Texas amends data breach reporting requirements
By on Posted in Cybersecurity, Data Privacy

Texas recently amended its breach notification statute to shorten the time businesses have to notify the state Attorney General after a data breach affecting 250 or more Texas residents. As of September 1, businesses must notify the Attorney General within 30 days from when they determine that a breach has occurred. Previously, businesses had up to 60 days.

Texas’ amended law requires businesses to notify the state Attorney General via a form that can be accessed and submitted through the AG website. 

In addition to these amendments to the breach notification statute, Texas updated the timeline and process for state agency and local governments to notify individuals of a data breach and added requirements for reporting to the state Department of Information Resources. The law now requires local governments and state agencies that own, license, or maintain sensitive personal information, confidential information, or regulated data sets to comply with the notification requirements of Texas Business & Commerce Code § 521.053 and to report certain data security incidents within 48 hours of discovery. The reports must be made to the DIR, or alternatively (if the security incident includes election data) the Texas Secretary of State.

Under the statute, a “security incident” is a breach or suspected breach of system security, as defined by the Texas data breach notification statute, and the introduction of ransomware into a computer, computer network, or computer system.

State agencies and local governments must report the details and the cause of a security incident to the DIR and the Texas Chief Information Security Officer within 10 days of the eradication, closure, and recovery from the security incident. Reporting forms may be found on the DIR website.

By shortening the reporting period and requiring reporting through a web form, Texas has signaled that the state is paying increased attention to data breaches and security incidents. This shift in approach follows a national trend, which seems to recognize the ever-increasing integration of computer systems into our everyday lives, and that government organizations host a significant amount of personal, financial, and security-related data.

Florida, Colorado, and Washington have also recently shortened their breach reporting periods to 30 days.  

Businesses should continue to review and update incident response plans to reflect these and other legislative changes. It is also important to stay informed of current cybersecurity threats, identify and address vulnerabilities, and confirm the adequacy of administrative, technical and physical controls.

The Constangy Cybersecurity & Data Privacy Team assists businesses of all sizes and industries develop a comprehensive incident response plan or support with a breach.  We are here to help!  The Constangy Cyber Team is available 24/7.  Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.

TAGS: Cyber Team, CyberMonday, Cybersecurity, Data Breach, Data Privacy, Data Security, Texas
Facebook Twitter/X Linkedin Email
  • Laura Funk wearing a gray blazer over a dark top, arms crossed, posed against a light blue and white geometric background.
    Laura Funk
    Partner

    Laura counsels organizations in education, financial services, the public sector, and healthcare. She leads clients through data breach response from the first assessment to resolution, coordinating with digital forensics and ...

    More from Laura: Full Bio | Contact Author | Blog Posts

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 

Search

Get Updates By Email

Subscribe

Archives

Jump to Page

Constangy, Brooks, Smith & Prophete, LLP Cookie Preference Center

Your Privacy

When using this website, Constangy and certain third parties may collect and use cookies or similar technologies to enhance your experience. These technologies may collect information about your device, activity on our website, and preferences. Some cookies are essential to site functionality, while others help us analyze performance and usage trends to improve our content and features.

Please note that if you return to this website from a different browser or device, you may need to reselect your cookie preferences.

For more information about our privacy practices, including your rights and choices, please see our Privacy Policy. 

Strictly Necessary Cookies

Always Active

Strictly Necessary Cookies are essential for the website to function, and cannot be turned off. We use this type of cookie for purposes such as security, network management, and accessibility. You can set your browser to block or alert you about these cookies, but if you do so, some parts of the site will not work. 

Functionality Cookies

Always Active

Functionality Cookies are used to enhance the functionality and personalization of this website. These cookies support features like embedded content (such as video or audio), keyword search highlighting, and remembering your preferences across pages—for example, your cookie choices or form inputs during submission.

Some of these cookies are managed by third-party service providers whose features are embedded on our site. These cookies do not store personal information and are necessary for certain site features to work properly.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek