| 1 | 1 | | 88R2127 JCG-D |
|---|
| 2 | 2 | | By: Campbell S.B. No. 2377 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to homeland security, including the creation of the Texas |
|---|
| 8 | 8 | | Homeland Security Division in the Department of Public Safety, the |
|---|
| 9 | 9 | | operations of the Homeland Security Council, the creation of a |
|---|
| 10 | 10 | | homeland security fusion center, and the duties of state agencies |
|---|
| 11 | 11 | | and local governments in preparing for, reporting, and responding |
|---|
| 12 | 12 | | to cybersecurity breaches; providing administrative penalties; |
|---|
| 13 | 13 | | creating criminal offenses. |
|---|
| 14 | 14 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 15 | 15 | | SECTION 1. (a) The legislature finds that the federal |
|---|
| 16 | 16 | | government's inadequate border security measures, the trafficking |
|---|
| 17 | 17 | | of fentanyl across the borders of this state, Central America's |
|---|
| 18 | 18 | | turn towards authoritarian regimes, China's hostile rhetoric |
|---|
| 19 | 19 | | regarding Taiwan, and Russia's invasion of Ukraine create an |
|---|
| 20 | 20 | | ever-changing threat landscape to the security of this state. |
|---|
| 21 | 21 | | (b) Due to these continuous threats, this state must |
|---|
| 22 | 22 | | continue taking serious measures to secure its critical |
|---|
| 23 | 23 | | infrastructure, cyber networks, and border and monitor security |
|---|
| 24 | 24 | | threats from hostile nations and non-state actors. |
|---|
| 25 | 25 | | (c) These present and future threats require this state to |
|---|
| 26 | 26 | | create a unified security organization under the Department of |
|---|
| 27 | 27 | | Public Safety of the State of Texas whose sole mission is to |
|---|
| 28 | 28 | | safeguard the people and infrastructure that make this state great. |
|---|
| 29 | 29 | | (d) The Texas Homeland Security Division, as established by |
|---|
| 30 | 30 | | this Act, will unify this state's security responsibilities into |
|---|
| 31 | 31 | | one entity that reports directly to the governor and the public |
|---|
| 32 | 32 | | safety director of the Department of Public Safety of the State of |
|---|
| 33 | 33 | | Texas. |
|---|
| 34 | 34 | | SECTION 2. Chapter 411, Government Code, is amended by |
|---|
| 35 | 35 | | adding Subchapter S to read as follows: |
|---|
| 36 | 36 | | SUBCHAPTER S. TEXAS HOMELAND SECURITY DIVISION |
|---|
| 37 | 37 | | Sec. 411.551. DEFINITIONS. In this subchapter: |
|---|
| 38 | 38 | | (1) "Division" means the Texas Homeland Security |
|---|
| 39 | 39 | | Division established in the department under this subchapter. |
|---|
| 40 | 40 | | (2) "Division director" means the director of the |
|---|
| 41 | 41 | | Texas Homeland Security Division appointed under this subchapter. |
|---|
| 42 | 42 | | Sec. 411.552. ESTABLISHMENT; DIRECTOR; EMPLOYEES. (a) The |
|---|
| 43 | 43 | | Texas Homeland Security Division is established in the department. |
|---|
| 44 | 44 | | (b) Notwithstanding Section 411.006(a)(6), the public |
|---|
| 45 | 45 | | safety director shall appoint, with the advice and consent of the |
|---|
| 46 | 46 | | governor, a homeland security director to manage the division. |
|---|
| 47 | 47 | | (c) The division director may hire employees as necessary to |
|---|
| 48 | 48 | | carry out the duties of the division. |
|---|
| 49 | 49 | | Sec. 411.553. GENERAL DUTIES. The division shall, in |
|---|
| 50 | 50 | | consultation with the governor: |
|---|
| 51 | 51 | | (1) develop and implement strategic homeland security |
|---|
| 52 | 52 | | operations; and |
|---|
| 53 | 53 | | (2) unify governmental activities and |
|---|
| 54 | 54 | | responsibilities related to homeland security under the direction |
|---|
| 55 | 55 | | of the division. |
|---|
| 56 | 56 | | Sec. 411.554. BORDER SECURITY: INTELLIGENCE. (a) The |
|---|
| 57 | 57 | | division shall coordinate with the Texas Military Department, state |
|---|
| 58 | 58 | | and local law enforcement agencies, federal agencies, and any other |
|---|
| 59 | 59 | | entity the division determines appropriate to secure the |
|---|
| 60 | 60 | | international border. |
|---|
| 61 | 61 | | (b) In coordinating with the entities described by |
|---|
| 62 | 62 | | Subsection (a), the division shall: |
|---|
| 63 | 63 | | (1) collect, analyze, and provide intelligence for |
|---|
| 64 | 64 | | each major operation to secure the international border, including |
|---|
| 65 | 65 | | consulting with the Texas Military Department and other appropriate |
|---|
| 66 | 66 | | agencies that collect, analyze, or provide intelligence to the |
|---|
| 67 | 67 | | governor, the department, and other entities deployed on major |
|---|
| 68 | 68 | | operations; |
|---|
| 69 | 69 | | (2) make recommendations on essential tasks and |
|---|
| 70 | 70 | | desired results for each element of a major operation; |
|---|
| 71 | 71 | | (3) provide augmented equipment and personnel for a |
|---|
| 72 | 72 | | major operation; and |
|---|
| 73 | 73 | | (4) conduct periodic internal reviews of |
|---|
| 74 | 74 | | interoperability among agencies deployed on a major operation and |
|---|
| 75 | 75 | | make available reports on subsequent efforts to improve |
|---|
| 76 | 76 | | interoperability. |
|---|
| 77 | 77 | | (c) Each month, the division shall provide a report to the |
|---|
| 78 | 78 | | governor on the major operations conducted by this state to secure |
|---|
| 79 | 79 | | the international border. |
|---|
| 80 | 80 | | Sec. 411.555. BORDER SECURITY: GRANT RECOMMENDATIONS. The |
|---|
| 81 | 81 | | division shall advise the criminal justice division of the |
|---|
| 82 | 82 | | governor's office on the allocation of grants under the prosecution |
|---|
| 83 | 83 | | of border crime grant program established under Section 772.0071. |
|---|
| 84 | 84 | | Sec. 411.556. CRITICAL INFRASTRUCTURE AND POWER GRID. (a) |
|---|
| 85 | 85 | | The division shall coordinate with federal, state, and local |
|---|
| 86 | 86 | | agencies, and any other entity the division determines appropriate, |
|---|
| 87 | 87 | | to protect the critical infrastructure of this state and the ERCOT |
|---|
| 88 | 88 | | power grid from remote and physical attacks, including: |
|---|
| 89 | 89 | | (1) oil and gas infrastructure, including: |
|---|
| 90 | 90 | | (A) oil, gas, and chemical pipelines; |
|---|
| 91 | 91 | | (B) oil and gas drilling sites; and |
|---|
| 92 | 92 | | (C) oil, gas, and chemical production |
|---|
| 93 | 93 | | facilities; |
|---|
| 94 | 94 | | (2) electrical power generating facilities, |
|---|
| 95 | 95 | | substations, switching stations, and electrical control centers; |
|---|
| 96 | 96 | | (3) petroleum and alumina refineries and chemical, |
|---|
| 97 | 97 | | polymer, and rubber manufacturing facilities; and |
|---|
| 98 | 98 | | (4) water intake structures, water treatment |
|---|
| 99 | 99 | | facilities, wastewater treatment plants, and pump stations. |
|---|
| 100 | 100 | | (b) In coordinating the efforts of this state to secure |
|---|
| 101 | 101 | | critical infrastructure and the ERCOT power grid, the division |
|---|
| 102 | 102 | | shall cooperate with the Cybersecurity and Infrastructure Security |
|---|
| 103 | 103 | | Agency, the United States Department of Energy, and the Homeland |
|---|
| 104 | 104 | | Security Fusion Center. |
|---|
| 105 | 105 | | Sec. 411.557. CRITICAL INFRASTRUCTURE: INVESTIGATION OF |
|---|
| 106 | 106 | | CERTAIN PURCHASES. The division shall investigate any purchases of |
|---|
| 107 | 107 | | substantial portions of land or infrastructure in this state by a |
|---|
| 108 | 108 | | designated country, as that term is defined by Section 2274.0101, |
|---|
| 109 | 109 | | as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, |
|---|
| 110 | 110 | | Regular Session, 2021. |
|---|
| 111 | 111 | | Sec. 411.558. PROHIBITED EQUIPMENT REPORTS. At least |
|---|
| 112 | 112 | | annually, the division shall issue a report to the governor, |
|---|
| 113 | 113 | | lieutenant governor, members of the legislature, and all state |
|---|
| 114 | 114 | | agencies identifying equipment that the United States Department of |
|---|
| 115 | 115 | | Defense has prohibited entities that contract with the department |
|---|
| 116 | 116 | | of defense from using. |
|---|
| 117 | 117 | | Sec. 411.559. CYBERSECURITY: WEBSITE FOR REPORTING THREATS |
|---|
| 118 | 118 | | AND ATTACKS. The division shall develop a secure Internet website |
|---|
| 119 | 119 | | that is accessible by state agencies and local governments and |
|---|
| 120 | 120 | | permits those entities to report to the division suspected |
|---|
| 121 | 121 | | cybersecurity threats and attacks against those entities. |
|---|
| 122 | 122 | | Sec. 411.560. BUDGET REQUESTS. (a) Not later than April 1 |
|---|
| 123 | 123 | | of each even-numbered year, the division director shall submit to |
|---|
| 124 | 124 | | the public safety director a request for appropriations that |
|---|
| 125 | 125 | | estimates the cost of the division's operations. |
|---|
| 126 | 126 | | (b) A request for appropriations described by Subsection |
|---|
| 127 | 127 | | (a) may not be aggregated with any other appropriation request made |
|---|
| 128 | 128 | | by the department when the request is submitted to a legislative |
|---|
| 129 | 129 | | committee with jurisdiction over appropriations. |
|---|
| 130 | 130 | | SECTION 3. Section 421.021, Government Code, is amended by |
|---|
| 131 | 131 | | adding Subsection (a-1) to read as follows: |
|---|
| 132 | 132 | | (a-1) The Homeland Security Council is composed of: |
|---|
| 133 | 133 | | (1) the governor or the governor's designee; |
|---|
| 134 | 134 | | (2) the lieutenant governor or the lieutenant |
|---|
| 135 | 135 | | governor's designee; |
|---|
| 136 | 136 | | (3) the director of the Texas Homeland Security |
|---|
| 137 | 137 | | Division of the Department of Public Safety; and |
|---|
| 138 | 138 | | (4) other persons appointed by the governor or |
|---|
| 139 | 139 | | lieutenant governor. |
|---|
| 140 | 140 | | SECTION 4. Section 421.023, Government Code, is amended by |
|---|
| 141 | 141 | | amending Subsections (c) and (d) and adding Subsection (f) to read |
|---|
| 142 | 142 | | as follows: |
|---|
| 143 | 143 | | (c) The governor shall designate the director of the Texas |
|---|
| 144 | 144 | | Homeland Security Division of the Department of Public Safety as |
|---|
| 145 | 145 | | the presiding officer of the council. |
|---|
| 146 | 146 | | (d) The council shall meet at the call of the presiding |
|---|
| 147 | 147 | | officer [governor] and shall meet at least once each quarter in a |
|---|
| 148 | 148 | | calendar year. |
|---|
| 149 | 149 | | (f) The presiding officer shall appoint a secretary, who may |
|---|
| 150 | 150 | | be a member of the council, to record meeting minutes and |
|---|
| 151 | 151 | | attendance. |
|---|
| 152 | 152 | | SECTION 5. Section 421.024, Government Code, is amended to |
|---|
| 153 | 153 | | read as follows: |
|---|
| 154 | 154 | | Sec. 421.024. DUTIES. The council shall advise the |
|---|
| 155 | 155 | | governor on: |
|---|
| 156 | 156 | | (1) the implementation of the governor's homeland |
|---|
| 157 | 157 | | security strategy by state and local agencies and provide specific |
|---|
| 158 | 158 | | suggestions for helping those agencies implement the strategy; |
|---|
| 159 | 159 | | [and] |
|---|
| 160 | 160 | | (2) recommendations from the Texas Homeland Security |
|---|
| 161 | 161 | | Division of the Department of Public Safety on improving the |
|---|
| 162 | 162 | | security of this state; and |
|---|
| 163 | 163 | | (3) other matters related to the planning, |
|---|
| 164 | 164 | | development, coordination, and implementation of initiatives to |
|---|
| 165 | 165 | | promote the governor's homeland security strategy. |
|---|
| 166 | 166 | | SECTION 6. Chapter 421, Government Code, is amended by |
|---|
| 167 | 167 | | adding Subchapter E-1 to read as follows: |
|---|
| 168 | 168 | | SUBCHAPTER E-1. HOMELAND SECURITY FUSION CENTER |
|---|
| 169 | 169 | | Sec. 421.0901. DEFINITIONS. In this subchapter: |
|---|
| 170 | 170 | | (1) "Board" means the oversight board of the homeland |
|---|
| 171 | 171 | | security fusion center. |
|---|
| 172 | 172 | | (2) "Director" means the director of the Texas |
|---|
| 173 | 173 | | Homeland Security Division of the Department of Public Safety. |
|---|
| 174 | 174 | | Sec. 421.0902. HOMELAND SECURITY FUSION CENTER. (a) From |
|---|
| 175 | 175 | | funds available for this purpose, the director may: |
|---|
| 176 | 176 | | (1) establish the homeland security fusion center; and |
|---|
| 177 | 177 | | (2) hire employees to operate the homeland security |
|---|
| 178 | 178 | | fusion center. |
|---|
| 179 | 179 | | (b) The homeland security fusion center shall: |
|---|
| 180 | 180 | | (1) collect, receive, generate, and disseminate |
|---|
| 181 | 181 | | intelligence critical for homeland security policy and homeland |
|---|
| 182 | 182 | | security activities in this state, including the issuance of |
|---|
| 183 | 183 | | relevant threat warnings; |
|---|
| 184 | 184 | | (2) promote and improve intelligence sharing: |
|---|
| 185 | 185 | | (A) among public safety and public service |
|---|
| 186 | 186 | | agencies at the federal, state, local, and tribal levels; and |
|---|
| 187 | 187 | | (B) with entities in the private sector operating |
|---|
| 188 | 188 | | critical infrastructure and other key resources; |
|---|
| 189 | 189 | | (3) otherwise support federal, state, local, and |
|---|
| 190 | 190 | | tribal agencies and private organizations in preventing, preparing |
|---|
| 191 | 191 | | for, responding to, and recovering from homeland security threats |
|---|
| 192 | 192 | | and attacks; and |
|---|
| 193 | 193 | | (4) maintain intelligence collected, received, or |
|---|
| 194 | 194 | | generated in compliance with applicable state and federal law and |
|---|
| 195 | 195 | | in a secure manner, including: |
|---|
| 196 | 196 | | (A) providing appropriate security for a |
|---|
| 197 | 197 | | facility that contains sensitive information; |
|---|
| 198 | 198 | | (B) compartmentalizing sensitive information; |
|---|
| 199 | 199 | | and |
|---|
| 200 | 200 | | (C) adopting appropriate internal procedures for |
|---|
| 201 | 201 | | the security of the facility and the information. |
|---|
| 202 | 202 | | Sec. 421.0903. OVERSIGHT BOARD; QUALIFICATIONS; RULES. (a) |
|---|
| 203 | 203 | | If the homeland security fusion center is established under Section |
|---|
| 204 | 204 | | 421.0902, there is also established an oversight board that shall |
|---|
| 205 | 205 | | govern the operations of the homeland security fusion center. |
|---|
| 206 | 206 | | (b) The board is composed of: |
|---|
| 207 | 207 | | (1) the director; |
|---|
| 208 | 208 | | (2) the adjutant general; and |
|---|
| 209 | 209 | | (3) other persons appointed by the director. |
|---|
| 210 | 210 | | (c) The director serves as the chair of the board and the |
|---|
| 211 | 211 | | adjutant general serves as the vice chair. |
|---|
| 212 | 212 | | (d) A member of the board must have and maintain a secret |
|---|
| 213 | 213 | | security clearance granted by the United States government. A |
|---|
| 214 | 214 | | person who has applied for a secret security clearance and has been |
|---|
| 215 | 215 | | granted an interim secret security clearance may serve as a member |
|---|
| 216 | 216 | | of the board but may not be given access to classified information, |
|---|
| 217 | 217 | | participate in a briefing involving classified information, or vote |
|---|
| 218 | 218 | | on an issue involving classified information before the person is |
|---|
| 219 | 219 | | granted a secret security clearance. |
|---|
| 220 | 220 | | (e) The board may adopt rules, policies, and procedures for |
|---|
| 221 | 221 | | the operation of the homeland security fusion center. |
|---|
| 222 | 222 | | Sec. 421.0904. GIFTS, GRANTS, AND DONATIONS; DEDICATED |
|---|
| 223 | 223 | | ACCOUNT. (a) The homeland security fusion center may accept gifts, |
|---|
| 224 | 224 | | grants, and donations of any kind from any public or private source, |
|---|
| 225 | 225 | | including services or property, for the purpose of paying the costs |
|---|
| 226 | 226 | | to establish, maintain, or operate the homeland security fusion |
|---|
| 227 | 227 | | center. |
|---|
| 228 | 228 | | (b) The homeland security fusion center shall remit all |
|---|
| 229 | 229 | | amounts received under this section to the comptroller. The |
|---|
| 230 | 230 | | comptroller shall deposit the amounts to the credit of an account in |
|---|
| 231 | 231 | | the general revenue fund that may be appropriated only to the |
|---|
| 232 | 232 | | Department of Public Safety to provide funding for establishing, |
|---|
| 233 | 233 | | maintaining, or operating the homeland security fusion center. |
|---|
| 234 | 234 | | (c) The board must approve expenditures made for the |
|---|
| 235 | 235 | | purposes described by Subsection (b). |
|---|
| 236 | 236 | | Sec. 421.0905. ADMINISTRATIVE SUPPORT. The Texas Homeland |
|---|
| 237 | 237 | | Security Division of the Department of Public Safety shall provide |
|---|
| 238 | 238 | | administrative support for the homeland security fusion center and |
|---|
| 239 | 239 | | the board, including securely maintaining the records of the board. |
|---|
| 240 | 240 | | SECTION 7. Section 2054.077(d), Government Code, is amended |
|---|
| 241 | 241 | | to read as follows: |
|---|
| 242 | 242 | | (d) The information security officer shall provide an |
|---|
| 243 | 243 | | electronic copy of the vulnerability report on its completion to: |
|---|
| 244 | 244 | | (1) the Texas Homeland Security Division of the |
|---|
| 245 | 245 | | Department of Public Safety; |
|---|
| 246 | 246 | | (2) the department; |
|---|
| 247 | 247 | | (3) [(2)] the state auditor; |
|---|
| 248 | 248 | | (4) [(3)] the agency's executive director; |
|---|
| 249 | 249 | | (5) [(4)] the agency's designated information |
|---|
| 250 | 250 | | resources manager; and |
|---|
| 251 | 251 | | (6) [(5)] any other information technology security |
|---|
| 252 | 252 | | oversight group specifically authorized by the legislature to |
|---|
| 253 | 253 | | receive the report. |
|---|
| 254 | 254 | | SECTION 8. Section 2054.1125, Government Code, is amended |
|---|
| 255 | 255 | | by amending Subsection (b) and adding Subsections (d) and (e) to |
|---|
| 256 | 256 | | read as follows: |
|---|
| 257 | 257 | | (b) A state agency that owns, licenses, or maintains |
|---|
| 258 | 258 | | computerized data that includes sensitive personal information, |
|---|
| 259 | 259 | | confidential information, or information the disclosure of which is |
|---|
| 260 | 260 | | regulated by law shall, in the event of a breach or suspected breach |
|---|
| 261 | 261 | | of system security or an unauthorized exposure of that information: |
|---|
| 262 | 262 | | (1) comply with the notification requirements of |
|---|
| 263 | 263 | | Section 521.053, Business & Commerce Code, to the same extent as a |
|---|
| 264 | 264 | | person who conducts business in this state; and |
|---|
| 265 | 265 | | (2) not later than 48 hours after the discovery of the |
|---|
| 266 | 266 | | breach, suspected breach, or unauthorized exposure, notify: |
|---|
| 267 | 267 | | (A) the Texas Homeland Security Division of the |
|---|
| 268 | 268 | | Department of Public Safety; |
|---|
| 269 | 269 | | (B) the department, including the chief |
|---|
| 270 | 270 | | information security officer; and |
|---|
| 271 | 271 | | (C) [or (B)] if the breach, suspected breach, or |
|---|
| 272 | 272 | | unauthorized exposure involves election data, the secretary of |
|---|
| 273 | 273 | | state. |
|---|
| 274 | 274 | | (d) The Texas Homeland Security Division of the Department |
|---|
| 275 | 275 | | of Public Safety shall notify the governor of any breach or |
|---|
| 276 | 276 | | suspected breach reported to the division under this section. |
|---|
| 277 | 277 | | (e) The administrative head of a state agency commits an |
|---|
| 278 | 278 | | offense if the person intentionally or knowingly fails to notify |
|---|
| 279 | 279 | | the Texas Homeland Security Division of the Department of Public |
|---|
| 280 | 280 | | Safety of a breach, suspected breach, or unauthorized exposure, as |
|---|
| 281 | 281 | | required by Subsection (b)(2)(A). An offense under this subsection |
|---|
| 282 | 282 | | is a Class C misdemeanor. |
|---|
| 283 | 283 | | SECTION 9. Section 2054.133(f), Government Code, is amended |
|---|
| 284 | 284 | | to read as follows: |
|---|
| 285 | 285 | | (f) Not later than November 15 of each even-numbered year, |
|---|
| 286 | 286 | | the department shall submit a written report to the governor, the |
|---|
| 287 | 287 | | lieutenant governor, and each standing committee of the legislature |
|---|
| 288 | 288 | | with primary jurisdiction over matters related to the department |
|---|
| 289 | 289 | | evaluating information security for this state's information |
|---|
| 290 | 290 | | resources. In preparing the report, the department shall consider |
|---|
| 291 | 291 | | the information security plans submitted by state agencies under |
|---|
| 292 | 292 | | this section, any vulnerability reports submitted under Section |
|---|
| 293 | 293 | | 2054.077, any relevant information provided by the Texas Homeland |
|---|
| 294 | 294 | | Security Division of the Department of Public Safety, and other |
|---|
| 295 | 295 | | available information regarding the security of this state's |
|---|
| 296 | 296 | | information resources. The department shall omit from any written |
|---|
| 297 | 297 | | copies of the report information that could expose specific |
|---|
| 298 | 298 | | vulnerabilities in the security of this state's information |
|---|
| 299 | 299 | | resources. |
|---|
| 300 | 300 | | SECTION 10. Section 2054.511, Government Code, is amended |
|---|
| 301 | 301 | | to read as follows: |
|---|
| 302 | 302 | | Sec. 2054.511. CYBERSECURITY COORDINATOR. (a) The |
|---|
| 303 | 303 | | executive director shall designate an employee of the department as |
|---|
| 304 | 304 | | the state cybersecurity coordinator to oversee cybersecurity |
|---|
| 305 | 305 | | matters for this state. |
|---|
| 306 | 306 | | (b) The director of the Texas Homeland Security Division of |
|---|
| 307 | 307 | | the Department of Public Safety and the cybersecurity coordinator |
|---|
| 308 | 308 | | shall jointly improve the efficacy and efficiency of this state's |
|---|
| 309 | 309 | | response to and investigations of cyber attacks occurring in this |
|---|
| 310 | 310 | | state. |
|---|
| 311 | 311 | | SECTION 11. Section 2054.512(b), Government Code, is |
|---|
| 312 | 312 | | amended to read as follows: |
|---|
| 313 | 313 | | (b) The cybersecurity council must include: |
|---|
| 314 | 314 | | (1) one member who is an employee of the office of the |
|---|
| 315 | 315 | | governor; |
|---|
| 316 | 316 | | (2) one member of the senate appointed by the |
|---|
| 317 | 317 | | lieutenant governor; |
|---|
| 318 | 318 | | (3) one member of the house of representatives |
|---|
| 319 | 319 | | appointed by the speaker of the house of representatives; |
|---|
| 320 | 320 | | (4) the director of the Texas Homeland Security |
|---|
| 321 | 321 | | Division of the Department of Public Safety; |
|---|
| 322 | 322 | | (5) one member who is an employee of the Elections |
|---|
| 323 | 323 | | Division of the Office of the Secretary of State; and |
|---|
| 324 | 324 | | (6) [(5)] additional members appointed by the state |
|---|
| 325 | 325 | | cybersecurity coordinator, including representatives of |
|---|
| 326 | 326 | | institutions of higher education and private sector leaders. |
|---|
| 327 | 327 | | SECTION 12. Section 2054.515(b), Government Code, as |
|---|
| 328 | 328 | | amended by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the |
|---|
| 329 | 329 | | 87th Legislature, Regular Session, 2021, is reenacted and amended |
|---|
| 330 | 330 | | to read as follows: |
|---|
| 331 | 331 | | (b) Not later than December 1 of the year [November 15 of |
|---|
| 332 | 332 | | each even-numbered year] in which a state agency conducts the |
|---|
| 333 | 333 | | assessment under Subsection (a) or the 60th day after the date the |
|---|
| 334 | 334 | | agency completes the assessment, whichever occurs first, the agency |
|---|
| 335 | 335 | | shall report the results of the assessment to: |
|---|
| 336 | 336 | | (1) the Texas Homeland Security Division of the |
|---|
| 337 | 337 | | Department of Public Safety; |
|---|
| 338 | 338 | | (2) the department; and |
|---|
| 339 | 339 | | (3) [(2)] on request, the governor, the lieutenant |
|---|
| 340 | 340 | | governor, and the speaker of the house of representatives. |
|---|
| 341 | 341 | | SECTION 13. Section 2054.518(a), Government Code, is |
|---|
| 342 | 342 | | amended to read as follows: |
|---|
| 343 | 343 | | (a) In consultation with the Texas Homeland Security |
|---|
| 344 | 344 | | Division of the Department of Public Safety, the [The] department |
|---|
| 345 | 345 | | shall develop a plan to address cybersecurity risks and incidents |
|---|
| 346 | 346 | | in this state. The department may enter into an agreement with a |
|---|
| 347 | 347 | | national organization, including the National Cybersecurity |
|---|
| 348 | 348 | | Preparedness Consortium, to support the department's efforts in |
|---|
| 349 | 349 | | implementing the components of the plan for which the department |
|---|
| 350 | 350 | | lacks resources to address internally. The agreement may include |
|---|
| 351 | 351 | | provisions for: |
|---|
| 352 | 352 | | (1) providing technical assistance services to |
|---|
| 353 | 353 | | support preparedness for and response to cybersecurity risks and |
|---|
| 354 | 354 | | incidents; |
|---|
| 355 | 355 | | (2) conducting cybersecurity simulation exercises for |
|---|
| 356 | 356 | | state agencies to encourage coordination in defending against and |
|---|
| 357 | 357 | | responding to cybersecurity risks and incidents; |
|---|
| 358 | 358 | | (3) assisting state agencies in developing |
|---|
| 359 | 359 | | cybersecurity information-sharing programs to disseminate |
|---|
| 360 | 360 | | information related to cybersecurity risks and incidents; and |
|---|
| 361 | 361 | | (4) incorporating cybersecurity risk and incident |
|---|
| 362 | 362 | | prevention and response methods into existing state emergency |
|---|
| 363 | 363 | | plans, including continuity of operation plans and incident |
|---|
| 364 | 364 | | response plans. |
|---|
| 365 | 365 | | SECTION 14. Subchapter F, Chapter 2270, Government Code, is |
|---|
| 366 | 366 | | amended by adding Section 2270.0254 to read as follows: |
|---|
| 367 | 367 | | Sec. 2270.0254. ADMINISTRATIVE PENALTY. The Department of |
|---|
| 368 | 368 | | Public Safety may impose an administrative penalty in the same |
|---|
| 369 | 369 | | manner and using the same procedures as Subchapter R, Chapter 411, |
|---|
| 370 | 370 | | against a person who violates this chapter. |
|---|
| 371 | 371 | | SECTION 15. Chapter 2274, Government Code, as added by |
|---|
| 372 | 372 | | Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular |
|---|
| 373 | 373 | | Session, 2021, is amended by adding Section 2274.0104 to read as |
|---|
| 374 | 374 | | follows: |
|---|
| 375 | 375 | | Sec. 2274.0104. ADMINISTRATIVE PENALTY. The Department of |
|---|
| 376 | 376 | | Public Safety may impose an administrative penalty in the same |
|---|
| 377 | 377 | | manner and using the same procedures as Subchapter R, Chapter 411, |
|---|
| 378 | 378 | | against a person who violates this chapter. |
|---|
| 379 | 379 | | SECTION 16. Section 205.010(a), Local Government Code, is |
|---|
| 380 | 380 | | amended by adding Subdivision (1-a) to read as follows: |
|---|
| 381 | 381 | | (1-a) "Local government" means a municipality, |
|---|
| 382 | 382 | | county, special district or authority, or any other political |
|---|
| 383 | 383 | | subdivision of this state. |
|---|
| 384 | 384 | | SECTION 17. Section 205.010, Local Government Code, is |
|---|
| 385 | 385 | | amended by adding Subsections (c), (d), and (e) to read as follows: |
|---|
| 386 | 386 | | (c) In addition to notifying the attorney general under |
|---|
| 387 | 387 | | Section 521.053, Business & Commerce Code, of a breach of system |
|---|
| 388 | 388 | | security, the local government shall report the breach to the Texas |
|---|
| 389 | 389 | | Homeland Security Division of the Department of Public Safety. The |
|---|
| 390 | 390 | | division shall notify the governor of a breach of system security |
|---|
| 391 | 391 | | reported to the division under this section. |
|---|
| 392 | 392 | | (d) Not later than the 10th business day after the date of |
|---|
| 393 | 393 | | the eradication, closure, and recovery from a breach, a local |
|---|
| 394 | 394 | | government shall notify the Department of Information Resources, |
|---|
| 395 | 395 | | including the chief information security officer, of the details of |
|---|
| 396 | 396 | | the event and include in the notification an analysis of the cause |
|---|
| 397 | 397 | | of the event. |
|---|
| 398 | 398 | | (e) The administrative head of a local government commits an |
|---|
| 399 | 399 | | offense if the person intentionally or knowingly fails to notify |
|---|
| 400 | 400 | | the Texas Homeland Security Division of the Department of Public |
|---|
| 401 | 401 | | Safety of a breach of system security as required by Subsection (c). |
|---|
| 402 | 402 | | An offense under this subsection is a Class C misdemeanor. |
|---|
| 403 | 403 | | SECTION 18. (a) Section 421.021(a), Government Code, as |
|---|
| 404 | 404 | | amended by Chapters 93 (S.B. 686), 616 (S.B. 1393), and 1217 (S.B. |
|---|
| 405 | 405 | | 1536), Acts of the 83rd Legislature, Regular Session, 2013, is |
|---|
| 406 | 406 | | repealed. |
|---|
| 407 | 407 | | (b) Section 421.021(c), Government Code, is repealed. |
|---|
| 408 | 408 | | SECTION 19. As soon as practicable after the Texas Homeland |
|---|
| 409 | 409 | | Security Division of the Department of Public Safety of the State of |
|---|
| 410 | 410 | | Texas is established, the division shall notify each state agency |
|---|
| 411 | 411 | | and local government of the requirements to notify the division of a |
|---|
| 412 | 412 | | breach of system security under Section 2054.1125, Government Code, |
|---|
| 413 | 413 | | as amended by this Act, and Section 205.010, Local Government Code, |
|---|
| 414 | 414 | | as amended by this Act, including the criminal penalties that may be |
|---|
| 415 | 415 | | imposed for failure to comply with those requirements. |
|---|
| 416 | 416 | | SECTION 20. It is the intent of the 88th Legislature, |
|---|
| 417 | 417 | | Regular Session, 2023, that the amendments made by this Act be |
|---|
| 418 | 418 | | harmonized with another Act of the 88th Legislature, Regular |
|---|
| 419 | 419 | | Session, 2023, relating to nonsubstantive additions to and |
|---|
| 420 | 420 | | corrections in enacted codes. |
|---|
| 421 | 421 | | SECTION 21. This Act takes effect September 1, 2023. |
|---|