Sec. 509.007. PROTECTION OF PERSONAL DATA: COMPREHENSIVE INFORMATION SECURITY PROGRAM. (a) A data broker conducting business in this state has a duty to protect personal data held by that data broker as provided by this section.
(b) A data broker shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate for:
(1) the data broker's size, scope, and type of business;
(2) the amount of resources available to the data broker;
(3) the amount of data stored by the data broker; and
(4) the need for security and confidentiality of personal data stored by the data broker.
(c) The comprehensive information security program required by this section must:
(1) incorporate safeguards that are consistent with the safeguards for protection of personal data and information of a similar character under state or federal laws and regulations applicable to the data broker;
(2) include the designation of one or more employees of the data broker to maintain the program;
(3) require the identification and assessment of reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of any electronic, paper, or other record containing personal data, and the establishment of a process for evaluating and improving, as necessary, the effectiveness of the current safeguards for limiting those risks, including by:
(A) requiring ongoing employee and contractor education and training, including education and training for temporary employees and contractors of the data broker, on the proper use of security procedures and protocols and the importance of personal data security;
(B) mandating employee compliance with policies and procedures established under the program; and
(C) providing a means for detecting and preventing security system failures;
(4) include security policies for the data broker's employees relating to the storage, access, and transportation of records containing personal data outside of the broker's physical business premises;
(5) provide disciplinary measures for violations of a policy or procedure established under the program;
(6) include measures for preventing a terminated employee from accessing records containing personal data;
(7) provide policies for the supervision of third-party service providers that include:
(A) taking reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect personal data consistent with applicable law; and
(B) requiring third-party service providers by contract to implement and maintain appropriate security measures for personal data;
(8) provide reasonable restrictions on physical access to records containing personal data, including by requiring the records containing the data to be stored in a locked facility, storage area, or container;
(9) include regular monitoring to ensure that the program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal data and, as necessary, upgrading information safeguards to limit the risk of unauthorized access to or unauthorized use of personal data;
(10) require the regular review of the scope of the program's security measures that must occur:
(A) at least annually; and
(B) whenever there is a material change in the data broker's business practices that may reasonably affect the security or integrity of records containing personal data;
(11) require the documentation of responsive actions taken in connection with any incident involving a breach of security, including a mandatory post-incident review of each event and the actions taken, if any, to make changes in business practices relating to protection of personal data in response to that event; and
(12) to the extent technically feasible, include the following procedures and protocols with respect to computer system security requirements or procedures and protocols providing a higher degree of security, for the protection of personal data:
(A) the use of secure user authentication protocols that include each of the following features:
(i) controlling user log-in credentials and other identifiers;
(ii) using a reasonably secure method of assigning and selecting passwords or using unique identifier technologies, which may include biometrics or token devices;
(iii) controlling data security passwords to ensure that the passwords are kept in a location and format that do not compromise the security of the data the passwords protect;
(iv) restricting access to only active users and active user accounts; and
(v) blocking access to user credentials or identification after multiple unsuccessful attempts to gain access;
(B) the use of secure access control measures that include:
(i) restricting access to records and files containing personal data to only employees or contractors who need access to that personal data to perform the job duties of the employees or contractors; and
(ii) assigning to each employee or contractor with access to a computer containing personal data unique identification and a password, which may not be a vendor-supplied default password, or using another protocol reasonably designed to maintain the integrity of the security of the access controls to personal data;
(C) encryption of:
(i) transmitted records and files containing personal data that will travel across public networks; and
(ii) data containing personal data that is transmitted wirelessly;
(D) reasonable monitoring of systems for unauthorized use of or access to personal data;
(E) encryption of all personal data stored on laptop computers or other portable devices;
(F) for files containing personal data on a system that is connected to the Internet, the use of reasonably current firewall protection and operating system security patches that are reasonably designed to maintain the integrity of the personal data; and
(G) the use of:
(i) a reasonably current version of system security agent software that must include malware protection and reasonably current patches and virus definitions; or
(ii) a version of system security agent software that is supportable with current patches and virus definitions and is set to receive the most current security updates on a regular basis.
Added by Acts 2023, 88th Leg., R.S., Ch. 963 (S.B. 2105), Sec. 1, eff. September 1, 2023.