Bill Text: TX HB307 | 2021 | 87th Legislature 1st Special Session | Introduced

Texas House Bill 307 (Prior Session Legislation)

Introduced

Bill Title: Relating to state agency and local government security incident procedures.

Spectrum: Partisan Bill (Republican 1-0)

Status: (Introduced - Dead) 2021-08-03 - Filed [HB307 Detail]

Download: Texas-2021-HB307-Introduced.html

	87S10701 MWC-F

	By: Shaheen	H.B. No. 307



	A BILL TO BE ENTITLED
	AN ACT
	relating to state agency and local government security incident
	procedures.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
	SECTION 1. Section 2054.1125, Government Code, is
	transferred to Subchapter R, Chapter 2054, Government Code,
	redesignated as Section 2054.603, Government Code, and amended to
	read as follows:
	Sec. 2054.603 [~~2054.1125~~]. SECURITY INCIDENT [~~BREACH~~]
	NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this
	section:
	(1) "Security incident" means the unauthorized
	access, disclosure, exposure, modification, or destruction of
	sensitive personal information, confidential information, or other
	information the disclosure of which is regulated by law, including:
	(A) a breach [~~"Breach~~] of system security as
	defined [~~security" has the meaning assigned~~] by Section 521.053,
	Business & Commerce Code; and
	(B) ransomware as defined by Section 33.023,
	Penal Code.
	(2) "Sensitive personal information" has the meaning
	assigned by Section 521.002, Business & Commerce Code.
	(b) A state agency or local government that owns, licenses,
	or maintains computerized data that includes sensitive personal
	information, confidential information, or information the
	disclosure of which is regulated by law shall, in the event of a
	security incident [~~breach or suspected breach of system security or~~
	~~an unauthorized exposure of that information~~]:
	(1) comply with the notification requirements of
	Section 521.053, Business & Commerce Code, to the same extent as a
	person who conducts business in this state; [~~and~~]
	(2) not later than 72 [48] hours after the discovery of
	the security incident [~~breach, suspected breach, or unauthorized~~
	~~exposure~~], notify:
	(A) the department, including the chief
	information security officer, and the Texas Division of Emergency
	Management; or
	(B) if the security incident [~~breach, suspected~~
	~~breach, or unauthorized exposure~~] involves election data, the
	secretary of state; and
	(3) comply with all department rules relating to
	security incidents.
	(c) Not later than the 10th business day after the date of
	the eradication, closure, and recovery from a security incident
	[~~breach, suspected breach, or unauthorized exposure~~], a state
	agency or local government shall notify the department, including
	the chief information security officer, and the Texas Division of
	Emergency Management of the details of the security incident
	[~~event~~] and include in the notification an analysis of the cause of
	the security incident [~~event~~].
	(d) The department shall make available to state agencies
	and local governments a secure method for submitting the security
	incident information required by this section. All information
	provided under this section is confidential and is not subject to
	disclosure under Chapter 552.
	SECTION 2. This Act takes effect December 1, 2021.