Bill Text: TX SB2377 | 2023-2024 | 88th Legislature | Introduced
Bill Title: Relating to homeland security, including the creation of the Texas Homeland Security Division in the Department of Public Safety, the operations of the Homeland Security Council, the creation of a homeland security fusion center, and the duties of state agencies and local governments in preparing for, reporting, and responding to cybersecurity breaches; providing administrative penalties; creating criminal offenses.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2023-03-23 - Referred to Border Security [SB2377 Detail]
Download: Texas-2023-SB2377-Introduced.html
| 88R2127 JCG-D | ||
| By: Campbell | S.B. No. 2377 | |
|
|
||
|
|
||
| relating to homeland security, including the creation of the Texas | ||
| Homeland Security Division in the Department of Public Safety, the | ||
| operations of the Homeland Security Council, the creation of a | ||
| homeland security fusion center, and the duties of state agencies | ||
| and local governments in preparing for, reporting, and responding | ||
| to cybersecurity breaches; providing administrative penalties; | ||
| creating criminal offenses. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. (a) The legislature finds that the federal | ||
| government's inadequate border security measures, the trafficking | ||
| of fentanyl across the borders of this state, Central America's | ||
| turn towards authoritarian regimes, China's hostile rhetoric | ||
| regarding Taiwan, and Russia's invasion of Ukraine create an | ||
| ever-changing threat landscape to the security of this state. | ||
| (b) Due to these continuous threats, this state must | ||
| continue taking serious measures to secure its critical | ||
| infrastructure, cyber networks, and border and monitor security | ||
| threats from hostile nations and non-state actors. | ||
| (c) These present and future threats require this state to | ||
| create a unified security organization under the Department of | ||
| Public Safety of the State of Texas whose sole mission is to | ||
| safeguard the people and infrastructure that make this state great. | ||
| (d) The Texas Homeland Security Division, as established by | ||
| this Act, will unify this state's security responsibilities into | ||
| one entity that reports directly to the governor and the public | ||
| safety director of the Department of Public Safety of the State of | ||
| Texas. | ||
| SECTION 2. Chapter 411, Government Code, is amended by | ||
| adding Subchapter S to read as follows: | ||
| SUBCHAPTER S. TEXAS HOMELAND SECURITY DIVISION | ||
| Sec. 411.551. DEFINITIONS. In this subchapter: | ||
| (1) "Division" means the Texas Homeland Security | ||
| Division established in the department under this subchapter. | ||
| (2) "Division director" means the director of the | ||
| Texas Homeland Security Division appointed under this subchapter. | ||
| Sec. 411.552. ESTABLISHMENT; DIRECTOR; EMPLOYEES. (a) The | ||
| Texas Homeland Security Division is established in the department. | ||
| (b) Notwithstanding Section 411.006(a)(6), the public | ||
| safety director shall appoint, with the advice and consent of the | ||
| governor, a homeland security director to manage the division. | ||
| (c) The division director may hire employees as necessary to | ||
| carry out the duties of the division. | ||
| Sec. 411.553. GENERAL DUTIES. The division shall, in | ||
| consultation with the governor: | ||
| (1) develop and implement strategic homeland security | ||
| operations; and | ||
| (2) unify governmental activities and | ||
| responsibilities related to homeland security under the direction | ||
| of the division. | ||
| Sec. 411.554. BORDER SECURITY: INTELLIGENCE. (a) The | ||
| division shall coordinate with the Texas Military Department, state | ||
| and local law enforcement agencies, federal agencies, and any other | ||
| entity the division determines appropriate to secure the | ||
| international border. | ||
| (b) In coordinating with the entities described by | ||
| Subsection (a), the division shall: | ||
| (1) collect, analyze, and provide intelligence for | ||
| each major operation to secure the international border, including | ||
| consulting with the Texas Military Department and other appropriate | ||
| agencies that collect, analyze, or provide intelligence to the | ||
| governor, the department, and other entities deployed on major | ||
| operations; | ||
| (2) make recommendations on essential tasks and | ||
| desired results for each element of a major operation; | ||
| (3) provide augmented equipment and personnel for a | ||
| major operation; and | ||
| (4) conduct periodic internal reviews of | ||
| interoperability among agencies deployed on a major operation and | ||
| make available reports on subsequent efforts to improve | ||
| interoperability. | ||
| (c) Each month, the division shall provide a report to the | ||
| governor on the major operations conducted by this state to secure | ||
| the international border. | ||
| Sec. 411.555. BORDER SECURITY: GRANT RECOMMENDATIONS. The | ||
| division shall advise the criminal justice division of the | ||
| governor's office on the allocation of grants under the prosecution | ||
| of border crime grant program established under Section 772.0071. | ||
| Sec. 411.556. CRITICAL INFRASTRUCTURE AND POWER GRID. (a) | ||
| The division shall coordinate with federal, state, and local | ||
| agencies, and any other entity the division determines appropriate, | ||
| to protect the critical infrastructure of this state and the ERCOT | ||
| power grid from remote and physical attacks, including: | ||
| (1) oil and gas infrastructure, including: | ||
| (A) oil, gas, and chemical pipelines; | ||
| (B) oil and gas drilling sites; and | ||
| (C) oil, gas, and chemical production | ||
| facilities; | ||
| (2) electrical power generating facilities, | ||
| substations, switching stations, and electrical control centers; | ||
| (3) petroleum and alumina refineries and chemical, | ||
| polymer, and rubber manufacturing facilities; and | ||
| (4) water intake structures, water treatment | ||
| facilities, wastewater treatment plants, and pump stations. | ||
| (b) In coordinating the efforts of this state to secure | ||
| critical infrastructure and the ERCOT power grid, the division | ||
| shall cooperate with the Cybersecurity and Infrastructure Security | ||
| Agency, the United States Department of Energy, and the Homeland | ||
| Security Fusion Center. | ||
| Sec. 411.557. CRITICAL INFRASTRUCTURE: INVESTIGATION OF | ||
| CERTAIN PURCHASES. The division shall investigate any purchases of | ||
| substantial portions of land or infrastructure in this state by a | ||
| designated country, as that term is defined by Section 2274.0101, | ||
| as added by Chapter 975 (S.B. 2116), Acts of the 87th Legislature, | ||
| Regular Session, 2021. | ||
| Sec. 411.558. PROHIBITED EQUIPMENT REPORTS. At least | ||
| annually, the division shall issue a report to the governor, | ||
| lieutenant governor, members of the legislature, and all state | ||
| agencies identifying equipment that the United States Department of | ||
| Defense has prohibited entities that contract with the department | ||
| of defense from using. | ||
| Sec. 411.559. CYBERSECURITY: WEBSITE FOR REPORTING THREATS | ||
| AND ATTACKS. The division shall develop a secure Internet website | ||
| that is accessible by state agencies and local governments and | ||
| permits those entities to report to the division suspected | ||
| cybersecurity threats and attacks against those entities. | ||
| Sec. 411.560. BUDGET REQUESTS. (a) Not later than April 1 | ||
| of each even-numbered year, the division director shall submit to | ||
| the public safety director a request for appropriations that | ||
| estimates the cost of the division's operations. | ||
| (b) A request for appropriations described by Subsection | ||
| (a) may not be aggregated with any other appropriation request made | ||
| by the department when the request is submitted to a legislative | ||
| committee with jurisdiction over appropriations. | ||
| SECTION 3. Section 421.021, Government Code, is amended by | ||
| adding Subsection (a-1) to read as follows: | ||
| (a-1) The Homeland Security Council is composed of: | ||
| (1) the governor or the governor's designee; | ||
| (2) the lieutenant governor or the lieutenant | ||
| governor's designee; | ||
| (3) the director of the Texas Homeland Security | ||
| Division of the Department of Public Safety; and | ||
| (4) other persons appointed by the governor or | ||
| lieutenant governor. | ||
| SECTION 4. Section 421.023, Government Code, is amended by | ||
| amending Subsections (c) and (d) and adding Subsection (f) to read | ||
| as follows: | ||
| (c) The governor shall designate the director of the Texas | ||
| Homeland Security Division of the Department of Public Safety as | ||
| the presiding officer of the council. | ||
| (d) The council shall meet at the call of the presiding | ||
| officer [ |
||
| calendar year. | ||
| (f) The presiding officer shall appoint a secretary, who may | ||
| be a member of the council, to record meeting minutes and | ||
| attendance. | ||
| SECTION 5. Section 421.024, Government Code, is amended to | ||
| read as follows: | ||
| Sec. 421.024. DUTIES. The council shall advise the | ||
| governor on: | ||
| (1) the implementation of the governor's homeland | ||
| security strategy by state and local agencies and provide specific | ||
| suggestions for helping those agencies implement the strategy; | ||
| [ |
||
| (2) recommendations from the Texas Homeland Security | ||
| Division of the Department of Public Safety on improving the | ||
| security of this state; and | ||
| (3) other matters related to the planning, | ||
| development, coordination, and implementation of initiatives to | ||
| promote the governor's homeland security strategy. | ||
| SECTION 6. Chapter 421, Government Code, is amended by | ||
| adding Subchapter E-1 to read as follows: | ||
| SUBCHAPTER E-1. HOMELAND SECURITY FUSION CENTER | ||
| Sec. 421.0901. DEFINITIONS. In this subchapter: | ||
| (1) "Board" means the oversight board of the homeland | ||
| security fusion center. | ||
| (2) "Director" means the director of the Texas | ||
| Homeland Security Division of the Department of Public Safety. | ||
| Sec. 421.0902. HOMELAND SECURITY FUSION CENTER. (a) From | ||
| funds available for this purpose, the director may: | ||
| (1) establish the homeland security fusion center; and | ||
| (2) hire employees to operate the homeland security | ||
| fusion center. | ||
| (b) The homeland security fusion center shall: | ||
| (1) collect, receive, generate, and disseminate | ||
| intelligence critical for homeland security policy and homeland | ||
| security activities in this state, including the issuance of | ||
| relevant threat warnings; | ||
| (2) promote and improve intelligence sharing: | ||
| (A) among public safety and public service | ||
| agencies at the federal, state, local, and tribal levels; and | ||
| (B) with entities in the private sector operating | ||
| critical infrastructure and other key resources; | ||
| (3) otherwise support federal, state, local, and | ||
| tribal agencies and private organizations in preventing, preparing | ||
| for, responding to, and recovering from homeland security threats | ||
| and attacks; and | ||
| (4) maintain intelligence collected, received, or | ||
| generated in compliance with applicable state and federal law and | ||
| in a secure manner, including: | ||
| (A) providing appropriate security for a | ||
| facility that contains sensitive information; | ||
| (B) compartmentalizing sensitive information; | ||
| and | ||
| (C) adopting appropriate internal procedures for | ||
| the security of the facility and the information. | ||
| Sec. 421.0903. OVERSIGHT BOARD; QUALIFICATIONS; RULES. (a) | ||
| If the homeland security fusion center is established under Section | ||
| 421.0902, there is also established an oversight board that shall | ||
| govern the operations of the homeland security fusion center. | ||
| (b) The board is composed of: | ||
| (1) the director; | ||
| (2) the adjutant general; and | ||
| (3) other persons appointed by the director. | ||
| (c) The director serves as the chair of the board and the | ||
| adjutant general serves as the vice chair. | ||
| (d) A member of the board must have and maintain a secret | ||
| security clearance granted by the United States government. A | ||
| person who has applied for a secret security clearance and has been | ||
| granted an interim secret security clearance may serve as a member | ||
| of the board but may not be given access to classified information, | ||
| participate in a briefing involving classified information, or vote | ||
| on an issue involving classified information before the person is | ||
| granted a secret security clearance. | ||
| (e) The board may adopt rules, policies, and procedures for | ||
| the operation of the homeland security fusion center. | ||
| Sec. 421.0904. GIFTS, GRANTS, AND DONATIONS; DEDICATED | ||
| ACCOUNT. (a) The homeland security fusion center may accept gifts, | ||
| grants, and donations of any kind from any public or private source, | ||
| including services or property, for the purpose of paying the costs | ||
| to establish, maintain, or operate the homeland security fusion | ||
| center. | ||
| (b) The homeland security fusion center shall remit all | ||
| amounts received under this section to the comptroller. The | ||
| comptroller shall deposit the amounts to the credit of an account in | ||
| the general revenue fund that may be appropriated only to the | ||
| Department of Public Safety to provide funding for establishing, | ||
| maintaining, or operating the homeland security fusion center. | ||
| (c) The board must approve expenditures made for the | ||
| purposes described by Subsection (b). | ||
| Sec. 421.0905. ADMINISTRATIVE SUPPORT. The Texas Homeland | ||
| Security Division of the Department of Public Safety shall provide | ||
| administrative support for the homeland security fusion center and | ||
| the board, including securely maintaining the records of the board. | ||
| SECTION 7. Section 2054.077(d), Government Code, is amended | ||
| to read as follows: | ||
| (d) The information security officer shall provide an | ||
| electronic copy of the vulnerability report on its completion to: | ||
| (1) the Texas Homeland Security Division of the | ||
| Department of Public Safety; | ||
| (2) the department; | ||
| (3) [ |
||
| (4) [ |
||
| (5) [ |
||
| resources manager; and | ||
| (6) [ |
||
| oversight group specifically authorized by the legislature to | ||
| receive the report. | ||
| SECTION 8. Section 2054.1125, Government Code, is amended | ||
| by amending Subsection (b) and adding Subsections (d) and (e) to | ||
| read as follows: | ||
| (b) A state agency that owns, licenses, or maintains | ||
| computerized data that includes sensitive personal information, | ||
| confidential information, or information the disclosure of which is | ||
| regulated by law shall, in the event of a breach or suspected breach | ||
| of system security or an unauthorized exposure of that information: | ||
| (1) comply with the notification requirements of | ||
| Section 521.053, Business & Commerce Code, to the same extent as a | ||
| person who conducts business in this state; and | ||
| (2) not later than 48 hours after the discovery of the | ||
| breach, suspected breach, or unauthorized exposure, notify: | ||
| (A) the Texas Homeland Security Division of the | ||
| Department of Public Safety; | ||
| (B) the department, including the chief | ||
| information security officer; and | ||
| (C) [ |
||
| unauthorized exposure involves election data, the secretary of | ||
| state. | ||
| (d) The Texas Homeland Security Division of the Department | ||
| of Public Safety shall notify the governor of any breach or | ||
| suspected breach reported to the division under this section. | ||
| (e) The administrative head of a state agency commits an | ||
| offense if the person intentionally or knowingly fails to notify | ||
| the Texas Homeland Security Division of the Department of Public | ||
| Safety of a breach, suspected breach, or unauthorized exposure, as | ||
| required by Subsection (b)(2)(A). An offense under this subsection | ||
| is a Class C misdemeanor. | ||
| SECTION 9. Section 2054.133(f), Government Code, is amended | ||
| to read as follows: | ||
| (f) Not later than November 15 of each even-numbered year, | ||
| the department shall submit a written report to the governor, the | ||
| lieutenant governor, and each standing committee of the legislature | ||
| with primary jurisdiction over matters related to the department | ||
| evaluating information security for this state's information | ||
| resources. In preparing the report, the department shall consider | ||
| the information security plans submitted by state agencies under | ||
| this section, any vulnerability reports submitted under Section | ||
| 2054.077, any relevant information provided by the Texas Homeland | ||
| Security Division of the Department of Public Safety, and other | ||
| available information regarding the security of this state's | ||
| information resources. The department shall omit from any written | ||
| copies of the report information that could expose specific | ||
| vulnerabilities in the security of this state's information | ||
| resources. | ||
| SECTION 10. Section 2054.511, Government Code, is amended | ||
| to read as follows: | ||
| Sec. 2054.511. CYBERSECURITY COORDINATOR. (a) The | ||
| executive director shall designate an employee of the department as | ||
| the state cybersecurity coordinator to oversee cybersecurity | ||
| matters for this state. | ||
| (b) The director of the Texas Homeland Security Division of | ||
| the Department of Public Safety and the cybersecurity coordinator | ||
| shall jointly improve the efficacy and efficiency of this state's | ||
| response to and investigations of cyber attacks occurring in this | ||
| state. | ||
| SECTION 11. Section 2054.512(b), Government Code, is | ||
| amended to read as follows: | ||
| (b) The cybersecurity council must include: | ||
| (1) one member who is an employee of the office of the | ||
| governor; | ||
| (2) one member of the senate appointed by the | ||
| lieutenant governor; | ||
| (3) one member of the house of representatives | ||
| appointed by the speaker of the house of representatives; | ||
| (4) the director of the Texas Homeland Security | ||
| Division of the Department of Public Safety; | ||
| (5) one member who is an employee of the Elections | ||
| Division of the Office of the Secretary of State; and | ||
| (6) [ |
||
| cybersecurity coordinator, including representatives of | ||
| institutions of higher education and private sector leaders. | ||
| SECTION 12. Section 2054.515(b), Government Code, as | ||
| amended by Chapters 567 (S.B. 475) and 856 (S.B. 800), Acts of the | ||
| 87th Legislature, Regular Session, 2021, is reenacted and amended | ||
| to read as follows: | ||
| (b) Not later than December 1 of the year [ |
||
| assessment under Subsection (a) or the 60th day after the date the | ||
| agency completes the assessment, whichever occurs first, the agency | ||
| shall report the results of the assessment to: | ||
| (1) the Texas Homeland Security Division of the | ||
| Department of Public Safety; | ||
| (2) the department; and | ||
| (3) [ |
||
| governor, and the speaker of the house of representatives. | ||
| SECTION 13. Section 2054.518(a), Government Code, is | ||
| amended to read as follows: | ||
| (a) In consultation with the Texas Homeland Security | ||
| Division of the Department of Public Safety, the [ |
||
| shall develop a plan to address cybersecurity risks and incidents | ||
| in this state. The department may enter into an agreement with a | ||
| national organization, including the National Cybersecurity | ||
| Preparedness Consortium, to support the department's efforts in | ||
| implementing the components of the plan for which the department | ||
| lacks resources to address internally. The agreement may include | ||
| provisions for: | ||
| (1) providing technical assistance services to | ||
| support preparedness for and response to cybersecurity risks and | ||
| incidents; | ||
| (2) conducting cybersecurity simulation exercises for | ||
| state agencies to encourage coordination in defending against and | ||
| responding to cybersecurity risks and incidents; | ||
| (3) assisting state agencies in developing | ||
| cybersecurity information-sharing programs to disseminate | ||
| information related to cybersecurity risks and incidents; and | ||
| (4) incorporating cybersecurity risk and incident | ||
| prevention and response methods into existing state emergency | ||
| plans, including continuity of operation plans and incident | ||
| response plans. | ||
| SECTION 14. Subchapter F, Chapter 2270, Government Code, is | ||
| amended by adding Section 2270.0254 to read as follows: | ||
| Sec. 2270.0254. ADMINISTRATIVE PENALTY. The Department of | ||
| Public Safety may impose an administrative penalty in the same | ||
| manner and using the same procedures as Subchapter R, Chapter 411, | ||
| against a person who violates this chapter. | ||
| SECTION 15. Chapter 2274, Government Code, as added by | ||
| Chapter 975 (S.B. 2116), Acts of the 87th Legislature, Regular | ||
| Session, 2021, is amended by adding Section 2274.0104 to read as | ||
| follows: | ||
| Sec. 2274.0104. ADMINISTRATIVE PENALTY. The Department of | ||
| Public Safety may impose an administrative penalty in the same | ||
| manner and using the same procedures as Subchapter R, Chapter 411, | ||
| against a person who violates this chapter. | ||
| SECTION 16. Section 205.010(a), Local Government Code, is | ||
| amended by adding Subdivision (1-a) to read as follows: | ||
| (1-a) "Local government" means a municipality, | ||
| county, special district or authority, or any other political | ||
| subdivision of this state. | ||
| SECTION 17. Section 205.010, Local Government Code, is | ||
| amended by adding Subsections (c), (d), and (e) to read as follows: | ||
| (c) In addition to notifying the attorney general under | ||
| Section 521.053, Business & Commerce Code, of a breach of system | ||
| security, the local government shall report the breach to the Texas | ||
| Homeland Security Division of the Department of Public Safety. The | ||
| division shall notify the governor of a breach of system security | ||
| reported to the division under this section. | ||
| (d) Not later than the 10th business day after the date of | ||
| the eradication, closure, and recovery from a breach, a local | ||
| government shall notify the Department of Information Resources, | ||
| including the chief information security officer, of the details of | ||
| the event and include in the notification an analysis of the cause | ||
| of the event. | ||
| (e) The administrative head of a local government commits an | ||
| offense if the person intentionally or knowingly fails to notify | ||
| the Texas Homeland Security Division of the Department of Public | ||
| Safety of a breach of system security as required by Subsection (c). | ||
| An offense under this subsection is a Class C misdemeanor. | ||
| SECTION 18. (a) Section 421.021(a), Government Code, as | ||
| amended by Chapters 93 (S.B. 686), 616 (S.B. 1393), and 1217 (S.B. | ||
| 1536), Acts of the 83rd Legislature, Regular Session, 2013, is | ||
| repealed. | ||
| (b) Section 421.021(c), Government Code, is repealed. | ||
| SECTION 19. As soon as practicable after the Texas Homeland | ||
| Security Division of the Department of Public Safety of the State of | ||
| Texas is established, the division shall notify each state agency | ||
| and local government of the requirements to notify the division of a | ||
| breach of system security under Section 2054.1125, Government Code, | ||
| as amended by this Act, and Section 205.010, Local Government Code, | ||
| as amended by this Act, including the criminal penalties that may be | ||
| imposed for failure to comply with those requirements. | ||
| SECTION 20. It is the intent of the 88th Legislature, | ||
| Regular Session, 2023, that the amendments made by this Act be | ||
| harmonized with another Act of the 88th Legislature, Regular | ||
| Session, 2023, relating to nonsubstantive additions to and | ||
| corrections in enacted codes. | ||
| SECTION 21. This Act takes effect September 1, 2023. | ||
