State Infrastructure Protection Act
Model Bill Info | |
---|---|
Bill Title | State Infrastructure Protection Act |
Date Introduced | July 28, 2022 |
Type | Model Policy |
Status | Final |
Task Forces | Federalism and International Relations; Communications and Technology |
Keywords | International relations, privacy and security |
State Infrastructure Protection Act
AN ACT relating to prohibiting contracts or other agreements with certain foreign-owned companies in connection with critical infrastructure in this state.
BE IT ENACTED BY THIS LEGISLATIVE CHAMBER:
SECTION 1. This Act may be cited as the State Infrastructure Protection Act.
SECTION 2. The relevant section or chapter of the business or commerce code is amended as follows:
PROHIBITION ON AGREEMENTS WITH CERTAIN FOREIGN-OWNED COMPANIES IN CONNECTION WITH CRITICAL INFRASTRUCTURE
DEFINITIONS. In this section:
(1) “Company” means a sole proprietorship, organization, association, corporation, partnership, joint venture, limited partnership, limited liability partnership, or limited liability company, including a wholly owned subsidiary, majority-owned subsidiary, parent company, or affiliate of those entities or business associations, that exists to make a profit.
(2) “Critical infrastructure” means a communication infrastructure system, cybersecurity system, electric grid, hazardous waste treatment system, or water treatment facility.
(3) “Cybersecurity” means the measures taken to protect a computer, computer network, computer system, or other technology infrastructure against unauthorized use or access.
(4) “Designated country” means a country designated by the governor as a threat to critical infrastructure under the relevant legislation or code.
(6) “Access to” means the ability to approach or enter critical infrastructure.
(7) “Control of” means the ability to manage and/or manipulate critical infrastructure.
(8) “Provider” means a company that provides utility services, such as a power company or a city.
(9) “Utility services” means the end product provided to a consumer, such as power or water.
PROHIBITED ACCESS TO CRITICAL INFRASTRUCTURE.
(a) A business entity may not enter into an agreement relating to critical infrastructure in this state with a company:
(1) if, under the agreement, the company would be granted direct or remote access to or control of critical infrastructure in this state, excluding access specifically allowed by the business entity for product warranty and support purposes; and
(2) if the business entity knows that the company is:
(A) owned by or the majority of stock or other ownership interest of the company is held or controlled by:
(i) individuals who are citizens of China, Iran, North Korea, Russia, or a designated country; or
(ii) a company or other entity, including a governmental entity, that is owned or controlled by citizens of or is directly controlled by the government of China, Iran, North Korea, Russia, or a designated country; or
(B) headquartered in China, Iran, North Korea, Russia, or a designated country.
(b) The prohibition described by Subsection (a) applies regardless of whether:
(1) the company’s or its parent company’s securities are publicly traded; or
(2) the company or its parent company is listed on a public stock exchange as:
(A) a Chinese, Iranian, North Korean, or Russian company; or
(B) a company of a designated country.
(c) The prohibition described in Subsection (a) does not apply to a consumer’s receipt of utility services from a provider.
DESIGNATION OF COUNTRY AS THREAT TO CRITICAL INFRASTRUCTURE.
The governor, after consultation with the public safety director of the Department of Public Safety, may designate a country as a threat to critical infrastructure for purposes of this chapter.
(b) The governor shall consult the Homeland Security Council, established under the relevant government code, to assess a threat to critical infrastructure for purposes of making a designation under this section.
The relevant government code is amended to read as follows:
PROHIBITION ON CONTRACTS WITH CERTAIN FOREIGN-OWNED COMPANIES IN CONNECTION WITH CRITICAL INFRASTRUCTURE
DEFINITIONS. In this section:
(1) “Company” means a sole proprietorship, organization, association, corporation, partnership, joint venture, limited partnership, limited liability partnership, or limited liability company, including a wholly owned subsidiary, majority-owned subsidiary, parent company, or affiliate of those entities or business associations, that exists to make a profit.
(2) “Critical infrastructure” means a communication infrastructure system, cybersecurity system, electric grid, hazardous waste treatment system, or water treatment facility.
(3) “Cybersecurity” means the measures taken to protect a computer, computer network, computer system, or other technology infrastructure against unauthorized use or access.
(4) “Designated country” means a country designated by the governor as a threat to critical infrastructure under Section 2274.0103.
(5) “Governmental entity” means a state agency or political subdivision of this state.
(6) “Access to” means the ability to approach or enter critical infrastructure.
(7) “Control of” means the ability to manage and/or manipulate critical infrastructure.
(8) “Provider” means a company that provides utility services, such as a power company or a city.
(9) “Utility services” means the end product provided to a consumer, such as power or water.
PROHIBITED CONTRACTS.
(a) A governmental entity may not enter into a contract or other agreement relating to critical infrastructure in this state with a company:
(1) if, under the contract or other agreement, the company would be granted direct or remote access to or control of critical infrastructure in this state, excluding access specifically allowed by the governmental entity for product warranty and support purposes; and
(2) if the governmental entity knows that the company is:
(A) owned by or the majority of stock or other ownership interest of the company is held or controlled by:
(i) individuals who are citizens of China, Iran, North Korea, Russia, or a designated country; or
(ii) a company or other entity, including a governmental entity, that is owned or controlled by citizens of or is directly controlled by the government of China, Iran, North Korea, Russia, or a designated country; or
(B) headquartered in China, Iran, North Korea, Russia, or a designated country.
(b) The prohibition described by Subsection (a) applies regardless of whether:
(1) the company’s or its parent company’s securities are publicly traded; or
(2) the company or its parent company is listed on a public stock exchange as:
(A) a Chinese, Iranian, North Korean, or Russian company; or
(B) a company of a designated country.
(c) The prohibition described in Subsection (a) does not apply to a consumer’s receipt of utility services from a provider.
DESIGNATION OF COUNTRY AS THREAT TO CRITICAL INFRASTRUCTURE.
(a) The governor, after consultation with the public safety director of the Department of Public Safety, may designate a country as a threat to critical infrastructure for purposes of this chapter.
(b) The governor shall consult the Homeland Security Council to assess a threat to critical infrastructure for purposes of making a designation under this section.
SECTION 4. The relevant Business & Commerce Code, as added by this Act apply to a contract or agreement entered into on or after the effective date of this Act.
SECTION 5. This Act takes effect immediately if it is adopted by both state legislative chambers in accordance with the state constitution.