SB 271 Security Incident Reporting

Overview 

Texas Government Code 2054.603 requires state agencies and local governments that experience a security incident to: 

• report to DIR within 48 hours after discovery (or to notify the secretary of state if the incident involves election data), and 

• comply with the notification requirements of Section 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state. 

It also requires entities to report to DIR the details of the security incident and an analysis of the cause of the incident within 10 days after incident eradication, closure and recovery. 

Who is Required to Report? 

State and local governments that own, license, or maintain computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law, that experience a security incident are required to report. 

Note: The reporting requirement does not apply to a security incident that a local government is required to report to an independent organization certified by the Public Utility Commission of Texas under Section 39.151, Utilities Code. 

Effective Date 

The reporting requirements take effect September 1, 2023. (Note: State agencies were previously required to report incidents to DIR and should continue to adhere to existing reporting requirements.) 

Definitions 

Local government: a county, municipality, special district, school district, junior college district, or other political subdivision of the state 

Security incident:  

• a breach or suspected breach of system security as defined by Section 521.053, Business & Commerce Code; and  

• the introduction of ransomware, as defined by Section 33.023, Penal Code, into a computer, computer network, or computer system. 

Sensitive personal information: as defined in Section 521.002, Business & Commerce Code 

How to Report 

Incident reports will be submitted via the Archer Engage secure webform.  To submit an incident: 

• Create an Engage account (first-time only).
• Log into Engage (enter username and password; submit one-time verification code).
• Note: If after logging in, you are not redirected to the incident form, please click the Engage link again. 
• Submit incident report and receive email confirmation, this email may be delayed by up to 30 minutes from when you submit your report (retain email confirmation with incident ID).
• Submit incident closure and receive email confirmation.

Refer to the user guide for detailed instructions:

Local Government Incident Reporting User Guide

Section 11.175 of the Education Code requires school districts and charter schools to report any cyber-attack or other cybersecurity incident that constitutes a “Breach of system security” in which student information that is sensitive, protected, or confidential, as provided by state or federal law, is stolen or copied, transmitted, viewed, or used by a person unauthorized to engage in that action.  Submitting the local government incident report satisfies this requirement.

Note: If you are unable to submit an incident using the reporting form, contact the DIR Incident Response Hotline, (877) DIR-CISO, for assistance.

Frequently Asked Questions (FAQs)