Sec. 11.175. DISTRICT CYBERSECURITY. (a) In this section:

(1) "Breach of system security" means an incident in which student information that is sensitive, protected, or confidential, as provided by state or federal law, is stolen or copied, transmitted, viewed, or used by a person unauthorized to engage in that action.

(2) "Cyber attack" means an attempt to damage, disrupt, or gain unauthorized access to a computer, computer network, or computer system.

(3) "Cybersecurity" means the measures taken to protect a computer, computer network, or computer system against unauthorized use or access.

(b) Each school district shall adopt a cybersecurity policy to:

(1) secure district cyberinfrastructure against cyber attacks and other cybersecurity incidents; and

(2) determine cybersecurity risk and implement mitigation planning.

(c) A school district's cybersecurity policy may not conflict with the information security standards for institutions of higher education adopted by the Department of Information Resources under Chapters 2054 and 2059, Government Code.

(d) The superintendent of each school district shall designate a cybersecurity coordinator to serve as a liaison between the district and the agency in cybersecurity matters.

(e) The district's cybersecurity coordinator shall report to the agency any cyber attack or other cybersecurity incident against the district cyberinfrastructure that constitutes a breach of system security as soon as practicable after the discovery of the attack or incident.

(f) The district's cybersecurity coordinator shall provide notice to a parent of or person standing in parental relation to a student enrolled in the district of an attack or incident for which a report is required under Subsection (e) involving the student's information.

Added by Acts 2019, 86th Leg., R.S., Ch. 605 (S.B. 820), Sec. 1, eff. September 1, 2019.