| 1 | 1 | | 89R9459 ANG-F |
|---|
| 2 | 2 | | By: Sparks, Perry S.B. No. 1034 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | |
|---|
| 6 | 6 | | |
|---|
| 7 | 7 | | A BILL TO BE ENTITLED |
|---|
| 8 | 8 | | AN ACT |
|---|
| 9 | 9 | | relating to cybersecurity for retail public utilities that provide |
|---|
| 10 | 10 | | water or sewer service. |
|---|
| 11 | 11 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 12 | 12 | | SECTION 1. Section 2054.0525, Government Code, is amended |
|---|
| 13 | 13 | | to read as follows: |
|---|
| 14 | 14 | | Sec. 2054.0525. CUSTOMERS ELIGIBLE FOR DEPARTMENT |
|---|
| 15 | 15 | | SERVICES. If the executive director determines that participation |
|---|
| 16 | 16 | | is in the best interest of this state, the following entities are |
|---|
| 17 | 17 | | eligible customers for services the department provides: |
|---|
| 18 | 18 | | (1) a state agency; |
|---|
| 19 | 19 | | (2) a local government; |
|---|
| 20 | 20 | | (3) the legislature or a legislative agency; |
|---|
| 21 | 21 | | (4) the supreme court, the court of criminal appeals, |
|---|
| 22 | 22 | | or a court of appeals; |
|---|
| 23 | 23 | | (5) a public hospital owned or operated by this state |
|---|
| 24 | 24 | | or a political subdivision or municipal corporation of this state, |
|---|
| 25 | 25 | | including a hospital district or hospital authority; |
|---|
| 26 | 26 | | (6) an independent organization certified under |
|---|
| 27 | 27 | | Section 39.151, Utilities Code, for the ERCOT power region; |
|---|
| 28 | 28 | | (7) the Texas Permanent School Fund Corporation; |
|---|
| 29 | 29 | | (8) an assistance organization, as defined by Section |
|---|
| 30 | 30 | | 2175.001; |
|---|
| 31 | 31 | | (9) an open-enrollment charter school, as defined by |
|---|
| 32 | 32 | | Section 5.001, Education Code; |
|---|
| 33 | 33 | | (10) a private school, as defined by Section 5.001, |
|---|
| 34 | 34 | | Education Code; |
|---|
| 35 | 35 | | (11) a private or independent institution of higher |
|---|
| 36 | 36 | | education, as defined by Section 61.003, Education Code; |
|---|
| 37 | 37 | | (12) a public safety entity, as defined by 47 U.S.C. |
|---|
| 38 | 38 | | Section 1401; |
|---|
| 39 | 39 | | (13) a volunteer fire department, as defined by |
|---|
| 40 | 40 | | Section 152.001, Tax Code; [and] |
|---|
| 41 | 41 | | (14) a governmental entity of another state; and |
|---|
| 42 | 42 | | (15) a retail public utility, as defined by Section |
|---|
| 43 | 43 | | 13.002, Water Code. |
|---|
| 44 | 44 | | SECTION 2. Section 2059.058, Government Code, is amended to |
|---|
| 45 | 45 | | read as follows: |
|---|
| 46 | 46 | | Sec. 2059.058. AGREEMENT TO PROVIDE NETWORK SECURITY |
|---|
| 47 | 47 | | SERVICES TO ENTITIES OTHER THAN STATE AGENCIES. In addition to the |
|---|
| 48 | 48 | | department's duty to provide network security services to state |
|---|
| 49 | 49 | | agencies under this chapter, the department by agreement may |
|---|
| 50 | 50 | | provide network security services to: |
|---|
| 51 | 51 | | (1) each house of the legislature and a legislative |
|---|
| 52 | 52 | | agency; |
|---|
| 53 | 53 | | (2) a local government; |
|---|
| 54 | 54 | | (3) the supreme court, the court of criminal appeals, |
|---|
| 55 | 55 | | or a court of appeals; |
|---|
| 56 | 56 | | (4) a public hospital owned or operated by this state |
|---|
| 57 | 57 | | or a political subdivision or municipal corporation of this state, |
|---|
| 58 | 58 | | including a hospital district or hospital authority; |
|---|
| 59 | 59 | | (5) the Texas Permanent School Fund Corporation; |
|---|
| 60 | 60 | | (6) an open-enrollment charter school, as defined by |
|---|
| 61 | 61 | | Section 5.001, Education Code; |
|---|
| 62 | 62 | | (7) a private school, as defined by Section 5.001, |
|---|
| 63 | 63 | | Education Code; |
|---|
| 64 | 64 | | (8) a private or independent institution of higher |
|---|
| 65 | 65 | | education, as defined by Section 61.003, Education Code; |
|---|
| 66 | 66 | | (9) a volunteer fire department, as defined by Section |
|---|
| 67 | 67 | | 152.001, Tax Code; [and] |
|---|
| 68 | 68 | | (10) an independent organization certified under |
|---|
| 69 | 69 | | Section 39.151, Utilities Code, for the ERCOT power region; and |
|---|
| 70 | 70 | | (11) a retail public utility, as defined by Section |
|---|
| 71 | 71 | | 13.002, Water Code. |
|---|
| 72 | 72 | | SECTION 3. Chapter 13, Water Code, is amended by adding |
|---|
| 73 | 73 | | Subchapter O to read as follows: |
|---|
| 74 | 74 | | SUBCHAPTER O. CYBERSECURITY REQUIREMENTS |
|---|
| 75 | 75 | | Sec. 13.601. DEFINITIONS. In this subchapter: |
|---|
| 76 | 76 | | (1) "Center" means the Cyber Center for Security and |
|---|
| 77 | 77 | | Analytics at The University of Texas at San Antonio. |
|---|
| 78 | 78 | | (2) "Department" means the Department of Information |
|---|
| 79 | 79 | | Resources. |
|---|
| 80 | 80 | | Sec. 13.602. CONNECTION BETWEEN SUPERVISORY CONTROL AND |
|---|
| 81 | 81 | | DATA ACQUISITION SYSTEM AND INTERNET PROHIBITED. (a) A retail |
|---|
| 82 | 82 | | public utility may not connect the retail public utility's |
|---|
| 83 | 83 | | supervisory control and data acquisition system, or another |
|---|
| 84 | 84 | | equivalent operational information technology infrastructure, to |
|---|
| 85 | 85 | | the Internet. |
|---|
| 86 | 86 | | (b) Notwithstanding Subsection (a), a supervisory control |
|---|
| 87 | 87 | | and data acquisition system or other equivalent operational |
|---|
| 88 | 88 | | information technology infrastructure may be operated by an |
|---|
| 89 | 89 | | intranet, site-to-site virtual private network. |
|---|
| 90 | 90 | | (c) The commission, in consultation with the department, |
|---|
| 91 | 91 | | shall adopt rules as necessary to implement this section. |
|---|
| 92 | 92 | | Sec. 13.603. REQUIREMENTS AND CONTROLS. (a) The |
|---|
| 93 | 93 | | commission, in consultation with and as recommended by the |
|---|
| 94 | 94 | | department and the center, by rule shall adopt cybersecurity |
|---|
| 95 | 95 | | requirements for retail public utilities to require the |
|---|
| 96 | 96 | | authentication of a retail public utility employee's |
|---|
| 97 | 97 | | identification before granting the employee access to a retail |
|---|
| 98 | 98 | | public utility's network or information systems. |
|---|
| 99 | 99 | | (b) Not later than September 1 of each even-numbered year, |
|---|
| 100 | 100 | | the commission, in consultation with the department and the center, |
|---|
| 101 | 101 | | shall review and amend as necessary rules adopted under this |
|---|
| 102 | 102 | | section to ensure that the cybersecurity requirements continue to |
|---|
| 103 | 103 | | provide effective cybersecurity protection for retail public |
|---|
| 104 | 104 | | utilities. |
|---|
| 105 | 105 | | Sec. 13.604. TRAINING. At least annually, a retail public |
|---|
| 106 | 106 | | utility shall: |
|---|
| 107 | 107 | | (1) identify any employees and officials who: |
|---|
| 108 | 108 | | (A) have access to the retail public utility's |
|---|
| 109 | 109 | | computer system or databases; or |
|---|
| 110 | 110 | | (B) use a computer to perform any of the |
|---|
| 111 | 111 | | employee's or official's required duties; and |
|---|
| 112 | 112 | | (2) require the employees and officials identified |
|---|
| 113 | 113 | | under Subdivision (1) to complete a cybersecurity training program |
|---|
| 114 | 114 | | certified under Section 2054.519, Government Code. |
|---|
| 115 | 115 | | Sec. 13.605. SECURITY ASSESSMENT AND COMPLIANCE AUDIT. (a) |
|---|
| 116 | 116 | | The commission, the utility commission, or the department may |
|---|
| 117 | 117 | | require a retail public utility to conduct, in accordance with |
|---|
| 118 | 118 | | commission and department rules: |
|---|
| 119 | 119 | | (1) a security assessment of the retail public |
|---|
| 120 | 120 | | utility's: |
|---|
| 121 | 121 | | (A) information resource systems; |
|---|
| 122 | 122 | | (B) network systems; |
|---|
| 123 | 123 | | (C) digital data storage systems; |
|---|
| 124 | 124 | | (D) digital data security measures; or |
|---|
| 125 | 125 | | (E) information resources vulnerabilities; or |
|---|
| 126 | 126 | | (2) an audit of the retail public utility's compliance |
|---|
| 127 | 127 | | with this subchapter. |
|---|
| 128 | 128 | | (b) Not later than the 90th day after the date a retail |
|---|
| 129 | 129 | | public utility completes a security assessment or audit under |
|---|
| 130 | 130 | | Subsection (a), the retail public utility shall report the results |
|---|
| 131 | 131 | | of the assessment or audit to: |
|---|
| 132 | 132 | | (1) the commission; |
|---|
| 133 | 133 | | (2) the utility commission; and |
|---|
| 134 | 134 | | (3) the department. |
|---|
| 135 | 135 | | (c) A standing committee of the legislature with |
|---|
| 136 | 136 | | jurisdiction over cybersecurity or water service may request that |
|---|
| 137 | 137 | | the commission, the utility commission, or the department require |
|---|
| 138 | 138 | | an assessment or audit under Subsection (a) from a retail public |
|---|
| 139 | 139 | | utility. |
|---|
| 140 | 140 | | (d) The department shall provide to the center, and if |
|---|
| 141 | 141 | | applicable the standing committee of the legislature that requested |
|---|
| 142 | 142 | | the assessment or audit, access to each assessment or audit |
|---|
| 143 | 143 | | conducted under Subsection (a). |
|---|
| 144 | 144 | | (e) The department or the center may conduct a security |
|---|
| 145 | 145 | | assessment or audit required by this section on behalf of a retail |
|---|
| 146 | 146 | | public utility. |
|---|
| 147 | 147 | | (f) A retail public utility may contract with a person who |
|---|
| 148 | 148 | | is not the department or the center to conduct a security assessment |
|---|
| 149 | 149 | | or audit under this section. |
|---|
| 150 | 150 | | (g) Information contained in a report prepared under this |
|---|
| 151 | 151 | | section is confidential and not subject to disclosure under Chapter |
|---|
| 152 | 152 | | 552, Government Code. |
|---|
| 153 | 153 | | (h) The commission, in consultation with the department and |
|---|
| 154 | 154 | | the center, shall adopt rules as necessary to implement this |
|---|
| 155 | 155 | | section. |
|---|
| 156 | 156 | | Sec. 13.606. SECURITY INCIDENT NOTIFICATION. (a) In this |
|---|
| 157 | 157 | | section: |
|---|
| 158 | 158 | | (1) "Confidential information" means information the |
|---|
| 159 | 159 | | disclosure of which is regulated by law. |
|---|
| 160 | 160 | | (2) "Sensitive personal information" has the meaning |
|---|
| 161 | 161 | | assigned by Section 521.002(a)(2)(A), Business & Commerce Code. |
|---|
| 162 | 162 | | (b) A retail public utility that owns, licenses, or |
|---|
| 163 | 163 | | maintains computerized data that includes sensitive personal |
|---|
| 164 | 164 | | information or other confidential information shall notify the |
|---|
| 165 | 165 | | commission, the utility commission, the department, and the center |
|---|
| 166 | 166 | | of a security incident, not later than 48 hours after the discovery |
|---|
| 167 | 167 | | of the incident, during which: |
|---|
| 168 | 168 | | (1) a person other than the retail public utility made |
|---|
| 169 | 169 | | an unauthorized acquisition of computerized data that compromises |
|---|
| 170 | 170 | | the security, confidentiality, or integrity of sensitive personal |
|---|
| 171 | 171 | | information or other confidential information maintained by the |
|---|
| 172 | 172 | | retail public utility, including data that is encrypted if the |
|---|
| 173 | 173 | | person who acquired the data has the key required to decrypt the |
|---|
| 174 | 174 | | data; |
|---|
| 175 | 175 | | (2) ransomware, as defined by Section 33.023, Penal |
|---|
| 176 | 176 | | Code, was introduced into a computer, computer network, or computer |
|---|
| 177 | 177 | | system; or |
|---|
| 178 | 178 | | (3) unauthorized access of a computer information |
|---|
| 179 | 179 | | system or network led to a substantial loss of availability of the |
|---|
| 180 | 180 | | system or network or otherwise disrupted a retail public utility's |
|---|
| 181 | 181 | | ability to engage in business or deliver services. |
|---|
| 182 | 182 | | (c) Subsection (b)(1) does not apply to a good faith |
|---|
| 183 | 183 | | acquisition of data by an employee or agent of the retail public |
|---|
| 184 | 184 | | utility for the purposes of the retail public utility if the |
|---|
| 185 | 185 | | employee or agent does not use or disclose the data in an |
|---|
| 186 | 186 | | unauthorized manner. |
|---|
| 187 | 187 | | SECTION 4. Not later than September 1, 2026, the Texas |
|---|
| 188 | 188 | | Commission on Environmental Quality and the Department of |
|---|
| 189 | 189 | | Information Resources shall adopt the rules necessary to implement |
|---|
| 190 | 190 | | the changes in law made by this Act. |
|---|
| 191 | 191 | | SECTION 5. A retail public utility shall comply with |
|---|
| 192 | 192 | | Section 13.602, Water Code, as added by this Act, not later than |
|---|
| 193 | 193 | | September 1, 2027. |
|---|
| 194 | 194 | | SECTION 6. This Act takes effect September 1, 2025. |
|---|