(a) Each state agency implementing an Internet website or mobile application that processes any sensitive personal or personally identifiable information or confidential information must:
(1) submit a biennial data security plan to the department not later than June 1 of each even-numbered year to establish planned beta testing for the website or application; and
(2) subject the website or application to a vulnerability and penetration test and address any vulnerability identified in the test.
(b) The department shall review each data security plan submitted under Subsection (a) and make any recommendations for changes to the plan to the state agency as soon as practicable after the department reviews the plan.