Texas Breach Notification Law Amended, Changes Effective September 1, 2021
Texas’s data breach notification law was recently amended to require the state’s Attorney General to post notice of data breaches on a public website within 30 days of receiving notice of the data breach. It also requires companies to provide the AG with more information when notifying the AG of a breach.
Under existing Texas law, data breaches that impact 250 or more Texas residents must be reported to the state Attorney General within 60 days of becoming aware of the breach. Such notice currently requires companies to describe the breach, steps taken “regarding the breach,” whether law enforcement was involved, and the number of impacted state residents. Under the amended law, businesses will also be required to report the number of impacted Texans who were sent notice of the breach.
The new amendment also requires the Texas Attorney General to maintain a publicly accessible list of breach notifications submitted to the Attorney General’s Office. Within 30 days of receiving a data breach notification, the Texas AG must post a notice of such breach to its website. In posting such notice, the AG is instructed to exclude reported sensitive personal information, information that may compromise a system’s security, or information that is confidential by law. Such notice is to be removed from the website after one year if the business reporting such breach does not report another breach during that period.
Putting it Into Practice: This change means that Texas, like Puerto Rico, will now require the Attorney General to publicly post the breach notices it receives from companies. While other states’ AGs do engage in this practice, it will be mandated under Texas law. Companies should keep this in mind when drafting any potentially required notice to the Texas AG.