Texas Cybersecurity Laws and Statutes
Texas cybersecurity law spans multiple statutory frameworks, regulatory agencies, and sector-specific mandates that collectively govern how public entities and private businesses handle data security, breach notification, and incident response. This page maps the primary statutes, enforcement bodies, classification boundaries, and structural tensions within the Texas legal landscape. Practitioners, compliance officers, and researchers will find here a structured reference to the codified requirements that apply across state agencies, local governments, educational institutions, and commercial operators.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
Texas cybersecurity law encompasses statutes, administrative codes, and regulatory standards that impose obligations related to information security, sensitive data protection, breach notification, and incident reporting on entities operating within the state. The primary legislative instruments are Texas Government Code, Chapter 2054, which governs state agencies and institutions of higher education, and Texas Business & Commerce Code, Chapter 521, which applies to private businesses holding sensitive personal information about Texas residents.
These frameworks do not operate in isolation. Federal statutes — including HIPAA for healthcare, the Gramm-Leach-Bliley Act for financial institutions, and FERPA for educational records — coexist with and, in some cases, supersede state requirements. The Texas Privacy Protection Act and its relationship to consumer data standards represent a separate but adjacent body of law that intersects with these frameworks.
Scope and geographic boundaries: This reference covers statutes enacted by the Texas Legislature and administrative standards issued by Texas state agencies. It addresses obligations applicable to Texas-based entities and to out-of-state entities that hold personal information on Texas residents. Multi-jurisdictional situations — such as international data transfers, multi-state class actions, or obligations under federal preemption doctrines — are not fully addressed here. The Regulatory Context for Texas Cybersecurity provides a detailed treatment of how state law interacts with federal frameworks. A broad orientation to the statutory and regulatory landscape is also available through the Texas Security Authority index.
Core mechanics or structure
Texas Government Code, Chapter 2054
Chapter 2054 is the foundational public-sector cybersecurity statute. Subchapter N-1, added by House Bill 3834 during the 86th Legislative Session (2019), codifies three core obligations for state agencies:
- Cybersecurity training — All state employees who use a computer as part of their regular duties must complete annual cybersecurity awareness training certified by the Texas Department of Information Resources (DIR) (Texas Gov. Code §2054.512).
- Cybersecurity incident reporting — State agencies must report cybersecurity incidents to DIR within a defined timeframe, and DIR coordinates with the Texas Division of Emergency Management (TDEM) when incidents threaten critical infrastructure.
- Biennial security plans — Agencies submit biennial information security plans to DIR, which publishes aggregated findings through its Statewide Information Security Assessment.
The Texas Cybersecurity Framework, administered by DIR, aligns to the NIST Cybersecurity Framework (CSF) and prescribes minimum security controls for all covered state entities under Texas Government Code §2054.133. The framework covers five functions: Identify, Protect, Detect, Respond, and Recover — matching NIST CSF's structure as documented at the NIST Computer Security Resource Center (CSRC).
Texas Business & Commerce Code, Chapter 521
Chapter 521 governs private-sector handling of sensitive personal information, defined as an individual's first name or first initial and last name combined with at least one of: Social Security number, driver's license number, financial account number with access credentials, or similar identifiers. Key provisions include:
- §521.052 — Businesses must implement reasonable procedures to protect sensitive personal information from unauthorized access.
- §521.053 — Breach notification must be sent to affected Texas residents not more than 60 days after discovery of a breach, with notification to the Texas Attorney General (OAG) when the breach affects 250 or more Texas residents (Texas B&C Code §521.053).
Supporting Statutes
- Texas Education Code §11.175 requires school district boards to adopt cybersecurity policies and designates a cybersecurity coordinator role at the district level.
- Texas Health & Safety Code provisions intersect with HIPAA for healthcare entities operating under state licensure.
- The Identity Theft Enforcement and Protection Act (Texas B&C Code Chapter 521, Subchapter B) gives the OAG civil enforcement authority, including the ability to seek injunctions and civil penalties.
Causal relationships or drivers
The current statutory architecture emerged primarily from documented failure events and legislative pressure following high-profile incidents. The 2019 coordinated ransomware attack against 22 Texas local government entities — one of the largest simultaneous ransomware campaigns against a U.S. state's public sector — directly accelerated legislative focus on incident coordination and reporting requirements during the 86th and 87th Legislative Sessions. Texas-specific ransomware threats and their regulatory consequences are documented in the Texas Ransomware Threats and Response reference.
Three structural drivers maintain ongoing pressure on the legislative framework:
- Critical infrastructure concentration — Texas hosts a disproportionate share of U.S. energy infrastructure, including ERCOT-operated electric grid assets and Gulf Coast petrochemical facilities. The Texas Critical Infrastructure Protection framework reflects federal CISA guidance that identifies 16 critical infrastructure sectors, several of which are heavily concentrated in Texas.
- Population-scale data exposure — With a resident population exceeding 30 million, breaches affecting Texas residents trigger Chapter 521 notification obligations at scale, motivating ongoing legislative refinement of the notification threshold and timeline.
- Federal mandates cascading to state level — CISA's Binding Operational Directives and Known Exploited Vulnerabilities Catalog (CISA KEV Catalog) create de facto compliance floors that state agencies must accommodate within DIR standards.
Classification boundaries
Texas cybersecurity obligations fall into four primary classification categories based on entity type:
Category 1 — State agencies and institutions of higher education
Governed by Texas Gov. Code Chapter 2054. DIR holds direct regulatory authority. Compliance is mandatory and subject to audit by the Texas State Auditor's Office (SAO), which publishes information security audit reports at sao.texas.gov.
Category 2 — Local governments and school districts
Public school districts fall under Texas Education Code §11.175. Cities and counties face requirements under Chapter 2054 when receiving state network services or funding, but local government cybersecurity obligations are less uniformly codified than state agency requirements. The Texas Cybersecurity for Local Governments and Texas Cybersecurity for School Districts pages detail these distinctions.
Category 3 — Private businesses holding Texas resident data
Governed by Texas B&C Code Chapter 521. No minimum size threshold exempts a business from the reasonable-procedures obligation of §521.052. The 60-day notification clock applies regardless of entity size.
Category 4 — Sector-regulated entities with overlapping federal requirements
Healthcare entities (HIPAA), financial institutions (GLBA), and electric utilities in the ERCOT region (NERC CIP standards) face parallel or superseding federal requirements. These entities must satisfy both layers. For sector-specific breakdowns, see Texas Cybersecurity for Healthcare Organizations, Texas Cybersecurity for Financial Institutions, and Texas Cybersecurity for Energy Sector.
Tradeoffs and tensions
Notification timelines vs. investigation completeness
The 60-day notification window under §521.053 creates tension between the legal obligation to notify promptly and the operational reality that forensic investigations of complex breaches frequently extend beyond that window. Notifying before the full scope is known risks providing incomplete or inaccurate information; delaying notification risks regulatory exposure.
State minimums vs. federal supersession
Texas Chapter 521 establishes a floor, not a ceiling. Entities subject to HIPAA must also meet HIPAA's breach notification rules under 45 C.F.R. §§164.400–414, which likewise set a 60-day window from discovery but impose stricter risk-assessment requirements. The more stringent standard applies, creating compliance overhead for dual-regulated entities.
DIR authority over state agencies vs. local government autonomy
DIR holds direct authority over state agencies but limited direct enforcement authority over counties and municipalities, which retain significant home-rule autonomy. This gap produces uneven security posture across the public sector, a tension reflected in the Texas Public Sector Cyber Risk Management framework discussions.
Workforce availability vs. mandate scope
Texas cybersecurity training mandates and incident response requirements assume a workforce with baseline digital literacy and access to certified training programs. The Texas Cybersecurity Workforce Development landscape reveals persistent gaps in the pipeline of credentialed practitioners to staff required positions.
Common misconceptions
Misconception 1: Chapter 521 only applies to large businesses.
Correction: Texas B&C Code §521.052 imposes the reasonable-procedures obligation on any "person" who maintains sensitive personal information — a term that encompasses individuals, partnerships, corporations, and associations. No revenue or employee-count threshold appears in the statute.
Misconception 2: The 60-day clock starts when a breach becomes public.
Correction: Under §521.053, the 60-day notification window begins at the point of discovery of the breach by the entity, not at the point of public disclosure. Delayed internal discovery does not extend the legal deadline retroactively.
Misconception 3: Compliance with DIR's Texas Cybersecurity Framework satisfies all cybersecurity obligations for a state agency.
Correction: DIR's framework addresses information security posture under Chapter 2054 but does not replace HIPAA requirements for state health agencies, FERPA obligations for public universities handling student records, or CISA Binding Operational Directives applicable to systems connected to federal networks.
Misconception 4: Ransomware payments are legally prohibited in Texas.
Correction: As of the 88th Legislative Session (2023), Texas has not enacted a blanket prohibition on ransomware payments by private entities. Specific restrictions apply to state agencies and local governments under executive guidance and DIR policies, but no statute uniformly criminalizes payment by private organizations.
Misconception 5: A company with no physical presence in Texas is exempt from Chapter 521.
Correction: The statute's protections apply to sensitive personal information about Texas residents, not only information held by Texas-domiciled entities. Out-of-state entities that collect or maintain data on Texas residents are within scope.
Checklist or steps (non-advisory)
The following sequence maps the statutory compliance elements under Texas B&C Code Chapter 521 and Texas Government Code Chapter 2054. This is a structural reference — not legal advice.
Private-sector entity compliance elements (Chapter 521)
- [ ] Identify all data assets containing sensitive personal information as defined under §521.002
- [ ] Document and implement reasonable security procedures and practices appropriate to the nature of the data and the size of the organization
- [ ] Establish a breach detection and classification process capable of triggering the §521.053 notification clock upon discovery
- [ ] Prepare notification templates for affected individuals and the Texas Attorney General
- [ ] Verify whether breach volume exceeds 250 Texas residents (AG notification threshold)
- [ ] Confirm notification delivery within 60 days of discovery date
- [ ] Retain records of breach discovery, investigation timeline, and notifications sent
State agency compliance elements (Chapter 2054 / DIR Framework)
- [ ] Confirm annual cybersecurity training enrollment for all employees using state-issued computer systems, in compliance with §2054.512
- [ ] Submit biennial information security plan to DIR per §2054.133
- [ ] Implement controls aligned to the Texas Cybersecurity Framework (NIST CSF-aligned)
- [ ] Establish incident reporting protocols per DIR and TDEM requirements
- [ ] Participate in DIR's Statewide Information Security Assessment cycle
- [ ] Coordinate with CISA for critical infrastructure threat intelligence applicable to agency systems
Reference table or matrix
| Statute / Standard | Primary Authority | Entity Scope | Key Obligation | Enforcement Body |
|---|---|---|---|---|
| Texas Gov. Code Ch. 2054 (Subchapter N-1) | DIR | State agencies, public universities | Annual training, biennial security plans, incident reporting | DIR, Texas SAO |
| Texas B&C Code §521.052 | Texas Legislature | Any entity holding TX resident sensitive personal info | Implement reasonable security procedures | Texas OAG |
| Texas B&C Code §521.053 | Texas Legislature | Any entity holding TX resident sensitive personal info | Breach notification within 60 days of discovery; AG notification if ≥250 residents affected | Texas OAG |
| Texas Education Code §11.175 | Texas Legislature | Public school districts (K–12) | Board-adopted cybersecurity policies; cybersecurity coordinator designation | Texas Education Agency (TEA) |
| Texas Cybersecurity Framework | DIR | State agencies | NIST CSF-aligned minimum controls under §2054.133 | DIR |
| HIPAA Breach Notification Rule (45 C.F.R. §§164.400–414) | HHS / OCR | Covered entities and business associates | Notification within 60 days; HHS Secretary notification for breaches ≥500 individuals | HHS Office for Civil Rights |
| NERC CIP Standards | NERC / FERC | Bulk electric system operators (including ERCOT participants) | Critical infrastructure protection controls | NERC, FERC |
| GLBA Safeguards Rule (16 C.F.R. Part 314) | FTC | Financial institutions | Written information security program; incident notification to FTC within 30 days for ≥500 customers | FTC |
References
- Texas Government Code, Chapter 2054 — Texas Legislature Online
- Texas Business & Commerce Code, Chapter 521 — Texas Legislature Online
- Texas Department of Information Resources (DIR) — Information Security
- Texas Attorney General — Data Security Breaches
- Texas State Auditor's Office (SAO)
- Texas Education Code, Chapter 11 — Texas Legislature Online
- NIST Cybersecurity Framework — NIST CSRC
- NIST SP 800-53 Rev. 5 — Security and Privacy Controls
- CISA Known Exploited Vulnerabilities Catalog
- HHS HIPAA Breach Notification Rule (45 C.F.R. §§164.400–414)
- FTC Safeguards Rule (16 C.F.R. Part 314)
- NERC CIP Standards