BILL ANALYSIS

 

 

 

S.B. 1625

By: Johnson

Natural Resources

Committee Report (Unamended)

 

 

 

BACKGROUND AND PURPOSE

 

Currently, state law requires a person in charge of a public water supply system to notify the Texas Commission on Environmental Quality of certain security incidents regarding the public water supply, including any unauthorized attempts to probe for or gain access to proprietary information about the water supply. S.B. 1625 seeks to expand these notification requirements to include specific cybersecurity threats to the public water supply, such as unauthorized information disclosure and ransomware attacks.

 

CRIMINAL JUSTICE IMPACT

 

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

 

ANALYSIS

 

S.B. 1625 amends the Health and Safety Code, with respect to the requirement for an owner, agent, manager, operator, or other person in charge of a public water supply system that furnishes water for public or private use or a wastewater system that provides wastewater services for public or private use to maintain internal procedures to notify the Texas Commission on Environmental Quality (TCEQ) immediately of specified events, to do the following:

·       replace the event that may negatively impact the production or delivery of safe and adequate drinking water that is an unauthorized attempt to probe for or gain access to proprietary information that supports the key activities of the public water supply or wastewater system with an event that is a security incident during which the public water supply or wastewater system experienced such an unauthorized attempt; and

·       include as an event a security incident during which:

o   an unauthorized disclosure of sensitive personal information, as defined by the Identity Theft Enforcement and Protection Act, held by the public water supply or wastewater system occurred;

o   ransomware, as defined by Penal Code provisions relating to electronic data tampering, was introduced into a computer, computer network, or computer system of the public water supply or wastewater system; or

o   a computer, computer network, or computer system problem disrupted the operation of the public water supply or wastewater system.

The bill requires the TCEQ to establish and maintain procedures to report each security incident to the Department of Information Resources.

 

EFFECTIVE DATE

 

September 1, 2025.