Texas’ amended law requires businesses to notify the state Attorney General via a form that can be accessed and submitted through the AG website. 

In addition to these amendments to the breach notification statute, Texas updated the timeline and process for state agency and local governments to notify individuals of a data breach and added requirements for reporting to the state Department of Information Resources. The law now requires local governments and state agencies that own, license, or maintain sensitive personal information, confidential information, or regulated data sets to comply with the notification requirements of Texas Business & Commerce Code § 521.053 and to report certain data security incidents within 48 hours of discovery. The reports must be made to the DIR, or alternatively (if the security incident includes election data) the Texas Secretary of State.

Under the statute, a “security incident” is a breach or suspected breach of system security, as defined by the Texas data breach notification statute, and the introduction of ransomware into a computer, computer network, or computer system.

State agencies and local governments must report the details and the cause of a security incident to the DIR and the Texas Chief Information Security Officer within 10 days of the eradication, closure, and recovery from the security incident. Reporting forms may be found on the DIR website.

By shortening the reporting period and requiring reporting through a web form, Texas has signaled that the state is paying increased attention to data breaches and security incidents. This shift in approach follows a national trend, which seems to recognize the ever-increasing integration of computer systems into our everyday lives, and that government organizations host a significant amount of personal, financial, and security-related data.

Florida, Colorado, and Washington have also recently shortened their breach reporting periods to 30 days.  

Businesses should continue to review and update incident response plans to reflect these and other legislative changes. It is also important to stay informed of current cybersecurity threats, identify and address vulnerabilities, and confirm the adequacy of administrative, technical and physical controls.

The Constangy Cybersecurity & Data Privacy Team assists businesses of all sizes and industries develop a comprehensive incident response plan or support with a breach.  We are here to help!  The Constangy Cyber Team is available 24/7.  Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.