| 1 | 1 | | 87S10701 MWC-F |
|---|
| 2 | 2 | | By: Shaheen H.B. No. 307 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to state agency and local government security incident |
|---|
| 8 | 8 | | procedures. |
|---|
| 9 | 9 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 10 | 10 | | SECTION 1. Section 2054.1125, Government Code, is |
|---|
| 11 | 11 | | transferred to Subchapter R, Chapter 2054, Government Code, |
|---|
| 12 | 12 | | redesignated as Section 2054.603, Government Code, and amended to |
|---|
| 13 | 13 | | read as follows: |
|---|
| 14 | 14 | | Sec. 2054.603 [2054.1125]. SECURITY INCIDENT [BREACH] |
|---|
| 15 | 15 | | NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this |
|---|
| 16 | 16 | | section: |
|---|
| 17 | 17 | | (1) "Security incident" means the unauthorized |
|---|
| 18 | 18 | | access, disclosure, exposure, modification, or destruction of |
|---|
| 19 | 19 | | sensitive personal information, confidential information, or other |
|---|
| 20 | 20 | | information the disclosure of which is regulated by law, including: |
|---|
| 21 | 21 | | (A) a breach ["Breach] of system security as |
|---|
| 22 | 22 | | defined [security" has the meaning assigned] by Section 521.053, |
|---|
| 23 | 23 | | Business & Commerce Code; and |
|---|
| 24 | 24 | | (B) ransomware as defined by Section 33.023, |
|---|
| 25 | 25 | | Penal Code. |
|---|
| 26 | 26 | | (2) "Sensitive personal information" has the meaning |
|---|
| 27 | 27 | | assigned by Section 521.002, Business & Commerce Code. |
|---|
| 28 | 28 | | (b) A state agency or local government that owns, licenses, |
|---|
| 29 | 29 | | or maintains computerized data that includes sensitive personal |
|---|
| 30 | 30 | | information, confidential information, or information the |
|---|
| 31 | 31 | | disclosure of which is regulated by law shall, in the event of a |
|---|
| 32 | 32 | | security incident [breach or suspected breach of system security or |
|---|
| 33 | 33 | | an unauthorized exposure of that information]: |
|---|
| 34 | 34 | | (1) comply with the notification requirements of |
|---|
| 35 | 35 | | Section 521.053, Business & Commerce Code, to the same extent as a |
|---|
| 36 | 36 | | person who conducts business in this state; [and] |
|---|
| 37 | 37 | | (2) not later than 72 [48] hours after the discovery of |
|---|
| 38 | 38 | | the security incident [breach, suspected breach, or unauthorized |
|---|
| 39 | 39 | | exposure], notify: |
|---|
| 40 | 40 | | (A) the department, including the chief |
|---|
| 41 | 41 | | information security officer, and the Texas Division of Emergency |
|---|
| 42 | 42 | | Management; or |
|---|
| 43 | 43 | | (B) if the security incident [breach, suspected |
|---|
| 44 | 44 | | breach, or unauthorized exposure] involves election data, the |
|---|
| 45 | 45 | | secretary of state; and |
|---|
| 46 | 46 | | (3) comply with all department rules relating to |
|---|
| 47 | 47 | | security incidents. |
|---|
| 48 | 48 | | (c) Not later than the 10th business day after the date of |
|---|
| 49 | 49 | | the eradication, closure, and recovery from a security incident |
|---|
| 50 | 50 | | [breach, suspected breach, or unauthorized exposure], a state |
|---|
| 51 | 51 | | agency or local government shall notify the department, including |
|---|
| 52 | 52 | | the chief information security officer, and the Texas Division of |
|---|
| 53 | 53 | | Emergency Management of the details of the security incident |
|---|
| 54 | 54 | | [event] and include in the notification an analysis of the cause of |
|---|
| 55 | 55 | | the security incident [event]. |
|---|
| 56 | 56 | | (d) The department shall make available to state agencies |
|---|
| 57 | 57 | | and local governments a secure method for submitting the security |
|---|
| 58 | 58 | | incident information required by this section. All information |
|---|
| 59 | 59 | | provided under this section is confidential and is not subject to |
|---|
| 60 | 60 | | disclosure under Chapter 552. |
|---|
| 61 | 61 | | SECTION 2. This Act takes effect December 1, 2021. |
|---|