On June 14, Texas Governor Greg Abbott signed House Bill 3746, which amends Texas’s data breach notification law. In doing so, Texas joins other states in requiring its attorney general to maintain a public listing of data breaches on its website. The amendments take effect September 1, 2021.
What does the Texas data breach reporting law require?
Texas Business and Commerce Code § 521.053 requires businesses to notify individuals and the Texas Attorney General after discovering or receiving notification of “any breach of system security.” The notice must go to any individual whose sensitive personal information was, or is reasonably believed to have been, breached within 60 days. The Texas Attorney General must be notified within 60 days if the breach involves at least 250 Texas residents.
HB 3746 makes two main changes to Texas’s breach notification requirements. First, HB 3746 now requires that the following be included in the notification to the Texas Attorney General:
- the number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification;
- a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;
- the number of residents of this state affected by the breach at the time of notification;
- the measures taken by the person regarding the breach;
- any measures the person intends to take regarding the breach after the notification under this subsection; and
- information regarding whether law enforcement is engaged in investigating the breach.
Second, HB 3746 creates a public listing requirement on the part of the Texas Attorney General. Specifically, the Attorney General’s office must publish on its website a current list of all data breach notifications it has received. Notifications are added to the list within thirty days and are removed within the year “if the person who provided the notification has not notified the attorney general of any additional breaches.”
Is this a growing trend?
Texas is not alone in revisiting its data breach notice requirements. Texas is also not alone in requiring a public listing of data breaches. California has a similar requirement, although it is for breaches affecting 500 or more California residents. Maine and Washington also maintain similar lists.
As cybersecurity issues continue to evolve and compliance issues continue to pose significant threats to businesses, Thompson Coburn’s attorneys are closely monitoring privacy-related legislative developments nationwide. For questions, please contact the Thompson Coburn lawyer with whom you usually work, the authors, or any member of the firm’s Cybersecurity, Privacy and Data Governance practice group.
Libby Casale is an associate in Thompson Coburn’s Business Litigation practice group.