SB 271 Security Incident Reporting

Overview

Texas Government Code 2054.603 requires state agencies and local governments that experience a security incident to: 

  • report to DIR within 48 hours after discovery (or to notify the secretary of state if the incident involves election data), and 
  • comply with the notification requirements of Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state. 

It also requires entities to report to DIR the details of the security incident and an analysis of the cause of the incident within 10 days after incident eradication, closure and recovery. 

Who is Required to Report? 

State and local governments that own, license, or maintain computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law, that experience a security incident are required to report. 

Note: The reporting requirement does not apply to a security incident that a local government is required to report to an independent organization certified by the Public Utility Commission of Texas under Section 39.151, Utilities Code

Effective Date 

The reporting requirements take effect September 1, 2023. (Note: State agencies were previously required to report incidents to DIR and should continue to adhere to existing reporting requirements.) 

Definitions 

Local government: a county, municipality, special district, school district, junior college district, or other political subdivision of the state 

Security incident:  

  • the introduction of ransomware, as defined by Section 33.023, Penal Code, into a computer, computer network, or computer system. 

Sensitive personal information: as defined in Section 521.002, Business & Commerce Code 

How to Report 

Incident reports will be submitted via the Archer Engage secure webform.  To submit an incident: 

  • Create an Engage account (first-time only).
  • Log into Engage (enter username and password; submit one-time verification code).
  • Note: If after logging in, you are not redirected to the incident form, please click the Engage link again. 
  • Submit incident report and receive email confirmation, this email may be delayed by up to 30 minutes from when you submit your report (retain email confirmation with incident ID).
  • Submit incident closure and receive email confirmation.

Refer to the user guide for detailed instructions:

Local Government Incident Reporting User Guide

Section 11.175 of the Education Code requires school districts and charter schools to report any cyber-attack or other cybersecurity incident that constitutes a “Breach of system security” in which student information that is sensitive, protected, or confidential, as provided by state or federal law, is stolen or copied, transmitted, viewed, or used by a person unauthorized to engage in that action.  Submitting the local government incident report satisfies this requirement.

Note: If you are unable to submit an incident using the reporting form, contact the DIR Incident Response Hotline, (877) DIR-CISO, for assistance.

Frequently Asked Questions (FAQs)

Section 521.053, Business & Commerce Code requires organizations to report any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person or to the data owner immediately. Public reports may be required for breaches involving 10,000 or more individuals.

An organization that is required to disclose or provide notification under this section, is required to notify the Texas Attorney General as soon as practicable and not later than the 30th day after discovery, if the breach involves at least 250 Texas residents. This notification must be submitted electronically and must include:

  • A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired because of the breach.
  • The number of residents of this state affected by the breach at the time of notification.
  • The measures taken by the person or organization regarding the breach.
  • Any measures the person or organization intends to take regarding the breach after the notification under this subsection.
  • Information regarding whether law enforcement is engaged in investigating the breach.

Yes, calling the DIR incident response hotline satisfies the requirement to report an incident within 48 hours of discovery.  There is an additional requirement to report to DIR the details of the security incident and an analysis of the cause of the incident within 10 days after incident eradication, closure and recover.  To enable this process, an incident needs to be submitted via the Archer Engage secure webform.  DIR can assist with this, if needed.

Last Updated: 10/19/2023

About File Formats

Some documents on this page are in the PDF format. Please download the Adobe Reader in order to view these documents.