Bill Text: TX SB271 | 2023-2024 | 88th Legislature | Enrolled
Bill Title: Relating to state agency and local government security incident procedures.
Spectrum: Bipartisan Bill
Status: (Passed) 2023-05-19 - Effective on 9/1/23
S.B. No. 271
relating to state agency and local government security incident
procedures.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
SECTION 1. Section 2054.1125, Government Code, is
transferred to Subchapter R, Chapter 2054, Government Code,
redesignated as Section 2054.603, Government Code, and amended to
read as follows:
Sec. 2054.603 [
NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this
section:
(1) "Security incident" means:
(A) a breach or suspected breach [
system security as defined [
Section 521.053, Business & Commerce Code; and
(B) the introduction of ransomware, as defined by
Section 33.023, Penal Code, into a computer, computer network, or
computer system.
(2) "Sensitive personal information" has the meaning
assigned by Section 521.002, Business & Commerce Code.
(b) A state agency or local government that owns, licenses,
or maintains computerized data that includes sensitive personal
information, confidential information, or information the
disclosure of which is regulated by law shall, in the event of a
security incident [
(1) comply with the notification requirements of
Section 521.053, Business & Commerce Code, to the same extent as a
person who conducts business in this state; [
(2) not later than 48 hours after the discovery of the
security incident [
(A) the department, including the chief
information security officer; or
(B) if the security incident [
secretary of state; and
(3) comply with all department rules relating to
reporting security incidents as required by this section.
(c) Not later than the 10th business day after the date of
the eradication, closure, and recovery from a security incident
[
agency or local government shall notify the department, including
the chief information security officer, of the details of the
security incident [
analysis of the cause of the security incident [
(d) This section does not apply to a security incident that
a local government is required to report to an independent
organization certified by the Public Utility Commission of Texas
under Section 39.151, Utilities Code.
SECTION 2. This Act takes effect September 1, 2023.
______________________________ | ______________________________
President of the Senate | Speaker of the House
I hereby certify that S.B. No. 271 passed the Senate on
March 21, 2023, by the following vote: Yeas 31, Nays 0.
______________________________
Secretary of the Senate
I hereby certify that S.B. No. 271 passed the House on
May 6, 2023, by the following vote: Yeas 134, Nays 2, one present
not voting.
______________________________
Chief Clerk of the House
Approved:
______________________________
Date
______________________________
Governor