Texas’ data breach law update gives businesses plenty to consider
Texas recently amended its data breach notification law, providing a few noteworthy changes. The amended law took effect on September 1, 2023, and entities conducting business in the state should contemplate the provisions carefully.
New timeline and reporting
The primary point of focus of the amendment is the time period entities have to report breaches to the state Attorney General, shortening that period from 60 days to 30 days. Only Vermont and Puerto Rico have shorter deadlines for reporting – 14 business days and 10 days, respectively.
Additionally, the amendment requires the attorney general to create a mechanism for electronic submissions of breaches. This new reporting form is broken out into six parts involving the following:
- Part A - Identifying information of the business;
- Part B - Detailed description of the nature and circumstances of the breach (discovery date, start date if known, end date if known), types of personal information involved in the breach, whether information was encrypted, and type of breach (phishing, ransomware, credential compromise, etc.), along with location of breached information;
- Part C - Measures taken by the entity regarding the breach, such as notification provided to individuals, training, security measures, policy updates, etc.;
- Part D - Number of persons affected (total and the Texas-specific number);
- Part E - Law enforcement notifications; and
- Part F - Information on the submission form (who is submitting it and relationship to organization).
While the changes to the existing statute are few, entities operating in Texas need to understand the new requirements and comply with them.
What businesses should consider
Entities should be mindful of the information included on the new notification form, as it could be considered a public record, given the mandate that the attorney general shall publish a list of notifications received. This means that individuals and plaintiffs’ attorneys could access the information in the form, though the amendment also requires the removal of the posted notifications after one year. While there were changes to the deadline and mechanism for reporting breaches to the attorney general, the threshold requirement of 250 Texas residents remains the same.
Businesses should note that the deadline to notify individuals under the amended law is the same 60-day period as in the original statute. That is not an invitation to delay notifications, particularly considering that the updated form requires noting in Part C whether individuals have been notified.
If you have questions about your company’s compliance with cyber regulations, concerns about vulnerability to a ransomware attack or other breach, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team. You can also find additional legislative updates by going to McDonald Hopkins Legal Insights.