S.B. No. 271
 
 
 
 
AN ACT
  relating to state agency and local government security incident
  procedures.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 2054.1125, Government Code, is
  transferred to Subchapter R, Chapter 2054, Government Code,
  redesignated as Section 2054.603, Government Code, and amended to
  read as follows:
         Sec. 2054.603 [2054.1125].  SECURITY INCIDENT [BREACH]
  NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this
  section:
               (1)  "Security incident" means:
                     (A)  a breach or suspected breach ["Breach] of
  system security as defined [security" has the meaning assigned] by
  Section 521.053, Business & Commerce Code; and
                     (B)  the introduction of ransomware, as defined by
  Section 33.023, Penal Code, into a computer, computer network, or
  computer system.
               (2)  "Sensitive personal information" has the meaning
  assigned by Section 521.002, Business & Commerce Code.
         (b)  A state agency or local government that owns, licenses,
  or maintains computerized data that includes sensitive personal
  information, confidential information, or information the
  disclosure of which is regulated by law shall, in the event of a
  security incident [breach or suspected breach of system security or
  an unauthorized exposure of that information]:
               (1)  comply with the notification requirements of
  Section 521.053, Business & Commerce Code, to the same extent as a
  person who conducts business in this state; [and]
               (2)  not later than 48 hours after the discovery of the
  security incident [breach, suspected breach, or unauthorized
  exposure], notify:
                     (A)  the department, including the chief
  information security officer; or
                     (B)  if the security incident [breach, suspected
  breach, or unauthorized exposure] involves election data, the
  secretary of state; and
               (3)  comply with all department rules relating to
  reporting security incidents as required by this section.
         (c)  Not later than the 10th business day after the date of
  the eradication, closure, and recovery from a security incident
  [breach, suspected breach, or unauthorized exposure], a state
  agency or local government shall notify the department, including
  the chief information security officer, of the details of the
  security incident [event] and include in the notification an
  analysis of the cause of the security incident [event].
         (d)  This section does not apply to a security incident that
  a local government is required to report to an independent
  organization certified by the Public Utility Commission of Texas
  under Section 39.151, Utilities Code.
         SECTION 2.  This Act takes effect September 1, 2023.
 
 
 
 
 
  ______________________________     ______________________________
     President of the Senate              Speaker of the House
 
         I hereby certify that S.B. No. 271 passed the Senate on
  March 21, 2023, by the following vote:  Yeas 31, Nays 0.
 
 
  ______________________________
  Secretary of the Senate    
 
         I hereby certify that S.B. No. 271 passed the House on
  May 6, 2023, by the following vote:  Yeas 134, Nays 2, one present
  not voting.
 
 
  ______________________________
  Chief Clerk of the House   
 
 
 
  Approved:
 
  ______________________________ 
              Date
 
 
  ______________________________ 
            Governor