Texas to Publish Data Breach Notifications

Lawmakers in Texas have passed a bill requiring notices to be published online of any data breaches involving the personal information of 250 or more Lone Star State residents.

The unanimously passed House Bill 3746, which amends the Texas Business and Commerce Code §521.053, requires the Texas Attorney General's Office to post the breach notifications to its public-facing website.

Notifications must be uploaded to the website within 30 days of receipt, and listings of organizations impacted by a data breach must remain in place for a period of 12 months.

A listing will only be removed if the individual or company does not suffer any further data breaches affecting 250 or more Texas residents during the year-long listing period. 

Under current Texas law, notifications that a security system has been breached must be sent to the state Attorney General within 60 days of detection. 

Included in the breach notice must be a detailed description of the scope of the breach, how it happened, and what sensitive information may have been compromised, exfiltrated, stolen or deleted in the security incident.

Though it may not be a final tally, another detail that must be included in the data breach notice is the number of individuals known to be impacted by the breach at the time it is reported to the State Attorney General. 

Breached individuals and organizations cannot simply report a data breach incident to the Attorney General's Office and walk away. Their notice must include a description of what measures were taken to mitigate the breach and details of what future actions will be taken regarding the incident.

The Office must be informed as to whether law enforcement has been notified and is investigating the breach. It must also be instructed over how many Texas residents have been notified about the breach, by mail or another direct method of communication, at the time the incident is reported.

Before it becomes law, the bill must be signed by Texas governor Greg Abbott. Should it be graced with Abbott's signature, the law will take effect from September 1, 2021.

By passing the new bill, the Texas Legislature has followed in the footsteps of California and Maine.

What’s Hot on Infosecurity Magazine?