How and Where to Report Cyber Incidents in Texas

Cyber incident reporting in Texas operates across a layered structure of state agencies, federal bodies, and sector-specific regulators — each with distinct jurisdiction, intake processes, and mandatory timelines. State agencies, local governments, healthcare entities, and private businesses face different reporting obligations depending on their sector classification and the nature of the incident. Understanding which body receives a report, when that report is due, and what information must be included is essential for any organization operating within Texas.

Definition and scope

A cyber incident, for reporting purposes, is any event that compromises the confidentiality, integrity, or availability of an information system or the data it processes. Under Texas Government Code, Chapter 2054, Subchapter N-1, state agencies and institutions of higher education are required to report cybersecurity incidents to the Texas Department of Information Resources (DIR). DIR defines a reportable incident in its published security standards as any event that has, or has the potential to have, a significant adverse impact on state information resources.

For private-sector entities, the reporting trigger shifts to breach notification obligations under Texas Business & Commerce Code §521.053, which requires notification when sensitive personal information has been acquired by an unauthorized party. The notification must reach affected Texas residents within 60 days of breach discovery.

Scope of this page: This reference covers reporting requirements applicable within Texas — specifically to state agencies, local governments, healthcare organizations, and businesses subject to Texas law. Federal preemption applies in sectors such as telecommunications (FCC jurisdiction) and financial services (GLBA, enforced by the FTC and federal banking regulators). Federally chartered institutions, tribal entities, and organizations whose data flows cross international borders face additional obligations not fully addressed here. For the full statutory and regulatory architecture, see the Regulatory Context for Texas Cybersecurity reference.

How it works

Incident reporting in Texas follows distinct pathways depending on the reporting entity's classification.

For state agencies and higher education institutions:

  1. Detect and contain — The agency's security operations team identifies and isolates the incident per DIR's Security Control Standards Catalog, which aligns with NIST SP 800-61 (Computer Security Incident Handling Guide, NIST CSRC).
  2. Report to DIR — Agencies submit a report through the DIR Cybersecurity Incident Reporting portal within the timeframe specified in the agency's incident response plan. DIR uses these reports to coordinate statewide threat intelligence.
  3. Notify CISA if critical infrastructure — The Cybersecurity and Infrastructure Security Agency (CISA) operates a 24/7 reporting line and web form for incidents affecting critical infrastructure, including energy, water, and transportation systems operating in Texas. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) further codifies federal reporting obligations for covered entities.
  4. Engage law enforcement — The Texas Department of Public Safety (DPS) and the FBI's Internet Crime Complaint Center (IC3) are the primary law enforcement recipients for criminal cyber incidents, including ransomware, fraud, and data theft.

For private businesses subject to breach notification:

The site index provides a complete map of reference materials covering these parallel reporting tracks across sectors.

Common scenarios

Ransomware attack on a state agency: The agency immediately reports to DIR, notifies CISA (given the potential critical infrastructure nexus), and files a report with the FBI's IC3. If personal data was exfiltrated before encryption, breach notification obligations under §521.053 may also apply. Texas-specific ransomware threat context is detailed in Texas Ransomware Threats and Response.

Healthcare provider data breach: A hospital experiencing unauthorized access to electronic protected health information (ePHI) must report to HHS OCR under HIPAA and, if Texas residents are affected and the threshold is met, to the Texas Attorney General. HIPAA requirements apply regardless of Texas statute — these are parallel, not alternative, obligations.

Municipal government network intrusion: Local governments in Texas operate under different DIR authority than state agencies. A city or county experiencing a network intrusion should contact DIR's Security Operations Center and file with CISA if critical services are affected. Additional guidance on local government obligations appears in Texas Cybersecurity for Local Governments.

Small business phishing compromise: A private Texas business with no state contracts that suffers a phishing attack resulting in unauthorized access to customer financial data should report to the FBI's IC3, notify affected individuals within 60 days, and — if 10,000 or more residents are affected — notify the Texas AG. DIR has no direct regulatory authority over private companies lacking state contracts.

Decision boundaries

The correct reporting channel depends on three classification questions:

| Factor | State/Public Entity | Private Business | Healthcare Entity |
|---|---|---|---|
| Primary regulator | Texas DIR | Texas AG (breach notification) | HHS OCR + Texas AG |
| Incident report recipient | DIR + CISA (if critical infrastructure) | FBI IC3, CISA (optional) | HHS OCR, FBI IC3 |
| Notification timeline | DIR's incident response plan | 60 days (§521.053) | 60 days (HIPAA) |
| Law enforcement | DPS, FBI IC3 | FBI IC3 | FBI IC3 |

DIR authority vs. Texas AG authority: DIR governs security practices and incident reporting for state entities; the Texas AG holds civil enforcement authority over breach notification failures for all entities holding Texas resident data. These are distinct jurisdictions that can both apply to the same incident if the affected organization is a state contractor.

CISA voluntary vs. CIRCIA mandatory reporting: Before CIRCIA's implementing rules take full effect, CISA reporting remains voluntary for most entities. However, critical infrastructure operators — including Texas energy sector entities and water utilities — face mandatory federal reporting requirements that run alongside, not instead of, state-level obligations. See Texas Cybersecurity for Energy Sector and Texas Critical Infrastructure Protection for sector-specific thresholds.

Texas law vs. federal preemption: Texas breach notification law applies to any entity holding sensitive personal information on Texas residents. Federal law preempts Texas statute in specific sectors — national banks report to the Office of the Comptroller of the Currency, not the Texas AG. Organizations uncertain about their primary regulator should consult the statutory architecture described in Reporting Cyber Incidents in Texas alongside the DIR and Texas AG guidance documents linked below.

