September 16, 2021

Volume XI, Number 259

Advertisement

September 16, 2021

Subscribe to Latest Legal News and Analysis

September 15, 2021

Subscribe to Latest Legal News and Analysis

September 14, 2021

Subscribe to Latest Legal News and Analysis

Texas Breach Notification Law Amended, Changes Effective September 1, 2021

Texas’s data breach notification law was recently amended to require the state’s Attorney General to post notice of data breaches on a public website within 30 days of receiving notice of the data breach. It also requires companies to provide the AG with more information when notifying the AG of a breach.

Under existing Texas law, data breaches that impact 250 or more Texas residents must be reported to the state Attorney General within 60 days of becoming aware of the breach. Such notice currently requires companies to describe the breach, steps taken “regarding the breach,” whether law enforcement was involved, and the number of impacted state residents. Under the amended law, businesses will also be required to report the number of impacted Texans who were sent notice of the breach.

The new amendment also requires the Texas Attorney General to maintain a publicly accessible list of breach notifications submitted to the Attorney General’s Office. Within 30 days of receiving a data breach notification, the Texas AG must post a notice of such breach to their website. In posting such notice, the AG is instructed to exclude reported sensitive personal information, information that may compromise a system’s security or information that is confidential by law. Such notice is to be removed from the website after one year if the business reporting such breach does not report another breach during that period.

Putting it Into PracticeThis change means that Texas, like Puerto Rico, will now require the Attorney General to publicly post the breach notices it receives from companies. While other states’ AGs do engage in this practice, it will be mandated under Texas law. Companies should keep this in mind when drafting any potentially required notice to the Texas AG.

Copyright © 2021, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 179
Advertisement

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Genevieve Perez, Sheppard Mullin Law Firm, Emtertainment and Digital Media Attorney
Associate

Genevieve Perez is an associate in the Entertainment and Digital Media Practice Group in the firm's New York office. Genevieve’s practice focuses on transactional matters in the entertainment, technology, media, fashion and advertising fields.

212-653-8700
Advertisement
Advertisement
Advertisement