Bill Text: TX SB271 | 2023-2024 | 88th Legislature | Comm Sub
NOTE: There are more recent revisions of this legislation. Read Latest Draft
Bill Title: Relating to state agency and local government security incident procedures.
Spectrum: Bipartisan Bill
Status: (Passed) 2023-05-19 - Effective on 9/1/23 [SB271 Detail]
Download: Texas-2023-SB271-Comm_Sub.html
Bill Title: Relating to state agency and local government security incident procedures.
Spectrum: Bipartisan Bill
Status: (Passed) 2023-05-19 - Effective on 9/1/23 [SB271 Detail]
Download: Texas-2023-SB271-Comm_Sub.html
| By: Johnson | S.B. No. 271 | |
| (In the Senate - Filed December 8, 2022; February 15, 2023, | ||
| read first time and referred to Committee on Business & Commerce; | ||
| March 16, 2023, reported adversely, with favorable Committee | ||
| Substitute by the following vote: Yeas 11, Nays 0; March 16, 2023, | ||
| sent to printer.) | ||
| COMMITTEE SUBSTITUTE FOR S.B. No. 271 | By: Johnson | |
|
|
||
|
|
||
| relating to state agency and local government security incident | ||
| procedures. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Section 2054.1125, Government Code, is | ||
| transferred to Subchapter R, Chapter 2054, Government Code, | ||
| redesignated as Section 2054.603, Government Code, and amended to | ||
| read as follows: | ||
| Sec. 2054.603 [ |
||
| NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this | ||
| section: | ||
| (1) "Security incident" means: | ||
| (A) a breach or suspected breach [ |
||
| system security as defined [ |
||
| Section 521.053, Business & Commerce Code; and | ||
| (B) the introduction of ransomware, as defined by | ||
| Section 33.023, Penal Code, into a computer, computer network, or | ||
| computer system. | ||
| (2) "Sensitive personal information" has the meaning | ||
| assigned by Section 521.002, Business & Commerce Code. | ||
| (b) A state agency or local government that owns, licenses, | ||
| or maintains computerized data that includes sensitive personal | ||
| information, confidential information, or information the | ||
| disclosure of which is regulated by law shall, in the event of a | ||
| security incident [ |
||
| (1) comply with the notification requirements of | ||
| Section 521.053, Business & Commerce Code, to the same extent as a | ||
| person who conducts business in this state; [ |
||
| (2) not later than 48 hours after the discovery of the | ||
| security incident [ |
||
| (A) the department, including the chief | ||
| information security officer; or | ||
| (B) if the security incident [ |
||
| secretary of state; and | ||
| (3) comply with all department rules relating to | ||
| reporting security incidents as required by this section. | ||
| (c) Not later than the 10th business day after the date of | ||
| the eradication, closure, and recovery from a security incident | ||
| [ |
||
| agency or local government shall notify the department, including | ||
| the chief information security officer, of the details of the | ||
| security incident [ |
||
| analysis of the cause of the security incident [ |
||
| (d) This section does not apply to a security incident that | ||
| a local government is required to report to an independent | ||
| organization certified by the Public Utility Commission of Texas | ||
| under Section 39.151, Utilities Code. | ||
| SECTION 2. This Act takes effect September 1, 2023. | ||
| * * * * * | ||
