Texas amends data breach notification law

Texas has amended its data breach notification law to create new reporting requirements and deadlines. 

The amendments, effective Jan. 1, 2020, require an entity that experiences a data breach to notify impacted individuals within 60 days of discovery. Previously, the law only required notice to impacted residents “as quickly as possible.” Additionally, the new law requires notification to the Texas Attorney General, also within 60 days of discovery, if a breach impacts more than 250 Texas residents. The Attorney General notification must include a detailed description of the nature and circumstances of the breach or the use of the sensitive information acquired as a result of the breach; the number of Texas residents impacted by the breach; measures taken or intended to be taken in response to the breach; and information concerning whether law enforcement is investigating the breach. The law previously did not require notice to be made to the Texas Attorney General.

Of interest, the law also creates an advisory body that is to study data privacy laws of Texas, other states, and foreign nations, and provide recommended changes to Texas civil and criminal law concerning data privacy and protection. This new body is separate from two other bodies that Texas established last month to address concerns of cyber threats facing its utilities and electric cooperatives.  Will Texas become another state seeking to pass comprehensive data privacy legislation, following in the footsteps of California?  We will have to wait and see.

Attorneys from McDonald Hopkins’ Data Privacy and Cybersecurity Practice Group are monitoring legislative activity in this space and are available to assist business entities comply with rapidly changing data breach notification laws.