Sec. 2054.1125. SECURITY BREACH NOTIFICATION BY STATE AGENCY. (a) In this section:

(1) "Breach of system security" has the meaning assigned by Section 521.053, Business & Commerce Code.

(2) "Sensitive personal information" has the meaning assigned by Section 521.002, Business & Commerce Code.

(b) A state agency that owns, licenses, or maintains computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law shall, in the event of a breach or suspected breach of system security or an unauthorized exposure of that information:

(1) comply with the notification requirements of Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state; and

(2) not later than 48 hours after the discovery of the breach, suspected breach, or unauthorized exposure, notify:

(A) the department, including the chief information security officer; or

(B) if the breach, suspected breach, or unauthorized exposure involves election data, the secretary of state.

(c) Not later than the 10th business day after the date of the eradication, closure, and recovery from a breach, suspected breach, or unauthorized exposure, a state agency shall notify the department, including the chief information security officer, of the details of the event and include in the notification an analysis of the cause of the event.

Added by Acts 2009, 81st Leg., R.S., Ch. 419 (H.B. 2004), Sec. 4, eff. September 1, 2009.

Amended by:

Acts 2017, 85th Leg., R.S., Ch. 683 (H.B. 8), Sec. 8, eff. September 1, 2017.

Acts 2019, 86th Leg., R.S., Ch. 509 (S.B. 64), Sec. 14, eff. September 1, 2019.