(a) In this section:
(1) “Security incident” means:
(A) a breach or suspected breach of system security as defined by § 521.053, Business & Commerce Code; and
(B) the introduction of ransomware, as defined by § 33.023, Penal Code, into a computer, computer network, or computer system.
(2) “Sensitive personal information” has the meaning assigned by § 521.002, Business & Commerce Code.
(b) A state agency or local government that owns, licenses, or maintains computerized data that includes sensitive personal information, confidential information, or information the disclosure of which is regulated by law shall, in the event of a security incident:
(1) comply with the notification requirements of § 521.053, Business & Commerce Code, to the same extent as a person who conducts business in this state;
(2) not later than 48 hours after the discovery of the security incident, notify:
(A) the department, including the chief information security officer; or
(B) if the security incident involves election data, the secretary of state; and
(3) comply with all department rules relating to reporting security incidents as required by this section.

(c) Not later than the 10th business day after the date of the eradication, closure, and recovery from a security incident, a state agency or local government shall notify the department, including the chief information security officer, of the details of the security incident and include in the notification an analysis of the cause of the security incident.
(d) This section does not apply to a security incident that a local government is required to report to an independent organization certified by the Public Utility Commission of Texas under § 39.151, Utilities Code.