217 (S.B. |
|
|
1536), Acts of the 83rd Legislature, Regular Session, 2013, is |
|
|
repealed. |
|
|
(b) Section 421.021(c), Government Code, is repealed. |
|
|
SECTION 19. As soon as practicable after the Texas Homeland |
|
|
Security Division of the Department of Public Safety of the State of |
|
|
Texas is established, the division shall notify each state agency |
|
|
and local government of the requirements to notify the division of a |
|
|
breach of system security under Section 2054.1125, Government Code, |
|
|
as amended by this Act, and Section 205.010, Local Government Code, |
|
|
as amended by this Act, including the criminal penalties that may be |
|
|
imposed for failure to comply with those requirements. |
|
|
SECTION 20. It is the intent of the 88th Legislature, |
|
|
Regular Session, 2023, that the amendments made by this Act be |
|
|
harmonized with another Act of the 88th Legislature, Regular |
|
|
Session, 2023, relating to nonsubstantive additions to and |
|
|
corrections in enacted codes. |
|
|
SECTION 21. This Act takes effect September 1, 2023. |