Texas Amends Data Breach Notification Law

Are you aware of the recent change to Texas’ data breach notification law? On June 14, 2021, Governor Greg Abbot signed House Bill 3746 that has amended the state’s data breach notification law. 

The original law, Business and Commerce Code  521.053 established requirements for businesses around “any breach of system security” that they were alerted to or discovered on their own to notify within 60 days, any individual who had sensitive personal information that was or is reasonably believed to have been compromised in the breach.  If the breach involves at least 250 Texas residents, the Texas Attorney General must also be notified within 60 days.    

Changes – Part One

The amendment that HB 3746 brings to this law is two-fold.  The first part requires that the following information be included with the notification to the Texas Attorney General:

  1. The number of affected Texas residents that have been sent disclosure of the breach via mail or other direct communication (at the time of the notification)
  2. Details outlining the nature and circumstances of the breach and how the sensitive personal information was used and acquired
  3. The total number of Texas residents affected by the breach (at the time of the notification)
  4. Details and information about whether law enforcement is engaged and investigating the breach
  5. Information on measures already taken by the person regarding the breach
  6. Information on intended measures that the person plans to take regarding the breach after the notification

Changes – Part Two

The second part of HB 3746 that amends the law is that a public listing requirement is now part of the Texas Attorney General’s role.  A current list of all data breach notifications that have been received by the Attorney General’s office must be published on its website within 30 days.  The listing will only be removed within the year “if the person who provided the notification has not notified the attorney general of any additional breaches”.

Growing Trend

This is not a change that Texas is taking on alone.  CaliforniaMaine, and Washington maintain similar lists, though California’s requirement is only for breaches that affect 500 or more state residents. 

Don’t let a data breach ruin your business! Contact Cyberworks today to learn more about our cybersecurity solutions.

© Cyberworks Technology Group – 2023