| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to state agency and local government security incident |
|
|
procedures. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 2054.1125, Government Code, is |
|
|
transferred to Subchapter R, Chapter 2054, Government Code, |
|
|
redesignated as Section 2054.603, Government Code, and amended to |
|
|
read as follows: |
|
|
Sec. 2054.603 [2054.1125]. SECURITY INCIDENT [BREACH] |
|
|
NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this |
|
|
section: |
|
|
(1) "Security incident" means: |
|
|
(A) a breach or suspected breach ["Breach] of |
|
|
system security as defined [security" has the meaning assigned] by |
|
|
Section 521.053, Business & Commerce Code; and |
|
|
(B) the introduction of ransomware, as defined by |
|
|
Section 33.023, Penal Code, into a computer, computer network, or |
|
|
computer system. |
|
|
(2) "Sensitive personal information" has the meaning |
|
|
assigned by Section 521.002, Business & Commerce Code. |
|
|
(b) A state agency or local government that owns, licenses, |
|
|
or maintains computerized data that includes sensitive personal |
|
|
information, confidential information, or information the |
|
|
disclosure of which is regulated by law shall, in the event of a |
|
|
security incident [breach or suspected breach of system security or |
|
|
an unauthorized exposure of that information]: |
|
|
(1) comply with the notification requirements of |
|
|
Section 521.053, Business & Commerce Code, to the same extent as a |
|
|
person who conducts business in this state; [and] |
|
|
(2) not later than 48 hours after the discovery of the |
|
|
security incident [breach, suspected breach, or unauthorized |
|
|
exposure], notify: |
|
|
(A) the department, including the chief |
|
|
information security officer; or |
|
|
(B) if the security incident [breach, suspected |
|
|
breach, or unauthorized exposure] involves election data, the |
|
|
secretary of state; and |
|
|
(3) comply with all department rules relating to |
|
|
reporting security incidents as required by this section. |
|
|
(c) Not later than the 10th business day after the date of |
|
|
the eradication, closure, and recovery from a security incident |
|
|
[breach, suspected breach, or unauthorized exposure], a state |
|
|
agency or local government shall notify the department, including |
|
|
the chief information security officer, of the details of the |
|
|
security incident [event] and include in the notification an |
|
|
analysis of the cause of the security incident [event]. |
|
|
(d) This section does not apply to a security incident that |
|
|
a local government is required to report to an independent |
|
|
organization certified by the Public Utility Commission of Texas |
|
|
under Section 39.151, Utilities Code. |
|
|
SECTION 2. This Act takes effect September 1, 2023. |