The Texas Legislature adopted legislation amending laws regarding notifications required following a breach of security of computerized data. The bill goes into effect Sept. 1, 2021.
State law requires a person who is required to disclose or provide notification of a breach of system security under state law to notify the attorney general of that breach within 60 days after the date on which the person determines that the breach occurred if the breach involves at least 250 residents of the state.
Under House Bill 3746’s provisions, that notification must include the number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification.
The bill also requires the attorney general to post on the attorney general’s website a listing of the notifications he or she has received, excluding any sensitive personal information that may have been reported to the attorney general under state law, any information that may compromise a data system’s security, and any other information reported to the attorney general that is made confidential by law. The attorney general must:
- Update the listing not later than the 30 day after the date the attorney general receives notification of a new breach of system security.
- Remove a notification from the listing not later than the first anniversary of the date the attorney general added the notification to the listing if the person who provided the notification has not notified the attorney general of any additional breaches under subsection (i) during that period.
- Maintain only the most recently updated listing on the attorney general’s website.”