If you’re in Texas, you’ll want to take note of a recent law that took effect on September 1, 2021. Governor Greg Abbott signed House Bill 3746, which amended the state’s data breach notification law.
The original law, Business and Commerce Code 521.053, established requirements for businesses that are alerted to or discover on their own “any breach of system security”: they must notify, within 60 days, any individual whose sensitive personal information was or is reasonably believed to have been compromised in the breach. If the breach involves at least 250 Texas residents, the Texas Attorney General must also be notified within 60 days.
Changes – Part One
The amendment that HB 3746 brings to this law is two-fold. The first part requires that the following information be included with the notification to the Texas Attorney General:
- The number of affected Texas residents that have been sent disclosure of the breach via mail or other direct communication (at the time of the notification)
- Details outlining the nature and circumstances of the breach and how the sensitive personal information was used and acquired
- The total number of Texas residents affected by the breach (at the time of the notification)
- Details and information about whether law enforcement is engaged and investigating the breach
- Information on measures already taken by the person regarding the breach
- Information on intended measures that the person plans to take regarding the breach after the notification
Changes – Part Two
The second part of HB 3746 adds a public listing requirement to the Texas Attorney General’s role. A current list of all data breach notifications that have been received by the Attorney General’s office must be published on its website within 30 days. The listing will only be removed within the year “if the person who provided the notification has not notified the attorney general of any additional breaches”.
Growing Trend
This is not a change that Texas is taking on alone. California, Maine, and Washington maintain similar lists, though California’s requirement is only for breaches that affect 500 or more state residents. Are you familiar with the regulations for breach notifications within your own state when it comes to cybersecurity? Be sure to contact us today!