By: Shaheen H.B. No. 4395
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to state and local governments requirements to report
  security incidents to the Department of Information Resources.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         Sec. 2054.1125.  SECURITY INCIDENT BREACH NOTIFICATION BY
  STATE AGENCY OR LOCAL GOVERNMENT. (a) In this section:
               (1)  "Security incident Breach of system security"
  means the actual or suspected unauthorized disclosure, exposure, or
  modification of sensitive personal information, confidential
  information, or other regulated information including a breach or
  suspected breach of system security as defined has the meaning
  assigned by Section 521.053, Business & Commerce Code, including
  ransomware as defined by Section 33.023, Penal Code.
               (2)  "Sensitive personal information" has the meaning
  assigned by Section 521.002, Business & Commerce Code.
         (b)  A state agency or local government that owns, licenses,
  or maintains computerized data that includes sensitive personal
  information, confidential information, or information the
  disclosure of which is regulated by law shall, in the event of a
  security incident breach or suspected breach of system security or
  an unauthorized exposure of that information:
               (1)  comply with the notification requirements of
  Section 521.053, Business & Commerce Code, to the same extent as a
  person who conducts business in this state; and
               (2)  not later than 48 hours after the discovery of the
  breach, suspected breach, or unauthorized exposure, notify:
                     (A)  the department, including the chief
  information security officer; or
                     (B)  if the security incident breach, suspected
  breach, or unauthorized exposure involves election data, the
  secretary of state; and
               (3)  comply with all rules relating to security
  incidents adopted by the department.
         (c)  Not later than the 10th business day after the date of
  the eradication, closure, and recovery from a security incident
  breach, suspected breach, or unauthorized exposure, a state agency
  or local government shall notify the department, including the
  chief information security officer, of the details of the event and
  include in the notification an analysis of the cause of the event.
         SECTION 2.  This Act takes effect immediately if it receives
  a vote of two-thirds of all the members elected to each house, as
  provided by Section 39, Article III, Texas Constitution. If this
  Act does not receive the vote necessary for immediate effect, this
  Act takes effect September 1, 2021.