BILL ANALYSIS

S.B. 271

By: Johnson

State Affairs

Committee Report (Unamended)

BACKGROUND AND PURPOSE

Cybersecurity attacks are increasing, particularly against local governments. While state agencies are required to report these incidents to the Department of Information Resources (DIR), which oversees cybersecurity for the State of Texas, local governments are not. As such, DIR only learns of incidents at the local level when local governments choose to report them. This is concerning because the state cannot respond to incidents or track accurate data when they are not reported to DIR. S.B. 271 seeks to ensure that cybersecurity incidents at all levels of government in Texas are reported to DIR so that the state has the ability to track patterns, collect accurate data, and help mitigate damage to governmental entities experiencing such a security incident.

CRIMINAL JUSTICE IMPACT

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

RULEMAKING AUTHORITY

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

ANALYSIS

S.B. 271 amends the Government Code to revise the scope of provisions governing security breach notification procedures for applicable state agencies as follows:

· expands the incidents that require notification to include all security incidents, defined by the bill as a breach or suspected breach of system security and the introduction of ransomware into a computer, computer network, or computer system;

· makes the provisions applicable also to local governments that own, license, or maintain computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law;

· requires a state agency or local government subject to the notification procedures to comply with all Department of Information Resources rules relating to reporting security incidents in the event of such an incident; and

· makes the provisions inapplicable to a security incident that a local government is required to report to ERCOT.

EFFECTIVE DATE

September 1, 2023.