The new reporting obligation — which gives local government a 48-hour window — was passed on Sept. 1 and applies to counties, cities, special districts, schools and more. If any of these local entities are hit with ransomware, or if they discover — or even suspect — a system security breach, they must inform the Texas Department of Information Resources (DIR). Local governments must then follow up within 10 days of “incident eradication, closure, and recovery” to give DIR their analysis of the incident, per a press release emailed to media.
State agencies and higher education institutions were already required to report to DIR. State entities will continue following existing reporting processes, and the new portal is just for local government.
“With both state and local government entities reporting cybersecurity incidents to the state, DIR will have a more complete picture of the cyber threats Texas is facing,” State Cybersecurity Coordinator Tony Sauerhoff said in a press release. “DIR is here to assist state and local governments in the aftermath of a cyber incident. Sharing threat intelligence gained from these reports with other entities will prevent additional cyberattacks aimed at Texas.”
Most states require government entities to notify individuals when there are security breaches impacting personally identifiable information, per the National Conference of State Legislatures. But increasingly, states are looking for more information about breaches and seeking insights into a wider array of cybersecurity incidents, aiming to offer support and better understand the changing nature of threats and needs.
When exactly to require reporting is often debated. Indiana officials previously told GovTech that their state’s law sought a reporting timeline fast enough that the state got intel in time to warn other potential victims, but also long enough to avoid overburdening local governments in the midst of incident response.
States have taken varied approaches. On the longer end is West Virginia’s 2021 law allowing state and local entities 10 days to inform the Cybersecurity Office about certain incidents. Meanwhile, New Jersey’s 2023 law gives 72 hours for public schools, government contractors and state and local governments to report. Indiana aligns with Texas, with a 48-hour reporting law for local governments.
Meanwhile, Georgia passed a 2021 law requiring local entities to report “all cyber incidents” that cause some or all critical business systems to become unavailable, and to do so within an hour. Likewise, Maryland’s 2022 policy tells local entities to report qualifying attacks within an hour of confirming they’ve detected an incident. There’s some leeway: if they need more time to confirm that “a reportable cyber incident” occurred, entities can take up to four hours from detection. And North Dakota advises public entities to inform the state of cybersecurity incidents as soon as they discover them.
On the national level, the federal government is working to enact a law obligating critical infrastructure owners and operators to report cyber incidents to the Cybersecurity and Infrastructure Security Agency. Details are still being hammered out before that law — the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) — goes into effect. But the federal government has had to wrestle with the reporting timeline, too, and has settled on 72 hours for reporting security incidents and 24 hours for reporting ransomware payments.