2023S0195-1 02/22/23
 
  By: Paxton S.B. No. 1204
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to state and local government information technology
  infrastructure, information security, and data breach and exposure
  reporting.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  The heading to Section 2054.0594, Government
  Code, is amended to read as follows:
         Sec. 2054.0594.  INFORMATION SHARING AND ANALYSIS
  ORGANIZATIONS [ORGANIZATION].
         SECTION 2.  Section 2054.0594, Government Code, is amended
  by amending Subsections (a), (b), and (c) and adding Subsection
  (a-1) to read as follows:
         (a)  The department shall establish an intrastate
  information sharing and analysis organization to provide a forum
  for state agencies, local governments, public and private
  institutions of higher education, and [the] private sector entities
  in this state to share information regarding cybersecurity threats,
  best practices, and remediation strategies.
         (a-1)  The department may establish an interstate
  information sharing and analysis organization to provide a forum
  for states to share information regarding cybersecurity threats,
  best practices, and remediation strategies.
         (b)  The department shall provide administrative support to
  each [the] information sharing and analysis organization
  established under this section.
         (c)  A participant in an [the] information sharing and
  analysis organization established under this section shall assert
  any exception available under state or federal law, including
  Section 552.139, in response to a request for public disclosure of
  information shared through the organization. Section 552.007 does
  not apply to information described by this subsection.
         SECTION 3.  The heading to Section 2054.068, Government
  Code, is amended to read as follows:
         Sec. 2054.068.  STATE AGENCY INFORMATION TECHNOLOGY
  INFRASTRUCTURE: INFORMATION SECURITY RATING; AUDIT; REPORT.
         SECTION 4.  Section 2054.068, Government Code, is amended by
  amending Subsections (b), (c), and (d) and adding Subsections
  (c-1), (c-2), (c-3), (c-4), (e-1), (e-2), and (e-3) to read as
  follows:
         (b)  The department shall collect from each state agency
  information on the status and condition of the agency's information
  technology infrastructure, including [information regarding]:
               (1)  information on the agency's information security
  program;
               (2)  an inventory of the agency's servers, mainframes,
  cloud services, and other information technology equipment;
               (3)  identification information for [of] vendors that
  operate and manage the agency's information technology
  infrastructure; [and]
               (4)  the results of the information security assessment
  required by Section 2054.515; and
               (5)  any additional related information requested by
  the department.
         (c)  A state agency shall provide the information required by
  Subsection (b) to the department not later than June 1 of each
  even-numbered year [according to a schedule determined by the
  department].
         (c-1)  The department shall assign to each state agency that
  is not an institution of higher education one of the following
  information security ratings based on the agency's information
  security risk profile:
               (1)  above average;
               (2)  average; or
               (3)  below average.
         (c-2)  In assigning an information security rating to a state
  agency under Subsection (c-1), the department shall consider:
               (1)  the information the agency provides under
  Subsection (b);
               (2)  the agency's comprehensive information security
  risk position relative to the agency's risk environment; and
               (3)  any additional document or information the
  department requests from the agency.
         (c-3)  The department:
               (1)  shall develop options and make recommendations for
  improvements in the information security maturity of any state
  agency assigned an information security rating of below average
  under Subsection (c-1); and
               (2)  may assist any state agency in determining whether
  additional security measures would increase the agency's
  information security maturity.
         (c-4)  The department may audit the information security and
  technology of any state agency assigned an information security
  rating under Subsection (c-1) or contract with a vendor to perform
  the audit. The department shall make available on request by any
  person listed in Subsection (d) the results of an audit conducted
  under this subsection.
         (d)  Not later than November 15 of each even-numbered year,
  the department shall submit to the governor, chair of the house
  appropriations committee, chair of the senate finance committee,
  speaker of the house of representatives, lieutenant governor, and
  staff of the Legislative Budget Board:
               (1)  a consolidated report of the information submitted
  by state agencies under Subsection (b); and
               (2)  any department recommendations relevant to and
  necessary for improving this state's information technology
  infrastructure and information security.
         (e-1)  The department shall compile a summary of the
  consolidated report required under Subsection (d) and make the
  summary available to the public. The summary may not disclose any
  confidential information.
         (e-2)  The consolidated report required under Subsection (d)
  and all information a state agency submits to substantiate or
  otherwise related to the report are confidential and not subject to
  disclosure under Chapter 552. The state agency or the department
  may redact or withhold information as confidential under Chapter
  552 without requesting a decision from the attorney general under
  Subchapter G, Chapter 552.
         (e-3)  Following its review of the consolidated report, the
  Legislative Budget Board may direct the department to select for
  participation in a statewide technology center established under
  Subchapter L any state agency assigned an information security
  rating under Subsection (c-1). The department shall notify each
  selected state agency of the agency's selection as required by
  Section 2054.385. The department is not required to conduct the
  cost and requirements analysis under Section 2054.384 for a state
  agency selected for participation under this subsection. This
  subsection expires September 1, 2027.
         SECTION 5.  Section 2054.136, Government Code, is amended to
  read as follows:
         Sec. 2054.136.  DESIGNATED INFORMATION SECURITY OFFICER.
  (a) Each state agency shall designate an information security
  officer who:
               (1)  reports to the agency's executive-level
  management;
               (2)  has authority over information security for the
  entire agency;
               (3)  possesses the training and experience required to
  perform the duties required by department rules; and
               (4)  to the extent feasible, has information security
  duties as the officer's primary duties.
         (b)  An employee designated under Subsection (a) may be
  designated to serve as a joint information security officer by two
  or more state agencies. The department must approve the joint
  designation.
         SECTION 6.  The heading to Section 2054.515, Government
  Code, is amended to read as follows:
         Sec. 2054.515.  STATE AGENCY INFORMATION SECURITY
  ASSESSMENT [AND REPORT].
         SECTION 7.  Sections 2054.515(a), (c), and (d), Government
  Code, are amended to read as follows:
         (a)  At least once every two years, each state agency shall
  conduct an information security assessment of the agency's[:
               [(1)]  information resources systems, network systems,
  digital data storage systems, digital data security measures, and
  information resources vulnerabilities[; and
               [(2)  data governance program with participation from
  the agency's data management officer, if applicable, and in
  accordance with requirements established by department rule].
         (c)  Each state agency shall complete the information
  security assessment in consultation with the department or the
  vendor the department selects and submit the results of the
  assessment to the department in accordance with Section 2054.068(b)
  [The department by rule shall establish the requirements for the
  information security assessment and report required by this
  section].
         (d)  All [The report and all] documentation related to the
  information security assessment is [and report are] confidential
  and not subject to disclosure under Chapter 552. The state agency
  or department may redact or withhold the information as
  confidential under Chapter 552 without requesting a decision from
  the attorney general under Subchapter G, Chapter 552.
         SECTION 8.  Section 2054.577(c), Government Code, is amended
  to read as follows:
         (c)  Money in the fund:
               (1)  may be used to improve and modernize state agency
  information resources, including legacy system projects and
  cybersecurity projects; [and]
               (2)  may be used to mitigate a security incident at a
  state agency;
               (3)  may not be used to replace money appropriated to a
  state agency for the purposes of operating and maintaining state
  agency information resources or reduce the amount of money
  appropriated to a state agency for those purposes; and
               (4)  may not be used to pay an entity that commits the
  crime of electronic data tampering.
         SECTION 9.  Section 2054.1125, Government Code, is
  transferred to Subchapter R, Chapter 2054, Government Code,
  redesignated as Section 2054.603, Government Code, and amended to
  read as follows:
         Sec. 2054.603  [2054.1125].  SECURITY INCIDENT [BREACH]
  NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this
  section:
               (1)  "Security incident" means:
                     (A)  the actual or suspected deliberate and
  unauthorized access, disclosure, exposure, modification, or
  destruction of sensitive personal information, confidential
  information, or other information the disclosure of which is
  regulated by law through a computer, computer network, or computer
  system, including:
                           (i)  a breach or suspected breach ["Breach]
  of system security as defined [security" has the meaning assigned]
  by Section 521.053, Business & Commerce Code; and
                           (ii)  the introduction of ransomware, as
  defined by Section 33.023, Penal Code, into a computer, computer
  network, or computer system; or
                     (B)  a deliberate and unauthorized modification,
  disruption, destruction, or defacement that makes unavailable or
  inaccessible:
                           (i)  state agency information or information
  resources; or 
                           (ii)  a state agency website.
               (2)  "Sensitive personal information" has the meaning
  assigned by Section 521.002, Business & Commerce Code.
         (b)  A state agency or local government that owns, licenses,
  or maintains computerized data that includes sensitive personal
  information, confidential information, or information the
  disclosure of which is regulated by law shall, in the event of a
  security incident [breach or suspected breach of system security or
  an unauthorized exposure of that information]:
               (1)  comply with the notification requirements of
  Section 521.053, Business & Commerce Code, to the same extent as a
  person who conducts business in this state; [and]
               (2)  not later than 24 [48] hours after the discovery of
  the security incident [breach, suspected breach, or unauthorized
  exposure], notify:
                     (A)  the department, including the chief
  information security officer; or
                     (B)  if the security incident [breach, suspected
  breach, or unauthorized exposure] involves election data, the
  secretary of state; and
               (3)  comply with all department rules relating to
  security incidents.
         (c)  Not later than the 10th business day after the date of
  the eradication, closure, and recovery from a security incident 
  [breach, suspected breach, or unauthorized exposure], a state
  agency or local government shall notify the department, including
  the chief information security officer, of the details of the
  security incident [event] and include in the notification an
  analysis of the cause of the security incident [event].
         SECTION 10.  The following provisions are repealed:
               (1)  Section 2054.068(f), Government Code; and
               (2)  Section 2054.515(b), Government Code, as amended
  by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the 87th
  Legislature, Regular Session, 2021.
         SECTION 11.  This Act takes effect September 1, 2023.