[BreachExchange] Texas Updates Data Breach Notification Requirements

Destry Winant destry at riskbasedsecurity.com
Wed Nov 6 09:31:07 EST 2019


https://www.jdsupra.com/legalnews/texas-updates-data-breach-notification-64078/

Effective January 1, 2020, the Texas legislature will impose new
notification requirements on businesses that maintain personal
information of customers. House Bill 4390 amends the Texas Identity
Theft Enforcement and Protection Act by requiring that Texas residents
be notified of a data security breach within sixty (60) days of the
determination that a breach has occurred. A “breach of system
security” is defined as the “unauthorized acquisition of computerized
data that compromises the security, confidentiality, or integrity of
sensitive personal information maintained by a person, including data
that is encrypted if the person accessing the data has the key
required to decrypt the data.” This Amendment marks a substantial
departure from section 521.053(b) of the former law, which only
required that businesses notify impacted individuals “as quickly as
possible” - in effect allowing businesses greater flexibility in
reporting a given data security incident.

Additionally, if a breach impacts more than 250 Texas residents, the
business responsible for maintaining the sensitive personal
information must provide notice of the incident to the Texas Attorney
General within the same 60-day time period that governs notification
of Texas residents.

The notification to the Texas Attorney General must include the
following information:

- A detailed description of the breach or the use of sensitive
  information acquired during the breach
- The number of Texas residents affected
- Measures taken to date regarding the breach
- Any measures that will be taken in the future regarding the breach
- An indication of whether law enforcement has been notified

Despite placing increased notification requirements on businesses
harboring sensitive personal information, the new bill brings Texas
more in line with breach notification laws previously implemented
around the country. House Bill 4390 also creates the Texas Privacy
Protection Advisory Council, which is tasked with studying various
data security laws domestically and abroad to prepare recommendations
for statutory changes to the Texas legislature prior to the next
legislative session beginning on January 12, 2021.

Given the imposition of a defined notification timeline, all
businesses that collect personal information from individuals in Texas
should place renewed importance on establishing a clear and concise
data security incident response plan that is circulated to the
necessary personnel. Failure to comply with notification requirements
could result in civil penalties of up to $100 per person or $250,000.
Whether this Amendment simultaneously results in an increase of
activity at the office of the Texas Attorney General remains to be
seen.

