Texas amends data breach reporting requirements

Constangy, Brooks, Smith & Prophete, LLP

Texas recently amended its breach notification statute to shorten the time businesses have to notify the state Attorney General after a data breach affecting 250 or more Texas residents. As of September 1, businesses must notify the Attorney General within 30 days from when they determine that a breach has occurred. Previously, businesses had up to 60 days.

Texas’ amended law requires businesses to notify the state Attorney General via a form that can be accessed and submitted through the AG website. 

In addition to these amendments to the breach notification statute, Texas updated the timeline and process for state agencies and local governments to notify individuals of a data breach and added requirements for reporting to the state Department of Information Resources (DIR). The law now requires local governments and state agencies that own, license, or maintain sensitive personal information, confidential information, or regulated data sets to comply with the notification requirements of Texas Business & Commerce Code § 521.053 and to report certain data security incidents within 48 hours of discovery. The reports must be made to the DIR or, if the security incident includes election data, to the Texas Secretary of State.

Under the statute, a “security incident” is a breach or suspected breach of system security, as defined by the Texas data breach notification statute, and the introduction of ransomware into a computer, computer network, or computer system.

State agencies and local governments must report the details and the cause of a security incident to the DIR and the Texas Chief Information Security Officer within 10 days of the eradication, closure, and recovery from the security incident. Reporting forms may be found on the DIR website.

By shortening the reporting period and requiring reporting through a web form, Texas has signaled that the state is paying increased attention to data breaches and security incidents. This shift in approach follows a national trend, which seems to recognize both the ever-increasing integration of computer systems into our everyday lives and the significant amount of personal, financial, and security-related data that government organizations host.

Florida, Colorado, and Washington have also recently shortened their breach reporting periods to 30 days.  

Businesses should continue to review and update incident response plans to reflect these and other legislative changes. It is also important to stay informed of current cybersecurity threats, identify and address vulnerabilities, and confirm the adequacy of administrative, technical and physical controls.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Constangy, Brooks, Smith & Prophete, LLP | Attorney Advertising
