The bill, H.B. No. 4231, aims to enhance cybersecurity measures for retail public utilities that provide water or sewer services in Texas. It amends the Government Code to include retail public utilities as eligible customers for cybersecurity services provided by the Department of Information Resources. Specifically, it adds a new section to the Water Code that prohibits these utilities from connecting their supervisory control and data acquisition systems to the Internet, while allowing for intranet or site-to-site virtual private network operations. The bill also mandates the adoption of cybersecurity requirements, including employee identification authentication and annual cybersecurity training for employees with access to the utility's computer systems.

Additionally, the bill establishes a framework for security assessments and compliance audits, requiring retail public utilities to report the results of these assessments to relevant commissions and departments. It also outlines the notification process for security incidents involving sensitive personal information, requiring utilities to inform the appropriate authorities within 48 hours of discovering such incidents. The Texas Commission on Environmental Quality and the Department of Information Resources are tasked with implementing the necessary rules by September 1, 2026, and retail public utilities must comply with the new cybersecurity requirements by September 1, 2027. The act is set to take effect on September 1, 2025.

Statutes affected:
Introduced: Government Code 2054.0525, Government Code 2059.058 (Government Code 2059, Government Code 2054)