SB 271 Security Incident Reporting
Overview
Government Code 2054.603 requires state agencies and local governments that experience a security incident to:
- report to DIR within 48 hours after discovery (or to notify the secretary of state if the incident involves election data) if the security incident is assessed to:
  - propagate to other state systems;
  - result in criminal violations that shall be reported to law enforcement in accordance with state or federal information security or privacy laws;
  - involve the unauthorized disclosure or modification of confidential information, e.g., sensitive personal information as defined in Texas Business and Commerce Code § 521.002(a)(2) and other applicable laws that may require public notification; or
  - be an unauthorized incident that compromises, destroys, or alters information systems, applications, or access to such systems or applications in any way; and
- comply with the notification requirements of Business & Commerce Code Section 521.053, to the same extent as a person who conducts business in this state.
It also requires entities to report to DIR the details of the security incident and an analysis of the cause of the incident within 10 days after incident eradication, closure, and recovery.
Who is Required to Report?
State and local governments that own, license, or maintain computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law, that experience a security incident are required to report.
Note: The reporting requirement does not apply to a security incident that a local government is required to report to an independent organization certified by the Public Utility Commission of Texas under Utilities Code Section 39.151.
Effective Date
The reporting requirements take effect September 1, 2023. (Note: State agencies were previously required to report incidents to DIR and should continue to adhere to existing reporting requirements.)
Why Submit Incidents?
Security incident submission is legally required for state and local governments, as described above. However, in addition to satisfying Government Code and Education Code reporting requirements, submitting incidents to DIR helps DIR gain awareness of the scope of incidents impacting the state and connect entities to DIR’s Cybersecurity Incident Response Team (CIRT) and other incident investigation, response, and recovery resources (as applicable).
Definitions
Local government: a county, municipality, special district, school district, junior college district, or other political subdivision of the state
Security incident:
- a breach or suspected breach of system security as defined by Business & Commerce Code Section 521.053; and
- the introduction of ransomware, as defined by Penal Code Section 33.023, into a computer, computer network, or computer system.
Sensitive personal information: as defined in Business & Commerce Code Section 521.002
How to Report
Incident reports will be submitted via the Archer Engage secure webform. To submit an incident:
- Create an Engage account (first-time only).
- Log into Engage (enter username and password; submit the one-time verification code).
  - Note: If, after logging in, you are not redirected to the incident form, click the Engage link again.
- Submit the incident report and receive an email confirmation. This email may be delayed by up to 30 minutes from when you submit your report; retain the email confirmation, which contains the incident ID.
- Submit the incident closure and receive an email confirmation.
Refer to the user guide for detailed instructions:
Local Government Incident Reporting User Guide
Education Code Section 11.175 requires school districts and charter schools to report any cyber attack or other cybersecurity incident that constitutes a “Breach of system security” in which student information that is sensitive, protected, or confidential, as provided by state or federal law, is stolen or copied, transmitted, viewed, or used by a person unauthorized to engage in that action. Submitting the local government incident report satisfies this requirement.
Note: If you are unable to submit an incident using the reporting form, contact the DIR Incident Response Hotline, (877) DIR-CISO, for assistance.
Frequently Asked Questions (FAQs)
Section 521.053, Business & Commerce Code requires organizations, after discovering or receiving notification of a breach of system security, to report the breach to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person, or to the data owner, immediately. Public reports may be required for breaches involving 10,000 or more individuals.
An organization that is required to disclose or provide notification under this section is also required to notify the Texas Attorney General as soon as practicable and not later than the 30th day after discovery, if the breach involves at least 250 Texas residents. This notification must be submitted electronically and must include:
- A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired because of the breach.
- The number of residents of this state affected by the breach at the time of notification.
- The measures taken by the person or organization regarding the breach.
- Any measures the person or organization intends to take regarding the breach after the notification under this subsection.
- Information regarding whether law enforcement is engaged in investigating the breach.
Yes, calling the DIR incident response hotline satisfies the requirement to report an incident within 48 hours of discovery. There is an additional requirement to report to DIR the details of the security incident and an analysis of the cause of the incident within 10 days after incident eradication, closure, and recovery. To enable this process, an incident needs to be submitted via the Archer Engage secure webform. DIR can assist with this, if needed.
Last Updated: 3/1/2024