Texas 2021 - 87th Regular

Texas House Bill HB4395 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1		-	87R18535 MWC-F
2		-	By: Shaheen, Lucio III, Capriglione, H.B. No. 4395
3		-	Schofield, Hull
4		-	Substitute the following for H.B. No. 4395:
5		-	By: Paddie C.S.H.B. No. 4395
	1	+	By: Shaheen H.B. No. 4395
6	2
7	3
8	4		A BILL TO BE ENTITLED
9	5		AN ACT
10		-	relating to state ~~agency~~ and local ~~government security incident~~
11		-	~~procedures~~.
	6	+	relating to state and local governments requirements to report
	7	+	security incidents to the Department of Information Resources.
12	8		BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
13		-	SECTION 1. Section 2054.1125, Government Code, is
14		-	transferred to Subchapter R, Chapter 2054, Government Code,
15		-	redesignated as Section 2054.603, Government Code, and amended to
16		-	read as follows:
17		-	Sec. 2054.603 [2054.1125]. SECURITY INCIDENT [BREACH]
18		-	NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this
19		-	section:
20		-	(1) "Security incident" means the actual or suspected
21		-	unauthorized access, disclosure, exposure, modification, or
22		-	destruction of sensitive personal information, confidential
23		-	information, or other information the disclosure of which is
24		-	regulated by law, including:
25		-	(A) a breach or suspected breach ["Breach] of
26		-	system security as defined [security" has the meaning assigned] by
27		-	Section 521.053, Business & Commerce Code; and
28		-	(B) ransomware as defined by Section 33.023,
29		-	Penal Code.
	9	+	Sec. 2054.1125. SECURITY INCIDENTBREACH NOTIFICATION BY
	10	+	STATE AGENCY OR LOCAL GOVERNMENT. (a) In this section:
	11	+	(1) "Security incidentBreach of system security"
	12	+	means the actual or suspected unauthorized disclosure, exposure, or
	13	+	modification of sensitive personal information, confidential
	14	+	information, or other regulated information including a breach or
	15	+	suspected breach of system security as definedhas the meaning
	16	+	assigned by Section 521.053, Business & Commerce Code, including
	17	+	ransomware as defined by Section 33.023 Penal Code.
30	18		(2) "Sensitive personal information" has the meaning
31	19		assigned by Section 521.002, Business & Commerce Code.
32	20		(b) A state agency or local government that owns, licenses,
33	21		or maintains computerized data that includes sensitive personal
34	22		information, confidential information, or information the
35	23		disclosure of which is regulated by law shall, in the event of a
36		-	security ~~incident [breach~~ or suspected breach of system security or
37		-	an unauthorized exposure of that information]:
	24	+	security incidentbreach or suspected breach of system security or
	25	+	an unauthorized exposure of that information:
38	26		(1) comply with the notification requirements of
39	27		Section 521.053, Business & Commerce Code, to the same extent as a
40		-	person who conducts business in this state; [and]
	28	+	person who conducts business in this state; and
41	29		(2) not later than 48 hours after the discovery of the
42		-	security incident [breach, suspected breach, or unauthorized
43		-	exposure], notify:
	30	+	breach, suspected breach, or unauthorized exposure, notify:
44	31		(A) the department, including the chief
45	32		information security officer; or
46		-	(B) if the security ~~incident [breach~~, suspected
47		-	breach, or unauthorized exposure] involves election data, the
	33	+	(B) if the security incidentbreach, suspected
	34	+	breach, or unauthorized exposure involves election data, the
48	35		secretary of state; and
49		-	(3) comply with all ~~department~~ rules relating to
50		-	~~security~~ incidents.
	36	+	(3) comply with all rules relating to security
	37	+	incidents adopted by the department.
51	38		(c) Not later than the 10th business day after the date of
52	39		the eradication, closure, and recovery from a security incident
53		-	[breach, suspected breach, or unauthorized exposure], a state
54		-	agency or local government shall notify the department, including
55		-	the chief information security officer, of the details of the
56		-	security incident [event] and include in the notification an
57		-	analysis of the cause of the security incident [event].
58		-	SECTION 2. This Act takes effect September 1, 2021.
	40	+	breach, suspected breach, or unauthorized exposure, a state agency
	41	+	or local government shall notify the department, including the
	42	+	chief information security officer, of the details of the event and
	43	+	include in the notification an analysis of the cause of the event.
	44	+	SECTION 2. This Act takes effect immediately if it receives
	45	+	a vote of two-thirds of all the members elected to each house, as
	46	+	provided by Section 39, Article III, Texas Constitution. If this
	47	+	Act does not receive the vote necessary for immediate effect, this
	48	+	Act takes effect September 1, 2021.