Effective January 1, 2020, the Texas legislature will impose new notification requirements on businesses that maintain personal information of customers. House Bill 4390 amends the Texas Identity Theft Enforcement and Protection Act by requiring that Texas residents be notified of a data security breach within sixty (60) days of the determination that a breach has occurred. A “breach of system security” is defined as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.” This Amendment marks a substantial departure from section 521.053(b) of the former law, which only required that businesses notify impacted individuals “as quickly as possible” − in effect allowing businesses greater flexibility in reporting a given data security incident.
Additionally, if a breach impacts more than 250 Texas residents, the business responsible for maintaining the sensitive personal information must provide notice of the incident to the Texas Attorney General within the same 60-day time period that governs notification of Texas residents.
The notification to the Texas Attorney General must include the following information:
A detailed description of the breach or the use of sensitive information acquired during the breach
The number of Texas residents affected
Measures taken to date regarding the breach
Any measures that will be taken in the future regarding the breach
An indication of whether law enforcement has been notified.
Despite placing increased notification requirements on businesses harboring sensitive personal information, the new bill brings Texas more in line with breach notification laws previously implemented around the country. House Bill 4390 also creates the Texas Privacy Protection Advisory Council, which is tasked with studying various data security laws domestically and abroad to prepare recommendations for statutory changes to the Texas legislature prior to the next legislative session beginning on January 12, 2021.
Given the imposition of a defined notification timeline, all businesses that collect personal information from individuals in Texas should place renewed importance on establishing a clear and concise data security incident response plan that is circulated to the necessary personnel. Failure to comply with notification requirements could result in civil penalties of up to $100 per person or $250,000. Whether this Amendment simultaneously results in an increase of activity at the office of the Texas Attorney General remains to be seen.