| |
| |
|
|
A BILL TO BE ENTITLED
|
|
|
AN ACT
|
|
|
relating to the reporting of certain security incidents by public |
|
|
water systems to the Texas Commission on Environmental Quality and |
|
|
the Department of Information Resources. |
|
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
|
SECTION 1. Section 341.033, Health and Safety Code, is |
|
|
amended by amending Subsections (i) and (i-1) and adding Subsection |
|
|
(i-2) to read as follows: |
|
|
(i) An owner, agent, manager, operator, or other person in |
|
|
charge of a public water supply system that furnishes water for |
|
|
public or private use or a wastewater system that provides |
|
|
wastewater services for public or private use shall maintain |
|
|
internal procedures to notify the commission immediately of the |
|
|
following events: |
|
|
(1) [,] if the event may negatively impact the |
|
|
production or delivery of safe and adequate drinking water: |
|
|
(A) [(1)] an unusual or unexplained unauthorized |
|
|
entry at property of the public water supply or wastewater system; |
|
|
(B) [(2)] an act of terrorism against the public |
|
|
water supply or wastewater system; |
|
|
(C) [(3) an unauthorized attempt to probe for or |
|
|
gain access to proprietary information that supports the key |
|
|
activities of the public water supply or wastewater system; |
|
|
[(4)] a theft of property that supports the key |
|
|
activities of the public water supply or wastewater system; |
|
|
(D) [(5)] a natural disaster, accident, or act |
|
|
that results in damage to the public water supply or wastewater |
|
|
system; or |
|
|
(E) [(6)] for a nonindustrial public water |
|
|
supply system, an unplanned condition that has caused a public |
|
|
water supply outage or the public water supply system to issue a |
|
|
do-not-use advisory, do-not-consume advisory, or boil water |
|
|
notice; or |
|
|
(2) a security incident during which: |
|
|
(A) an unauthorized disclosure of sensitive |
|
|
personal information, as defined by Section 521.002(a)(2)(A), |
|
|
Business & Commerce Code, held by the public water supply or |
|
|
wastewater system occurred; |
|
|
(B) ransomware, as defined by Section 33.023, |
|
|
Penal Code, was introduced into a computer, computer network, or |
|
|
computer system of the public water supply or wastewater system; |
|
|
(C) the public water supply or wastewater system |
|
|
experienced an unauthorized attempt to probe for or gain access to |
|
|
proprietary information that supports the key activities of the |
|
|
system; or |
|
|
(D) a computer, computer network, or computer |
|
|
system problem disrupted the operation of the public water supply |
|
|
or wastewater system. |
|
|
(i-1) The commission may collaborate with the Texas |
|
|
Division of Emergency Management in administering the notification |
|
|
requirement in Subsection (i)(1)(E) [(i)(6)], including |
|
|
determining the method by which the notifications are |
|
|
provided. Subsection (i)(1)(E) [(i)(6)] does not require an |
|
|
owner, agent, manager, operator, or other person in charge of a |
|
|
nonindustrial public water supply system to provide notice of a |
|
|
weather or emergency alert, warning, or watch issued by the |
|
|
National Weather Service, the National Oceanic and Atmospheric |
|
|
Administration, or the Texas Division of Emergency Management or a |
|
|
successor federal or state agency. |
|
|
(i-2) The commission shall establish and maintain |
|
|
procedures to report each security incident described by Subsection |
|
|
(i)(2) to the Department of Information Resources. |
|
|
SECTION 2. This Act takes effect September 1, 2025. |