Sec. 542.004. CYBERSECURITY PROGRAM. (a) For purposes of Section 542.003, a cybersecurity program must: (1) contain administrative, technical, and physical safeguards for the protection of personal identifying information and sensitive personal information; (2) conform to an industry-recognized cybersecurity framework as described by Subsection (b); (3) be designed to: (A) protect the security of personal identifying information and sensitive personal information; (B) protect against any threat or hazard to the integrity of personal identifying information and sensitive personal information; and (C) protect against unauthorized access to or acquisition of personal identifying information and sensitive personal information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates; and (4) with regard to the scale and scope, meet the following requirements: (A) for a business entity with fewer than 20 employees, simplified requirements, including password policies and appropriate employee cybersecurity training; (B) for a business entity with at least 20 employees but fewer than 100 employees, moderate requirements, including the requirements of the Center for Internet Security Controls Implementation Group 1; and (C) for a business entity with at least 100 employees but fewer than 250 employees, compliance with the requirements of Subsection (b).
(b) A cybersecurity program under this section conforms to an industry-recognized cybersecurity framework for purposes of this section if the program conforms to: (1) a current version of or any combination of current versions of the following: (A) the Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology (NIST); (B) the NIST's special publication 800-171; (C) the NIST's special publications 800-53 and 800-53a; (D) the Federal Risk and Authorization Management Program's FedRAMP Security Assessment Framework; (E) the Center for Internet Security Critical Security Controls for Effective Cyber Defense; (F) the ISO/IEC 27000-series information security standards published by the International Organization for Standardization and the International Electrotechnical Commission; (G) the Health Information Trust Alliance's Common Security Framework; (H) the Secure Controls Framework; (I) the Service Organization Control Type 2 Framework; or (J) other similar frameworks or standards of the cybersecurity industry; (2) if the business entity is subject to its requirements, the current version of the following: (A) the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.); (B) Title V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.); (C) the Federal Information Security Modernization Act of 2014 (Pub. L. No. 113-283); or (D) the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII, and Division B, Title IV, Pub. L. No. 111-5); and (3) if applicable to the business entity, a current version of the Payment Card Industry Data Security Standard. 
(c) If any standard described by Subsection (b)(1) is published and updated, a business entity's cybersecurity program continues to meet the requirements of a program under this section if the entity updates the program to meet the updated standard not later than the later of: (1) the implementation date published in the updated standard; or (2) the first anniversary of the date on which the updated standard is published.