BILL ANALYSIS Senate Research Center S.B. 1625 89R9072 ANG-D By: Johnson Business & Commerce 4/1/2025 As Filed AUTHOR'S / SPONSOR'S STATEMENT OF INTENT Currently, Texas law requires operators and managers of public water supplies to notify the Texas Commission on Environmental Quality (TCEQ) of certain security incidents regarding the public water supply. One of these incidents describes a situation that involves an unauthorized attempt to probe for or gain access to proprietary information about the water supply. S.B. 1625 would add cybersecurity threats to the list of incidents that require notification to TCEQ. Including these cyber threats in the list of incidents that operators of public water supplies must report to TCEQ helps keep the public aware of threats to the water supply and ultimately helps keep the public safe. S.B. 1625 would expand the notification requirements to include specific cybersecurity threats to the public water supply, such as unauthorized information disclosure and ransomware attacks. As proposed, S.B. 1625 amends current law relating to the reporting of certain security incidents by public water systems to the Texas Commission on Environmental Quality and the Department of Information Resources. RULEMAKING AUTHORITY This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency. SECTION BY SECTION ANALYSIS SECTION 1. Amends Section 341.033, Health and Safety Code, by amending Subsections (i) and (i-1) and adding Subsection (i-2), as follows: (i) Requires an owner, agent, manager, operator, or other person in charge of a public water supply system that furnishes water for public or private use or a wastewater system that provides wastewater services for public or private use to maintain internal procedures to notify the Texas Commission on Environmental Quality (TCEQ) immediately of the following events: (1) creates this subdivision from existing text and deletes existing text requiring the person to notify TCEQ immediately of an unauthorized attempt to probe for or gain access to proprietary information that supports the key activities of the public water supply or wastewater system if the attempt may negatively impact the production or delivery of safe and adequate drinking water; or (2) a security incident during which: (A) an unauthorized disclosure of sensitive personal information, as defined by Section 521.002(a)(2)(A) (relating to defining "sensitive personal information"), Business & Commerce Code, held by the public water supply or wastewater system occurred; (B) ransomware, as defined by Section 33.023 (Electronic Data Tampering), Penal Code, was introduced into a computer, computer network, or computer system of the public water supply or wastewater system; (C) the public water supply or wastewater system experienced an unauthorized attempt to probe for or gain access to proprietary information that supports the key activities of the system; or (D) a computer, computer network, or computer system problem disrupted the operation of the public water supply or wastewater system. Makes nonsubstantive changes to this subsection. (i-1) Makes conforming changes to this subsection. (i-2) Requires TCEQ to establish and maintain procedures to report each security incident described by Subsection (i)(2) to the Department of Information Resources. SECTION 2. Effective date: September 1, 2025.
BILL ANALYSIS
Senate Research Center S.B. 1625
89R9072 ANG-D By: Johnson
Business & Commerce
4/1/2025
As Filed
Senate Research Center
S.B. 1625
89R9072 ANG-D
By: Johnson
Business & Commerce
4/1/2025
As Filed
AUTHOR'S / SPONSOR'S STATEMENT OF INTENT
Currently, Texas law requires operators and managers of public water supplies to notify the Texas Commission on Environmental Quality (TCEQ) of certain security incidents regarding the public water supply. One of these incidents describes a situation that involves an unauthorized attempt to probe for or gain access to proprietary information about the water supply.
S.B. 1625 would add cybersecurity threats to the list of incidents that require notification to TCEQ. Including these cyber threats in the list of incidents that operators of public water supplies must report to TCEQ helps keep the public aware of threats to the water supply and ultimately helps keep the public safe.
S.B. 1625 would expand the notification requirements to include specific cybersecurity threats to the public water supply, such as unauthorized information disclosure and ransomware attacks.
As proposed, S.B. 1625 amends current law relating to the reporting of certain security incidents by public water systems to the Texas Commission on Environmental Quality and the Department of Information Resources.
RULEMAKING AUTHORITY
This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.
SECTION BY SECTION ANALYSIS
SECTION 1. Amends Section 341.033, Health and Safety Code, by amending Subsections (i) and (i-1) and adding Subsection (i-2), as follows:
(i) Requires an owner, agent, manager, operator, or other person in charge of a public water supply system that furnishes water for public or private use or a wastewater system that provides wastewater services for public or private use to maintain internal procedures to notify the Texas Commission on Environmental Quality (TCEQ) immediately of the following events:
(1) creates this subdivision from existing text and deletes existing text requiring the person to notify TCEQ immediately of an unauthorized attempt to probe for or gain access to proprietary information that supports the key activities of the public water supply or wastewater system if the attempt may negatively impact the production or delivery of safe and adequate drinking water; or
(2) a security incident during which:
(A) an unauthorized disclosure of sensitive personal information, as defined by Section 521.002(a)(2)(A) (relating to defining "sensitive personal information"), Business & Commerce Code, held by the public water supply or wastewater system occurred;
(B) ransomware, as defined by Section 33.023 (Electronic Data Tampering), Penal Code, was introduced into a computer, computer network, or computer system of the public water supply or wastewater system;
(C) the public water supply or wastewater system experienced an unauthorized attempt to probe for or gain access to proprietary information that supports the key activities of the system; or
(D) a computer, computer network, or computer system problem disrupted the operation of the public water supply or wastewater system.
Makes nonsubstantive changes to this subsection.
(i-1) Makes conforming changes to this subsection.
(i-2) Requires TCEQ to establish and maintain procedures to report each security incident described by Subsection (i)(2) to the Department of Information Resources.
SECTION 2. Effective date: September 1, 2025.