January 30, 2023

Volume XIII, Number 30


January 27, 2023


Texas Updates Data Breach Notification Requirements

Effective January 1, 2020, the Texas legislature will impose new notification requirements on businesses that maintain personal information of customers. House Bill 4390 amends the Texas Identity Theft Enforcement and Protection Act by requiring that Texas residents be notified of a data security breach within sixty (60) days of the determination that a breach has occurred. A “breach of system security” is defined as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.” This Amendment marks a substantial departure from section 521.053(b) of the former law, which only required that businesses notify impacted individuals “as quickly as possible,” in effect allowing businesses greater flexibility in reporting a given data security incident.

Additionally, if a breach impacts more than 250 Texas residents, the business responsible for maintaining the sensitive personal information must provide notice of the incident to the Texas Attorney General within the same 60-day time period that governs notification of Texas residents.

The notification to the Texas Attorney General must include the following information:

  • A detailed description of the breach or the use of sensitive information acquired during the breach

  • The number of Texas residents affected

  • Measures taken to date regarding the breach

  • Any measures that will be taken in the future regarding the breach

  • An indication of whether law enforcement has been notified

Despite placing increased notification requirements on businesses harboring sensitive personal information, the new bill brings Texas more in line with breach notification laws previously implemented around the country. House Bill 4390 also creates the Texas Privacy Protection Advisory Council, which is tasked with studying various data security laws domestically and abroad to prepare recommendations for statutory changes to the Texas legislature prior to the next legislative session beginning on January 12, 2021.

Given the imposition of a defined notification timeline, all businesses that collect personal information from individuals in Texas should place renewed importance on establishing a clear and concise data security incident response plan that is circulated to the necessary personnel. Failure to comply with notification requirements could result in civil penalties of up to $100 per person or $250,000. Whether this Amendment simultaneously results in an increase of activity at the office of the Texas Attorney General remains to be seen.

© 2023 Wilson Elser. National Law Review, Volume IX, Number 305

About this Author

Gregory Bautista, Wilson Elser, Civil Litigation Lawyer, Data Privacy matters Attorney

Gregory Bautista is an experienced civil litigator with a focus on data breach response. He is keenly aware of the growing importance of assisting clients in developing and implementing data security risk management measures related to the receipt and use of highly sensitive and confidential data. Greg provides his clients with knowledge and guidance on information governance and e-discovery matters. He has embraced the concept of information governance, which melds the disciplines that exist in all businesses into a powerful enterprise-wide strategy.

William Douglas Sanders Associate Wilson Elser Asbestos Complex Tort & General Casualty Toxic Tort

William Sanders practices in all aspects of active litigation and has tried more than 25 cases to verdict. Through his extensive experience, William has become adept at motion practice, depositions and negotiating favorable settlements on behalf of his clients. 

During law school, William clerked with the Honorable Judge Craig Smith in the 192nd Civil District Court in Dallas County. He has obtained a number of successful personal injury verdicts brought against defendants, concentrating his practice in personal injury as well as toxic tort matters.