| 1 | 1 | | 89R9729 SCR-D |
|---|
| 2 | 2 | | By: Blanco S.B. No. 2610 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | |
|---|
| 6 | 6 | | |
|---|
| 7 | 7 | | A BILL TO BE ENTITLED |
|---|
| 8 | 8 | | AN ACT |
|---|
| 9 | 9 | | relating to civil liability of business entities in connection with |
|---|
| 10 | 10 | | a breach of system security. |
|---|
| 11 | 11 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 12 | 12 | | SECTION 1. Subtitle C, Title 11, Business & Commerce Code, |
|---|
| 13 | 13 | | is amended by adding Chapter 542 to read as follows: |
|---|
| 14 | 14 | | CHAPTER 542. CYBERSECURITY PROGRAM |
|---|
| 15 | 15 | | Sec. 542.001. DEFINITIONS. In this chapter: |
|---|
| 16 | 16 | | (1) "Breach of system security" has the meaning |
|---|
| 17 | 17 | | assigned by Section 521.053. |
|---|
| 18 | 18 | | (2) "Personal identifying information" and "sensitive |
|---|
| 19 | 19 | | personal information" have the meanings assigned by Section |
|---|
| 20 | 20 | | 521.002. |
|---|
| 21 | 21 | | Sec. 542.002. APPLICABILITY OF CHAPTER. This chapter |
|---|
| 22 | 22 | | applies to a business entity in this state that owns or licenses |
|---|
| 23 | 23 | | computerized data that includes sensitive personal information. |
|---|
| 24 | 24 | | Sec. 542.003. LIABILITY FOR DATA BREACH. If a business |
|---|
| 25 | 25 | | entity fails to implement reasonable cybersecurity controls and |
|---|
| 26 | 26 | | that failure results in a breach of system security, the business |
|---|
| 27 | 27 | | entity is liable to a person whose sensitive personal information |
|---|
| 28 | 28 | | was stolen in the breach and who suffered economic harm as a result |
|---|
| 29 | 29 | | of the theft of the information. |
|---|
| 30 | 30 | | Sec. 542.004. INDUSTRY STANDARD CYBERSECURITY PROGRAM. (a) |
|---|
| 31 | 31 | | For purposes of Section 542.003, a business entity has implemented |
|---|
| 32 | 32 | | reasonable cybersecurity controls if the entity has created and |
|---|
| 33 | 33 | | maintained a cybersecurity program: |
|---|
| 34 | 34 | | (1) that contains administrative, technical, and |
|---|
| 35 | 35 | | physical safeguards for the protection of personal identifying |
|---|
| 36 | 36 | | information and sensitive personal information; |
|---|
| 37 | 37 | | (2) that conforms to an industry recognized |
|---|
| 38 | 38 | | cybersecurity framework as described by Subsection (b); |
|---|
| 39 | 39 | | (3) that is designed to: |
|---|
| 40 | 40 | | (A) protect the security of personal identifying |
|---|
| 41 | 41 | | information and sensitive personal information; |
|---|
| 42 | 42 | | (B) protect against any threat or hazard to the |
|---|
| 43 | 43 | | integrity of personal identifying information and sensitive |
|---|
| 44 | 44 | | personal information; and |
|---|
| 45 | 45 | | (C) protect against unauthorized access to or |
|---|
| 46 | 46 | | acquisition of personal identifying information and sensitive |
|---|
| 47 | 47 | | personal information that would result in a material risk of |
|---|
| 48 | 48 | | identity theft or other fraud to the individual to whom the |
|---|
| 49 | 49 | | information relates; and |
|---|
| 50 | 50 | | (4) the scale and scope of which meets the |
|---|
| 51 | 51 | | requirements of Subsection (d). |
|---|
| 52 | 52 | | (b) A cybersecurity program under this section conforms to |
|---|
| 53 | 53 | | an industry recognized cybersecurity framework for purposes of this |
|---|
| 54 | 54 | | section if the program conforms to: |
|---|
| 55 | 55 | | (1) a current version of or any combination of current |
|---|
| 56 | 56 | | versions of the following, as determined by the Department of |
|---|
| 57 | 57 | | Public Safety: |
|---|
| 58 | 58 | | (A) the Framework for Improving Critical |
|---|
| 59 | 59 | | Infrastructure Cybersecurity published by the National Institute |
|---|
| 60 | 60 | | of Standards and Technology (NIST); |
|---|
| 61 | 61 | | (B) the NIST's special publication 800-171; |
|---|
| 62 | 62 | | (C) the NIST's special publications 800-53 and |
|---|
| 63 | 63 | | 800-53a; |
|---|
| 64 | 64 | | (D) the Federal Risk and Authorization |
|---|
| 65 | 65 | | Management Program's FedRAMP Security Assessment Framework; |
|---|
| 66 | 66 | | (E) the Center for Internet Security Critical |
|---|
| 67 | 67 | | Security Controls for Effective Cyber Defense; |
|---|
| 68 | 68 | | (F) the ISO/IEC 27000-series information |
|---|
| 69 | 69 | | security standards published by the International Organization for |
|---|
| 70 | 70 | | Standardization and the International Electrotechnical Commission; |
|---|
| 71 | 71 | | (G) the Health Information Trust Alliance's |
|---|
| 72 | 72 | | Common Security Framework; |
|---|
| 73 | 73 | | (H) the Secure Controls Framework; |
|---|
| 74 | 74 | | (I) the Service Organization Control Type 2 |
|---|
| 75 | 75 | | Framework; or |
|---|
| 76 | 76 | | (J) other similar frameworks or standards of the |
|---|
| 77 | 77 | | cybersecurity industry; |
|---|
| 78 | 78 | | (2) if the business entity is subject to its |
|---|
| 79 | 79 | | requirements, the current version of the following, as determined |
|---|
| 80 | 80 | | by the Department of Public Safety: |
|---|
| 81 | 81 | | (A) the Health Insurance Portability and |
|---|
| 82 | 82 | | Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.); |
|---|
| 83 | 83 | | (B) Title V, Gramm-Leach-Bliley Act (15 U.S.C. |
|---|
| 84 | 84 | | Section 6801 et seq.); |
|---|
| 85 | 85 | | (C) the Federal Information Security |
|---|
| 86 | 86 | | Modernization Act of 2014 (Pub. L. No. 113-283); or |
|---|
| 87 | 87 | | (D) the Health Information Technology for |
|---|
| 88 | 88 | | Economic and Clinical Health Act (Division A, Title XIII, and |
|---|
| 89 | 89 | | Division B, Title IV, Pub. L. No. 111-5); and |
|---|
| 90 | 90 | | (3) if applicable to the business entity, a current |
|---|
| 91 | 91 | | version of the Payment Card Industry Data Security Standard, as |
|---|
| 92 | 92 | | determined by the Department of Public Safety. |
|---|
| 93 | 93 | | (c) If any standard described by Subsection (b)(1) is |
|---|
| 94 | 94 | | published and updated, a business entity's cybersecurity program |
|---|
| 95 | 95 | | continues to meet the requirements of a program under this section |
|---|
| 96 | 96 | | if the entity updates the program to meet the updated standard not |
|---|
| 97 | 97 | | later than the 180th day after the date on which the standard is |
|---|
| 98 | 98 | | published. |
|---|
| 99 | 99 | | (d) The scale and scope of a cybersecurity program under |
|---|
| 100 | 100 | | this section must be based on: |
|---|
| 101 | 101 | | (1) the size and complexity of the business entity; |
|---|
| 102 | 102 | | (2) the nature and scope of the activities of the |
|---|
| 103 | 103 | | business entity; |
|---|
| 104 | 104 | | (3) the sensitivity of the personal identifying |
|---|
| 105 | 105 | | information or sensitive personal information; and |
|---|
| 106 | 106 | | (4) the cost and availability of tools to improve |
|---|
| 107 | 107 | | information security and reduce vulnerabilities. |
|---|
| 108 | 108 | | Sec. 542.005. AUTHORITY OF ATTORNEY GENERAL NOT AFFECTED. |
|---|
| 109 | 109 | | This chapter may not be construed to limit the authority of the |
|---|
| 110 | 110 | | attorney general to seek any legal or equitable remedy under the |
|---|
| 111 | 111 | | laws of this state. |
|---|
| 112 | 112 | | Sec. 542.006. CLASS ACTION CERTIFICATION NOT AFFECTED. |
|---|
| 113 | 113 | | This chapter does not affect the certification of an action as a |
|---|
| 114 | 114 | | class action. |
|---|
| 115 | 115 | | SECTION 2. Section 542.003, Business & Commerce Code, as |
|---|
| 116 | 116 | | added by this Act, applies only to a cause of action that accrues on |
|---|
| 117 | 117 | | or after the effective date of this Act. |
|---|
| 118 | 118 | | SECTION 3. This Act takes effect September 1, 2025. |
|---|