Bill Text: TX SB271 | 2023-2024 | 88th Legislature | Enrolled
Bill Title: Relating to state agency and local government security incident procedures.
Sponsorship: Bipartisan Bill
Status: (Passed) 2023-05-19 - Effective on 9/1/23 [SB271 Detail]
Download: Texas-2023-SB271-Enrolled.html
| S.B. No. 271 | ||
|
|
||
| relating to state agency and local government security incident | ||
| procedures. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Section 2054.1125, Government Code, is | ||
| transferred to Subchapter R, Chapter 2054, Government Code, | ||
| redesignated as Section 2054.603, Government Code, and amended to | ||
| read as follows: | ||
| Sec. 2054.603 [ |
||
| NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this | ||
| section: | ||
| (1) "Security incident" means: | ||
| (A) a breach or suspected breach [ |
||
| system security as defined [ |
||
| Section 521.053, Business & Commerce Code; and | ||
| (B) the introduction of ransomware, as defined by | ||
| Section 33.023, Penal Code, into a computer, computer network, or | ||
| computer system. | ||
| (2) "Sensitive personal information" has the meaning | ||
| assigned by Section 521.002, Business & Commerce Code. | ||
| (b) A state agency or local government that owns, licenses, | ||
| or maintains computerized data that includes sensitive personal | ||
| information, confidential information, or information the | ||
| disclosure of which is regulated by law shall, in the event of a | ||
| security incident [ |
||
| (1) comply with the notification requirements of | ||
| Section 521.053, Business & Commerce Code, to the same extent as a | ||
| person who conducts business in this state; [ |
||
| (2) not later than 48 hours after the discovery of the | ||
| security incident [ |
||
| (A) the department, including the chief | ||
| information security officer; or | ||
| (B) if the security incident [ |
||
| secretary of state; and | ||
| (3) comply with all department rules relating to | ||
| reporting security incidents as required by this section. | ||
| (c) Not later than the 10th business day after the date of | ||
| the eradication, closure, and recovery from a security incident | ||
| [ |
||
| agency or local government shall notify the department, including | ||
| the chief information security officer, of the details of the | ||
| security incident [ |
||
| analysis of the cause of the security incident [ |
||
| (d) This section does not apply to a security incident that | ||
| a local government is required to report to an independent | ||
| organization certified by the Public Utility Commission of Texas | ||
| under Section 39.151, Utilities Code. | ||
| SECTION 2. This Act takes effect September 1, 2023. | ||
| ______________________________ | ______________________________ | |
| President of the Senate | Speaker of the House | |
| I hereby certify that S.B. No. 271 passed the Senate on | ||
| March 21, 2023, by the following vote: Yeas 31, Nays 0. | ||
| ______________________________ | ||
| Secretary of the Senate | ||
| I hereby certify that S.B. No. 271 passed the House on | ||
| May 6, 2023, by the following vote: Yeas 134, Nays 2, one present | ||
| not voting. | ||
| ______________________________ | ||
| Chief Clerk of the House | ||
| Approved: | ||
| ______________________________ | ||
| Date | ||
| ______________________________ | ||
| Governor | ||
