By: Johnson, Campbell S.B. No. 1625
A BILL TO BE ENTITLED
AN ACT
relating to the reporting of certain security incidents by public
water systems to the Texas Commission on Environmental Quality and
the Department of Information Resources.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 341.033, Health and Safety Code, is
amended by amending Subsections (i) and (i-1) and adding Subsection
(i-2) to read as follows:
(i) An owner, agent, manager, operator, or other person in
charge of a public water supply system that furnishes water for
public or private use or a wastewater system that provides
wastewater services for public or private use shall maintain
internal procedures to notify the commission immediately of the
following events:
(1) [,] if the event may negatively impact the
production or delivery of safe and adequate drinking water:
(A) [(1)] an unusual or unexplained unauthorized
entry at property of the public water supply or wastewater system;
(B) [(2)] an act of terrorism against the public
water supply or wastewater system;
(C) [(3) an unauthorized attempt to probe for or
gain access to proprietary information that supports the key
activities of the public water supply or wastewater system;
[(4)] a theft of property that supports the key
activities of the public water supply or wastewater system;
(D) [(5)] a natural disaster, accident, or act
that results in damage to the public water supply or wastewater
system; or
(E) [(6)] for a nonindustrial public water
supply system, an unplanned condition that has caused a public
water supply outage or the public water supply system to issue a
do-not-use advisory, do-not-consume advisory, or boil water
notice; or
(2) a security incident during which:
(A) an unauthorized disclosure of sensitive
personal information, as defined by Section 521.002(a)(2)(A),
Business & Commerce Code, held by the public water supply or
wastewater system occurred;
(B) ransomware, as defined by Section 33.023,
Penal Code, was introduced into a computer, computer network, or
computer system of the public water supply or wastewater system;
(C) the public water supply or wastewater system
experienced an unauthorized attempt to probe for or gain access to
proprietary information that supports the key activities of the
system; or
(D) a computer, computer network, or computer
system problem disrupted the operation of the public water supply
or wastewater system.
(i-1) The commission may collaborate with the Texas
Division of Emergency Management in administering the notification
requirement in Subsection (i)(1)(E) [(i)(6)], including
determining the method by which the notifications are
provided. Subsection (i)(1)(E) [(i)(6)] does not require an
owner, agent, manager, operator, or other person in charge of a
nonindustrial public water supply system to provide notice of a
weather or emergency alert, warning, or watch issued by the
National Weather Service, the National Oceanic and Atmospheric
Administration, or the Texas Division of Emergency Management or a
successor federal or state agency.
(i-2) The commission shall establish and maintain
procedures to report each security incident described by Subsection
(i)(2) to the Department of Information Resources.
SECTION 2. This Act takes effect September 1, 2025.