Texas recently enacted House Bill 300 (the Law). Its primary purpose is to add significant privacy requirements to the Texas Medical Records Privacy statute, but lurking among those provisions are amendments to Texas’s breach notification law which, if triggered, purport to require notice in all 50 states.

The Law applies Texas’s breach notification requirements to organizations “conducting business” in the state of Texas. The Law does not define what “conducting business” in Texas means, but a business that maintains a physical presence in Texas or has regular commercial dealings with Texas residents likely will be covered by the Law.

If a covered business suffers a breach, the Law requires that breach notification be given to affected residents of Texas and affected residents of “another state that does not require [breach notification].” If the other state’s law also requires breach notification, then the Texas requirements are deemed satisfied when notice is provided to the other state’s residents in keeping with the other state’s law. If the other state’s law does not require notification, but Texas law applies (i.e., the business operates in the state, etc.) and would require notice, then breach notification will have to be provided to residents of the other state following Texas requirements for notification. The result is that breaches affecting residents of other states will have to be analyzed under both the law of the state where an affected person resides and Texas law to determine if breach notification is required.