Texas 2021 - 87th Regular

Texas House Bill HB4395 Latest Draft

Bill / Comm Sub Version Filed 04/30/2021

                            87R18535 MWC-F
 By: Shaheen, Lucio III, Capriglione, Schofield, Hull
 H.B. No. 4395
 Substitute the following for H.B. No. 4395:
 By: Paddie
 C.S.H.B. No. 4395


 A BILL TO BE ENTITLED
 AN ACT
 relating to state agency and local government security incident
 procedures.
 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
 SECTION 1.  Section 2054.1125, Government Code, is
 transferred to Subchapter R, Chapter 2054, Government Code,
 redesignated as Section 2054.603, Government Code, and amended to
 read as follows:
 Sec. 2054.603 [2054.1125].  SECURITY INCIDENT [BREACH]
 NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this
 section:
 (1)  "Security incident" means the actual or suspected
 unauthorized access, disclosure, exposure, modification, or
 destruction of sensitive personal information, confidential
 information, or other information the disclosure of which is
 regulated by law, including:
 (A)  a breach or suspected breach ["Breach] of
 system security as defined [security" has the meaning assigned] by
 Section 521.053, Business & Commerce Code; and
 (B)  ransomware as defined by Section 33.023,
 Penal Code.
 (2)  "Sensitive personal information" has the meaning
 assigned by Section 521.002, Business & Commerce Code.
 (b)  A state agency or local government that owns, licenses,
 or maintains computerized data that includes sensitive personal
 information, confidential information, or information the
 disclosure of which is regulated by law shall, in the event of a
 security incident [breach or suspected breach of system security or
 an unauthorized exposure of that information]:
 (1)  comply with the notification requirements of
 Section 521.053, Business & Commerce Code, to the same extent as a
 person who conducts business in this state; [and]
 (2)  not later than 48 hours after the discovery of the
 security incident [breach, suspected breach, or unauthorized
 exposure], notify:
 (A)  the department, including the chief
 information security officer; or
 (B)  if the security incident [breach, suspected
 breach, or unauthorized exposure] involves election data, the
 secretary of state; and
 (3)  comply with all department rules relating to
 security incidents.
 (c)  Not later than the 10th business day after the date of
 the eradication, closure, and recovery from a security incident
 [breach, suspected breach, or unauthorized exposure], a state
 agency or local government shall notify the department, including
 the chief information security officer, of the details of the
 security incident [event] and include in the notification an
 analysis of the cause of the security incident [event].
 SECTION 2.  This Act takes effect September 1, 2021.