Bill Text: TX HB712 | 2023-2024 | 88th Legislature | Comm Sub
Bill Title: Relating to state agency and local government security incident procedures.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2023-05-05 - Laid on the table subject to call [HB712 Detail]
Download: Texas-2023-HB712-Comm_Sub.html
| 88R18343 SCP-F | |||
| By: Shaheen | H.B. No. 712 | ||
| Substitute the following for H.B. No. 712: | |||
| By: Guillen | C.S.H.B. No. 712 | ||
|
|
||
|
|
||
| relating to state agency and local government security incident | ||
| procedures. | ||
| BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: | ||
| SECTION 1. Section 2054.1125, Government Code, is | ||
| transferred to Subchapter R, Chapter 2054, Government Code, | ||
| redesignated as Section 2054.603, Government Code, and amended to | ||
| read as follows: | ||
| Sec. 2054.603 [ |
||
| NOTIFICATION BY STATE AGENCY OR LOCAL GOVERNMENT. (a) In this | ||
| section: | ||
| (1) "Security incident" means: | ||
| (A) a breach or suspected breach [ |
||
| system security as defined [ |
||
| Section 521.053, Business & Commerce Code; and | ||
| (B) the introduction of ransomware, as defined by | ||
| Section 33.023, Penal Code, into a computer, computer network, or | ||
| computer system. | ||
| (2) "Sensitive personal information" has the meaning | ||
| assigned by Section 521.002, Business & Commerce Code. | ||
| (b) A state agency or local government that owns, licenses, | ||
| or maintains computerized data that includes sensitive personal | ||
| information, confidential information, or information the | ||
| disclosure of which is regulated by law shall, in the event of a | ||
| security incident [ |
||
| (1) comply with the notification requirements of | ||
| Section 521.053, Business & Commerce Code, to the same extent as a | ||
| person who conducts business in this state; [ |
||
| (2) not later than 48 hours after the discovery of the | ||
| security incident [ |
||
| (A) the department, including the chief | ||
| information security officer; or | ||
| (B) if the security incident [ |
||
| secretary of state; and | ||
| (3) comply with all department rules relating to | ||
| reporting security incidents as required by this section. | ||
| (c) Not later than the 10th business day after the date of | ||
| the eradication, closure, and recovery from a security incident | ||
| [ |
||
| agency or local government shall notify the department, including | ||
| the chief information security officer, of the details of the | ||
| security incident [ |
||
| analysis of the cause of the security incident [ |
||
| (d) This section does not apply to a security incident that | ||
| a local government is required to report to an independent | ||
| organization certified by the Public Utility Commission of Texas | ||
| under Section 39.151, Utilities Code. | ||
| SECTION 2. This Act takes effect September 1, 2023. | ||
