(a) For purposes of Section 542.003, a cybersecurity program must:
- (1) contain administrative, technical, and physical safeguards for the protection of personal identifying information and sensitive personal information;
- (2) conform to an industry-recognized cybersecurity framework as described by Subsection (b);
(3) be designed to:
- (A) protect the security of personal identifying information and sensitive personal information;
- (B) protect against any threat or hazard to the integrity of personal identifying information and sensitive personal information; and
- (C) protect against unauthorized access to or acquisition of personal identifying information and sensitive personal information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates; and
(4) with regard to the scale and scope, meet the following requirements:
- (A) for a business entity with fewer than 20 employees, simplified requirements, including password policies and appropriate employee cybersecurity training;
- (B) for a business entity with at least 20 employees but fewer than 100 employees, moderate requirements, including the requirements of the Center for Internet Security Controls Implementation Group 1; and
- (C) for a business entity with at least 100 employees but fewer than 250 employees, compliance with the requirements of Subsection (b).
(b) A cybersecurity program under this section conforms to an industry-recognized cybersecurity framework for purposes of this section if the program conforms to:
(1) a current version of or any combination of current versions of the following:
- (A) the Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology (NIST);
- (B) the NIST's special publication 800-171;
- (C) the NIST's special publications 800-53 and 800-53a;
- (D) the Federal Risk and Authorization Management Program's FedRAMP Security Assessment Framework;
- (E) the Center for Internet Security Critical Security Controls for Effective Cyber Defense;
- (F) the ISO/IEC 27000-series information security standards published by the International Organization for Standardization and the International Electrotechnical Commission;
- (G) the Health Information Trust Alliance's Common Security Framework;
- (H) the Secure Controls Framework;
- (I) the Service Organization Control Type 2 Framework; or
- (J) other similar frameworks or standards of the cybersecurity industry;
(2) if the business entity is subject to its requirements, the current version of the following:
- (A) the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.);
- (B) Title V, Gramm-Leach-Bliley Act (15 U.S.C. Section 6801 et seq.);
- (C) the Federal Information Security Modernization Act of 2014 (Pub. L. No. 113-283); or
- (D) the Health Information Technology for Economic and Clinical Health Act (Division A, Title XIII, and Division B, Title IV, Pub. L. No. 111-5); and
- (3) if applicable to the business entity, a current version of the Payment Card Industry Data Security Standard.
(c) If any standard described by Subsection (b)(1) is published and updated, a business entity's cybersecurity program continues to meet the requirements of a program under this section if the entity updates the program to meet the updated standard not later than the later of:
- (1) the implementation date published in the updated standard; or
- (2) the first anniversary of the date on which the updated standard is published.
Added by Acts 2025, 89th Leg., R.S., Ch. 1029 (S.B. 2610), Sec. 1, eff. September 1, 2025.