Texas amends data breach notification law, creates public listing of data breaches

David Duffy

Cybersecurity locks and data

On June 14, Texas Governor Greg Abbott signed House Bill 3746, which amends Texas’s data breach notification law. In doing so, Texas joins other states in requiring its attorney general to maintain a public listing of data breaches on its website. The amendments take effect September 1, 2021.

What does the Texas data breach reporting law require?

Texas Business and Commerce Code § 521.053 requires businesses to notify individuals and the Texas Attorney General after discovering or receiving notification of “any breach of system security.” The notice must go to any individual whose sensitive personal information was, or is reasonably believed to have been, breached within 60 days. The Texas Attorney General must be notified within 60 days if the breach involves at least 250 Texas residents.

HB 3746 makes two main changes to Texas’s breach notification requirements. First, HB 3746 now requires that the following be included in the notification to the Texas Attorney General:

Second, HB 3746 creates a public listing requirement on the part of the Texas Attorney General. Specifically, the Attorney General’s office must publish on its website a current list of all data breach notifications it has received. Notifications are added to the list within thirty days and are removed within the year “if the person who provided the notification has not notified the attorney general of any additional breaches.”

Is this a growing trend?

Texas is not alone in revisiting its data breach notice requirements. Texas is also not alone in requiring a public listing of data breaches. California has a similar requirement, although it is for breaches affecting 500 or more California residents. Maine and Washington also maintain similar lists.

As cybersecurity issues continue to evolve and compliance issues continue to pose significant threats to businesses, Thompson Coburn’s attorneys are closely monitoring privacy-related legislative developments nationwide. For questions, please contact the Thompson Coburn lawyer with whom you usually work, the authors, or any member of the firm’s Cybersecurity, Privacy and Data Governance practice group.

Libby Casale is an associate in Thompson Coburn’s Business Litigation practice group.

Please read before continuing

NOTICE.
Although we would like to hear from you, we cannot represent you until we know that doing so will not create a conflict of interest. Also, we cannot treat unsolicited information as confidential. Accordingly, please do not send us any information about any matter that may involve you until you receive a written statement from us that we represent you (an ‘engagement letter’).

By clicking the ‘ACCEPT’ button, you agree that we may review any information you transmit to us. You recognize that our review of your information, even if you submitted it in a good faith effort to retain us, and, further, even if you consider it confidential, does not preclude us from representing another client directly adverse to you, even in a matter where that information could and will be used against you. Please click the ‘ACCEPT’ button if you understand and accept the foregoing statement and wish to proceed.