89R9459 ANG-F
By: Sparks, Perry
S.B. No. 1034

A BILL TO BE ENTITLED
AN ACT
relating to cybersecurity for retail public utilities that provide water or sewer service.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 2054.0525, Government Code, is amended to read as follows:
Sec. 2054.0525. CUSTOMERS ELIGIBLE FOR DEPARTMENT SERVICES. If the executive director determines that participation is in the best interest of this state, the following entities are eligible customers for services the department provides:
    (1) a state agency;
    (2) a local government;
    (3) the legislature or a legislative agency;
    (4) the supreme court, the court of criminal appeals, or a court of appeals;
    (5) a public hospital owned or operated by this state or a political subdivision or municipal corporation of this state, including a hospital district or hospital authority;
    (6) an independent organization certified under Section 39.151, Utilities Code, for the ERCOT power region;
    (7) the Texas Permanent School Fund Corporation;
    (8) an assistance organization, as defined by Section 2175.001;
    (9) an open-enrollment charter school, as defined by Section 5.001, Education Code;
    (10) a private school, as defined by Section 5.001, Education Code;
    (11) a private or independent institution of higher education, as defined by Section 61.003, Education Code;
    (12) a public safety entity, as defined by 47 U.S.C. Section 1401;
    (13) a volunteer fire department, as defined by Section 152.001, Tax Code; [and]
    (14) a governmental entity of another state; and
    (15) a retail public utility, as defined by Section 13.002, Water Code.

SECTION 2. Section 2059.058, Government Code, is amended to read as follows:
Sec. 2059.058. AGREEMENT TO PROVIDE NETWORK SECURITY SERVICES TO ENTITIES OTHER THAN STATE AGENCIES.
In addition to the department's duty to provide network security services to state agencies under this chapter, the department by agreement may provide network security services to:
    (1) each house of the legislature and a legislative agency;
    (2) a local government;
    (3) the supreme court, the court of criminal appeals, or a court of appeals;
    (4) a public hospital owned or operated by this state or a political subdivision or municipal corporation of this state, including a hospital district or hospital authority;
    (5) the Texas Permanent School Fund Corporation;
    (6) an open-enrollment charter school, as defined by Section 5.001, Education Code;
    (7) a private school, as defined by Section 5.001, Education Code;
    (8) a private or independent institution of higher education, as defined by Section 61.003, Education Code;
    (9) a volunteer fire department, as defined by Section 152.001, Tax Code; [and]
    (10) an independent organization certified under Section 39.151, Utilities Code, for the ERCOT power region; and
    (11) a retail public utility, as defined by Section 13.002, Water Code.

SECTION 3. Chapter 13, Water Code, is amended by adding Subchapter O to read as follows:

SUBCHAPTER O. CYBERSECURITY REQUIREMENTS

Sec. 13.601. DEFINITIONS. In this subchapter:
    (1) "Center" means the Cyber Center for Security and Analytics at The University of Texas at San Antonio.
    (2) "Department" means the Department of Information Resources.

Sec. 13.602. CONNECTION BETWEEN SUPERVISORY CONTROL AND DATA ACQUISITION SYSTEM AND INTERNET PROHIBITED.
    (a) A retail public utility may not connect the retail public utility's supervisory control and data acquisition system, or another equivalent operational information technology infrastructure, to the Internet.
    (b) Notwithstanding Subsection (a), a supervisory control and data acquisition system or other equivalent operational information technology infrastructure may be operated by an intranet, site-to-site virtual private network.
    (c) The commission, in consultation with the department, shall adopt rules as necessary to implement this section.

Sec. 13.603. REQUIREMENTS AND CONTROLS.
    (a) The commission, in consultation with and as recommended by the department and the center, by rule shall adopt cybersecurity requirements for retail public utilities to require the authentication of a retail public utility employee's identification before granting the employee access to a retail public utility's network or information systems.
    (b) Not later than September 1 of each even-numbered year, the commission, in consultation with the department and the center, shall review and amend as necessary rules adopted under this section to ensure that the cybersecurity requirements continue to provide effective cybersecurity protection for retail public utilities.

Sec. 13.604. TRAINING. At least annually, a retail public utility shall:
    (1) identify any employees and officials who:
        (A) have access to the retail public utility's computer system or databases; or
        (B) use a computer to perform any of the employee's or official's required duties; and
    (2) require the employees and officials identified under Subdivision (1) to complete a cybersecurity training program certified under Section 2054.519, Government Code.

Sec. 13.605. SECURITY ASSESSMENT AND COMPLIANCE AUDIT.
    (a) The commission, the utility commission, or the department may require a retail public utility to conduct, in accordance with commission and department rules:
        (1) a security assessment of the retail public utility's:
            (A) information resource systems;
            (B) network systems;
            (C) digital data storage systems;
            (D) digital data security measures; or
            (E) information resources vulnerabilities; or
        (2) an audit of the retail public utility's compliance with this subchapter.
    (b) Not later than the 90th day after the date a retail public utility completes a security assessment or audit under Subsection (a), the retail public utility shall report the results of the assessment or audit to:
        (1) the commission;
        (2) the utility commission; and
        (3) the department.
    (c) A standing committee of the legislature with jurisdiction over cybersecurity or water service may request that the commission, the utility commission, or the department require an assessment or audit under Subsection (a) from a retail public utility.
    (d) The department shall provide to the center, and if applicable the standing committee of the legislature that requested the assessment or audit, access to each assessment or audit conducted under Subsection (a).
    (e) The department or the center may conduct a security assessment or audit required by this section on behalf of a retail public utility.
    (f) A retail public utility may contract with a person who is not the department or the center to conduct a security assessment or audit under this section.
    (g) Information contained in a report prepared under this section is confidential and not subject to disclosure under Chapter 552, Government Code.
    (h) The commission, in consultation with the department and the center, shall adopt rules as necessary to implement this section.

Sec. 13.606. SECURITY INCIDENT NOTIFICATION.
    (a) In this section:
        (1) "Confidential information" means information the disclosure of which is regulated by law.
        (2) "Sensitive personal information" has the meaning assigned by Section 521.002(a)(2)(A), Business & Commerce Code.
    (b) A retail public utility that owns, licenses, or maintains computerized data that includes sensitive personal information or other confidential information shall notify the commission, the utility commission, the department, and the center of a security incident, not later than 48 hours after the discovery of the incident, during which:
        (1) a person other than the retail public utility made an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information or other confidential information maintained by the retail public utility, including data that is encrypted if the person who acquired the data has the key required to decrypt the data;
        (2) ransomware, as defined by Section 33.023, Penal Code, was introduced into a computer, computer network, or computer system; or
        (3) unauthorized access of a computer information system or network led to a substantial loss of availability of the system or network or otherwise disrupted a retail public utility's ability to engage in business or deliver services.
    (c) Subsection (b)(1) does not apply to a good faith acquisition of data by an employee or agent of the retail public utility for the purposes of the retail public utility if the employee or agent does not use or disclose the data in an unauthorized manner.

SECTION 4. Not later than September 1, 2026, the Texas Commission on Environmental Quality and the Department of Information Resources shall adopt the rules necessary to implement the changes in law made by this Act.

SECTION 5. A retail public utility shall comply with Section 13.602, Water Code, as added by this Act, not later than September 1, 2027.

SECTION 6. This Act takes effect September 1, 2025.