| 1 | 1 | | 85R7377 AAF-D |
|---|
| 2 | 2 | | By: Shaheen H.B. No. 3671 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to the requirement that state agencies notify the |
|---|
| 8 | 8 | | Department of Information Resources in the event of a breach of |
|---|
| 9 | 9 | | system security or unauthorized exposure of certain information. |
|---|
| 10 | 10 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 11 | 11 | | SECTION 1. Section 2054.1125(b), Government Code, is |
|---|
| 12 | 12 | | amended to read as follows: |
|---|
| 13 | 13 | | (b) A state agency that owns, licenses, or maintains |
|---|
| 14 | 14 | | computerized data that includes sensitive personal information, |
|---|
| 15 | 15 | | confidential information, or information the disclosure of which is |
|---|
| 16 | 16 | | regulated by law shall, in the event of a suspected breach or breach |
|---|
| 17 | 17 | | of system security or an unauthorized exposure of that information: |
|---|
| 18 | 18 | | (1) comply[, in the event of a breach of system |
|---|
| 19 | 19 | | security,] with the notification requirements of Section 521.053, |
|---|
| 20 | 20 | | Business & Commerce Code, to the same extent as a person who |
|---|
| 21 | 21 | | conducts business in this state; and |
|---|
| 22 | 22 | | (2) notify the department, including the chief |
|---|
| 23 | 23 | | information security officer and the state cybersecurity |
|---|
| 24 | 24 | | coordinator, not later than 48 hours after the suspected breach, |
|---|
| 25 | 25 | | breach, or unauthorized exposure. |
|---|
| 26 | 26 | | SECTION 2. This Act takes effect September 1, 2017. |
|---|