Texas recently amended its breach notification statute to shorten the time businesses have to notify the state Attorney General after a data breach affecting 250 or more Texas residents. As of September 1, businesses must notify the Attorney General within 30 days from when they determine that a breach has occurred. Previously, businesses had up to 60 days.
Texas’ amended law requires businesses to notify the state Attorney General via a form that can be accessed and submitted through the AG website.
In addition to these amendments to the breach notification statute, Texas updated the timeline and process for state agency and local governments to notify individuals of a data breach and added requirements for reporting to the state Department of Information Resources. The law now requires local governments and state agencies that own, license, or maintain sensitive personal information, confidential information, or regulated data sets to comply with the notification requirements of Texas Business & Commerce Code § 521.053 and to report certain data security incidents within 48 hours of discovery. The reports must be made to the DIR, or alternatively (if the security incident includes election data) the Texas Secretary of State.
Under the statute, a “security incident” is a breach or suspected breach of system security, as defined by the Texas data breach notification statute, and the introduction of ransomware into a computer, computer network, or computer system.
State agencies and local governments must report the details and the cause of a security incident to the DIR and the Texas Chief Information Security Officer within 10 days of the eradication, closure, and recovery from the security incident. Reporting forms may be found on the DIR website.
By shortening the reporting period and requiring reporting through a web form, Texas has signaled that the state is paying increased attention to data breaches and security incidents. This shift in approach follows a national trend, which seems to recognize the ever-increasing integration of computer systems into our everyday lives, and that government organizations host a significant amount of personal, financial, and security-related data.
Florida, Colorado, and Washington have also recently shortened their breach reporting periods to 30 days.
Businesses should continue to review and update incident response plans to reflect these and other legislative changes. It is also important to stay informed of current cybersecurity threats, identify and address vulnerabilities, and confirm the adequacy of administrative, technical and physical controls.
The Constangy Cybersecurity & Data Privacy Team assists businesses of all sizes and industries develop a comprehensive incident response plan or support with a breach. We are here to help! The Constangy Cyber Team is available 24/7. Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.
- Partner
Laura is a member of the Constangy Cyber Team and brings more than a decade of experience ensuring clients are fully informed of their potential legal obligations under federal and state data breach notification statutes by ...
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
Subscribe
Contributors
- Suzie Allen
- John Babione
- Matthew Basilotto
- Bert Bender
- Ansley Bryan
- Jason Cherry
- Christopher R. Deubert
- Maria Efaplomatidis
- Rebecca D.C. Eng
- Laura Funk
- Lauren Godfrey
- Taren N. Greenidge
- Seth Greenwald
- Chasity Henry
- Julie Hess
- Sean Hoar
- Donna Maddux
- David McMillan
- Victoria Okraszewski
- Ashley L. Orler
- Todd Rowe
- Melissa J. Sachs
- Scott Satkin
- Allen Sattler
- Brent Sedge
- Ryan Steidl
- Matthew Toldero
- Alyssa Watzman
- Aubrey Weaver
- Robert R. Wennagel
- Rob Yang
Archives
- April 2025
- March 2025
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023