(1) “Commission” means the Tennessee public utilities commission; and(2) “Utility” means a public utility that provides electric, water, wastewater, or natural gas services.(b)(1) By July 1, 2023, or within one (1) year after a utility is formed, whichever is later, a utility shall prepare and implement a cyber security plan to provide for the protection of the utility’s facilities from unauthorized use, alteration, ransom, or destruction of electronic data. The utility shall annually submit documentation of the utility’s compliance with this section to the commission by July 1.(2) The documentation required by this section must be made in writing and under oath by the chief executive officer, president, or other person with an equivalent role of the utility.(c) A utility shall assess and update the cyber security plan implemented pursuant to this section no less frequently than once every two (2) years to address new threats.(d) A utility that fails to comply with this section is subject to reasonable sanctions ordered by the commission as described in rule. The fees collected from civil penalties under this section must be remitted to the commission for enforcement of this section.(e) The commission shall enforce this section and may promulgate rules necessary to effectuate this section. The rules must be promulgated in accordance with the Uniform Administrative Procedures Act, compiled in title 4, chapter 5.(f) The commission shall include with the annual report required under § 65-1-111, a separate report regarding compliance with this section to the chair of the commerce committee of the house of representatives, the chair of the commerce and labor committee of the senate, the department of safety, and the legislative librarian. The report must include, at a minimum, information on the utilities that have failed to comply with this section.
