HB5331

Regular Session

Relating to the enforceability of certain state agency and local government contract language regarding required security incident notifications.

CriticalImmediate action required

Low Cost

Effective:2025-06-20

Compliance Analysis

Key implementation requirements and action items for compliance with this legislation

Implementation Timeline

Effective Date: June 20, 2025
Compliance Deadline: Immediate. The Legislature designated this act as a "clarification of existing law," meaning it applies to all contracts currently in force, regardless of execution date.
Agency Rulemaking: No specific rulemaking is mandated for this bill; however, the Department of Information Resources (DIR) sets the underlying reporting standards. Monitor DIR announcements for updates on how this impacts joint-reporting protocols between vendors and agencies.

Immediate Action Plan

Immediate: Issue a directive to Legal and Sales teams to stop negotiating for "consent to notify" rights in Texas public sector deals.
Immediate: Update Incident Response Plans to acknowledge that Texas government clients have an independent, non-negotiable duty to report to the DIR.
30 Days: Audit active MSAs and Cyber Insurance policies held by Texas public entities to identify void clauses.
Ongoing: Monitor DIR guidance regarding the specific definition of "security incident" to ensure your contract definitions do not conflict with the state's statutory threshold for reporting.

Operational Changes Required

Contracts

Review and Revise Templates: You must immediately strip "gag clauses" from standard government contract templates. Specifically, remove any language requiring a government client to:

1. Obtain your written consent before notifying the DIR of a breach.
2. Delay notification to the DIR until your internal investigation is complete (if that delay exceeds statutory reporting limits).
3. Indemnify you for damages resulting from a mandatory statutory report.

Existing Contracts: Do not attempt to enforce these provisions in current contracts. They are void as a matter of law.

Hiring/Training

Incident Response (IR) Teams: Train IR leads and external counsel that they cannot legally block a Texas government client from reporting an incident. Your IR protocols must shift from "controlling the disclosure" to "coordinating the data" to ensure the client's report is accurate.

Claims Adjusters (Insurance): Insurers must instruct adjusters that a government entity’s unilateral report to the DIR does not constitute a breach of policy conditions regarding "voluntary admission of liability" or "unauthorized publication."

Reporting & Record-Keeping

Internal Audit: Conduct an internal audit of active public sector contracts to identify those with voided restrictive language. While you do not need to re-paper these contracts immediately, you should attach a memo to the file noting that the notification restrictions are unenforceable under HB5331.

Fees & Costs

Litigation Risk: There are no new statutory fees. However, attempting to enforce a voided restriction in court could lead to bad-faith contracting claims and liability for the government's legal fees.

Strategic Ambiguities & Considerations

Definition of "Restrict": The law voids language that "prohibits or restricts" compliance. It is currently unclear if procedural coordination clauses (e.g., "Client must provide Vendor 4 hours notice prior to DIR notification") constitute a "restriction."

*Counsel Warning:* If a procedural requirement causes the government to miss its strict statutory reporting deadline (often 48 hours or less), courts will almost certainly deem it a void restriction. Erring on the side of unimpeded reporting is the only safe harbor until case law develops.

Need Help Understanding Implementation?

Our government affairs experts can walk you through this bill's specific impact on your operations.

Schedule Consultation

Information presented is for general knowledge only and is provided without warranty, express or implied. Consult qualified government affairs professionals and legal counsel before making compliance decisions.

Legislative Timeline

This bill's path through the Texas Legislature

TopicsCity Government City Government--general County Government County Government--general Electronic Information Systems Insurance Insurance--general State Agencies, Boards & Commissions Purchasing Purchasing--local Purchasing--state

Official Analysis

View HRO Analysis View All Bill Documents

BILL ANALYSIS

H.B. 5331

By: Dean

Delivery of Government Efficiency

Committee Report (Unamended)

BACKGROUND AND PURPOSE

The bill author has informed the committee that state agencies and local governments often purchase cybersecurity insurance to help manage the risk of cyberattacks. However, some policies may include clauses that restrict or prohibit the disclosure of cybersecurity incidents, conflicting with the requirement in state law to report cyberattacks to the Texas Department of Information Resources within 48 hours of discovery. H.B. 5331 seeks to ensure that public entities are not contractually restricted from fulfilling their legal obligations under state law by clarifying that any language in a cybersecurity insurance contract or other contract for goods and services that prevents a state agency or local government from complying with required security incident notifications is void and unenforceable.

CRIMINAL JUSTICE IMPACT

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

RULEMAKING AUTHORITY

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

ANALYSIS

H.B. 5331 amends the Government Code to establish that contract language in a cybersecurity insurance contract or other contract for goods or services prohibiting or restricting a state agency's or local government's compliance with statutory provisions relating to security incident notification by a state agency or local government or otherwise circumventing the requirements of those provisions is void and unenforceable. The bill's provisions are expressly intended to clarify rather than change existing law.

EFFECTIVE DATE

On passage, or, if the bill does not receive the necessary vote, September 1, 2025.

House Authors

Rep. Jay DeanRepublican · Primary Author

Joint Authors

Phil King (R)

Bill Text(with markup)

H.B. No. 5331

View bill text in multiple formats on Texas Legislature website

Fiscal NoteView Original

	AN ACT
	relating to the enforceability of certain state agency and local
	government contract language regarding required security incident
	notifications.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
	SECTION 1. Section 2054.603, Government Code, is amended by
	adding Subsection (e) to read as follows:
	(e) Contract language in a cybersecurity insurance contract
	or other contract for goods or services prohibiting or restricting
	a state agency's or local government's compliance with this section
	or otherwise circumventing the requirements of this section is void
	and unenforceable.
	SECTION 2. Section 2054.603(e), Government Code, as added
	by this Act, is intended to clarify rather than change existing law.
	SECTION 3. This Act takes effect immediately if it receives
	a vote of two-thirds of all the members elected to each house, as
	provided by Section 39, Article III, Texas Constitution. If this
	Act does not receive the vote necessary for immediate effect, this
	Act takes effect September 1, 2025.

LEGISLATIVE BUDGET BOARD
Austin, Texas

FISCAL NOTE, 89TH LEGISLATIVE REGULAR SESSION


April 21, 2025

TO:	Honorable Giovanni Capriglione, Chair, House Committee on Delivery of Government Efficiency

FROM:	Jerry McGinty, Director, Legislative Budget Board

IN RE:	HB5331 by Dean (Relating to the enforceability of certain state agency and local government contract language regarding required security incident notifications.), As Introduced

No fiscal implication to the State is anticipated.

Local Government Impact

No fiscal implication to units of local government is anticipated.

Source Agencies:

313 Department of Information Resources

LBB Staff:

JMc, RStu, BC

Related Legislation

Explore more bills from this author and on related topics

Frequently Asked Questions

Common questions about HB5331

What does Texas HB5331 do?

Effective immediately, Texas law voids any contractual provision in Master Services Agreements (MSAs) or insurance policies that prohibits or restricts a state agency or local government from reporting a security incident to the Department of Information Resources (DIR). This legislation applies retroactively to all active contracts, meaning vendors and insurers can no longer legally enforce "consent to notify" clauses or delay government disclosures to control the public narrative of a data breach. Implementation Timeline Effective Date: June 20, 2025 Compliance Deadline: Immediate.

Who authored HB5331?

HB5331 was authored by Texas Representative Jay Dean during the Regular Session.

When was HB5331 signed into law?

HB5331 was signed into law by Governor Greg Abbott on June 20, 2025.

How urgent is compliance with HB5331?

The compliance urgency for HB5331 is rated as "critical". Businesses and organizations should review the requirements and timeline to ensure timely compliance.

What is the cost impact of HB5331?

The cost impact of HB5331 is estimated as "low". This may vary based on industry and implementation requirements.

What topics does HB5331 address?

HB5331 addresses topics including city government, city government--general, county government, county government--general and electronic information systems.

Legislative data provided by LegiScanLast updated: November 25, 2025

Need Strategic Guidance on This Bill?

Need help with Government Relations, Lobbying, or compliance? JD Key Consulting has the expertise you're looking for.