Texas 2023 - 88th Regular

Texas Senate Bill SB271 Compare Versions

S.B. No. 271

AN ACT
relating to state agency and local government security incident
procedures.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 2054.1125, Government Code, is
transferred to Subchapter R, Chapter 2054, Government Code,
redesignated as Section 2054.603, Government Code, and amended to
read as follows:
Sec. 2054.603 [2054.1125]. SECURITY INCIDENT [BREACH]
NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this
section:
(1) "Security incident" means:
(A) a breach or suspected breach ["Breach] of
system security as defined [security" has the meaning assigned] by
Section 521.053, Business & Commerce Code; and
(B) the introduction of ransomware, as defined by
Section 33.023, Penal Code, into a computer, computer network, or
computer system.
(2) "Sensitive personal information" has the meaning
assigned by Section 521.002, Business & Commerce Code.
(b) A state agency or local government that owns, licenses,
or maintains computerized data that includes sensitive personal
information, confidential information, or information the
disclosure of which is regulated by law shall, in the event of a
security incident [breach or suspected breach of system security or
an unauthorized exposure of that information]:
(1) comply with the notification requirements of
Section 521.053, Business & Commerce Code, to the same extent as a
person who conducts business in this state; [and]
(2) not later than 48 hours after the discovery of the
security incident [breach, suspected breach, or unauthorized
exposure], notify:
(A) the department, including the chief
information security officer; or
(B) if the security incident [breach, suspected
breach, or unauthorized exposure] involves election data, the
secretary of state; and
(3) comply with all department rules relating to
reporting security incidents as required by this section.
(c) Not later than the 10th business day after the date of
the eradication, closure, and recovery from a security incident
[breach, suspected breach, or unauthorized exposure], a state
agency or local government shall notify the department, including
the chief information security officer, of the details of the
security incident [event] and include in the notification an
analysis of the cause of the security incident [event].
(d) This section does not apply to a security incident that
a local government is required to report to an independent
organization certified by the Public Utility Commission of Texas
under Section 39.151, Utilities Code.
SECTION 2. This Act takes effect September 1, 2023.
______________________________ ______________________________
President of the Senate Speaker of the House
I hereby certify that S.B. No. 271 passed the Senate on
March 21, 2023, by the following vote: Yeas 31, Nays 0.
______________________________
Secretary of the Senate
I hereby certify that S.B. No. 271 passed the House on
May 6, 2023, by the following vote: Yeas 134, Nays 2, one present
not voting.
______________________________
Chief Clerk of the House
Approved:
______________________________
Date
______________________________
Governor