Bill Text: TX SB271 | 2023-2024 | 88th Legislature | Introduced
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Relating to state agency and local government security incident procedures.
Spectrum: Bipartisan Bill
Status: (Passed) 2023-05-19 - Effective on 9/1/23 [SB271 Detail]
Download: Texas-2023-SB271-Introduced.html
Bill Title: Relating to state agency and local government security incident procedures.
Spectrum: Bipartisan Bill
Status: (Passed) 2023-05-19 - Effective on 9/1/23 [SB271 Detail]
Download: Texas-2023-SB271-Introduced.html
| 88R2442 SCP-F | ||
| By: Johnson | S.B. No. 271 | |
|
|
||
|
|
||
| relating to state agency and local government security incident | ||
| procedures. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Section 2054.1125, Government Code, is | ||
| transferred to Subchapter R, Chapter 2054, Government Code, | ||
| redesignated as Section 2054.603, Government Code, and amended to | ||
| read as follows: | ||
| Sec. 2054.603 [ |
||
| NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this | ||
| section: | ||
| (1) "Security incident" means the actual or suspected | ||
| unauthorized access, disclosure, exposure, modification, or | ||
| destruction of sensitive personal information, confidential | ||
| information, or other information the disclosure of which is | ||
| regulated by law, including: | ||
| (A) a breach or suspected breach [ |
||
| system security as defined [ |
||
| Section 521.053, Business & Commerce Code; and | ||
| (B) the introduction of ransomware, as defined by | ||
| Section 33.023, Penal Code, into a computer, computer network, or | ||
| computer system. | ||
| (2) "Sensitive personal information" has the meaning | ||
| assigned by Section 521.002, Business & Commerce Code. | ||
| (b) A state agency or local government that owns, licenses, | ||
| or maintains computerized data that includes sensitive personal | ||
| information, confidential information, or information the | ||
| disclosure of which is regulated by law shall, in the event of a | ||
| security incident [ |
||
| (1) comply with the notification requirements of | ||
| Section 521.053, Business & Commerce Code, to the same extent as a | ||
| person who conducts business in this state; [ |
||
| (2) not later than 48 hours after the discovery of the | ||
| security incident [ |
||
| (A) the department, including the chief | ||
| information security officer; or | ||
| (B) if the security incident [ |
||
| secretary of state; and | ||
| (3) comply with all department rules relating to | ||
| security incidents. | ||
| (c) Not later than the 10th business day after the date of | ||
| the eradication, closure, and recovery from a security incident | ||
| [ |
||
| agency or local government shall notify the department, including | ||
| the chief information security officer, of the details of the | ||
| security incident [ |
||
| analysis of the cause of the security incident [ |
||
| SECTION 2. This Act takes effect September 1, 2023. | ||
