Bill Text: TX HB307 | 2021 | 87th Legislature 1st Special Session | Introduced
Bill Title: Relating to state agency and local government security incident procedures.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2021-08-03 - Filed [HB307 Detail]
Download: Texas-2021-HB307-Introduced.html
87S10701 MWC-F | ||
By: Shaheen | H.B. No. 307 |
|
||
|
||
relating to state agency and local government security incident | ||
procedures. | ||
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
SECTION 1. Section 2054.1125, Government Code, is | ||
transferred to Subchapter R, Chapter 2054, Government Code, | ||
redesignated as Section 2054.603, Government Code, and amended to | ||
read as follows: | ||
Sec. 2054.603 [ |
||
NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this | ||
section: | ||
(1) "Security incident" means the unauthorized | ||
access, disclosure, exposure, modification, or destruction of | ||
sensitive personal information, confidential information, or other | ||
information the disclosure of which is regulated by law, including: | ||
(A) a breach [ |
||
defined [ |
||
Business & Commerce Code; and | ||
(B) ransomware as defined by Section 33.023, | ||
Penal Code. | ||
(2) "Sensitive personal information" has the meaning | ||
assigned by Section 521.002, Business & Commerce Code. | ||
(b) A state agency or local government that owns, licenses, | ||
or maintains computerized data that includes sensitive personal | ||
information, confidential information, or information the | ||
disclosure of which is regulated by law shall, in the event of a | ||
security incident [ |
||
(1) comply with the notification requirements of | ||
Section 521.053, Business & Commerce Code, to the same extent as a | ||
person who conducts business in this state; [ |
||
(2) not later than 72 [ |
||
the security incident [ |
||
(A) the department, including the chief | ||
information security officer, and the Texas Division of Emergency | ||
Management; or | ||
(B) if the security incident [ |
||
secretary of state; and | ||
(3) comply with all department rules relating to | ||
security incidents. | ||
(c) Not later than the 10th business day after the date of | ||
the eradication, closure, and recovery from a security incident | ||
[ |
||
agency or local government shall notify the department, including | ||
the chief information security officer, and the Texas Division of | ||
Emergency Management of the details of the security incident | ||
[ |
||
the security incident [ |
||
(d) The department shall make available to state agencies | ||
and local governments a secure method for submitting the security | ||
incident information required by this section. All information | ||
provided under this section is confidential and is not subject to | ||
disclosure under Chapter 552. | ||
SECTION 2. This Act takes effect December 1, 2021. |