Data Breach Notification Law Update: Texas

Texas amended its data breach notification law to significantly tighten the deadline for notifying the state attorney general (AG) of a data breach affecting 250 or more state residents. Senate Bill 768, which amended Section 521.053 of the Texas Business and Commerce Code, shortens the deadline to notify the AG from "not later than" 60 days to "as soon as practicable and not later than 30 days" while leaving in place the 60 day deadline to notify residents. The amendments also require covered entities to submit breach reports to the state attorney general via an electronic form that is accessible on the AG's website.

The amendments go into effect on September 1, 2023, and otherwise do not change the existing provisions of the state's data breach notification law, including the 60 day deadline for notifying affected state residents of a data breach.

With its newly shortened deadline for notifying the state AG, Texas joins Colorado, Florida, Maine, and Washington in requiring covered entities to notifying government authorities of a data breach within 30 days. Only Vermont (14 days) and Puerto Rico (10 days) have shorter deadlines, and Texas joins only Vermont and Puerto Rico in having a deadline for notifying government authorities different from that for affected individuals.

Even before these amendments, Texas' data breach notification law stood out for a number of reasons. In particular, the law is unique among state data breach notification laws in expressly covering individuals who reside outside the state. The Texas law requires those doing business in the state who suffer a data breach notify any individual—not limited to Texas residents—whose personal data was acquired by an unauthorized person. The law further states that for an affected individual who resides in another state, the person providing the breach notification may comply with either the Texas law or the breach notification law in the state where that individual resides. The Texas law also requires the state AG to post data breach notifications that it receives on a publicly available website for up to one year (note that an entity that suffers a data breach need only notify the state AG if the breach affects 250 state residents). The AG's public site is reviewed regularly by plaintiffs' attorneys looking to bring class actions against companies that have reported a data breach.

States continue to amend and differentiate their data breach notification laws, complicating obligations for companies that collect personal information from individuals nationwide. DWT's Privacy and Security team regularly counsels clients on compliance with evolving data breach notification laws—both proactively and in response to data breaches and other security incidents. Our team maintains a summary of state data breach laws on our website.