Quick Facts
***Amendments to TX Data Breach Notification Statute scheduled to go into effect on 9/1/23
Breach Based on Harm Threshold: No
Deadline for Consumer Notice: Without unreasonable delay, but no later than 60 days
Government Notification Required: Yes, if 250+ residents are affected
Scope of this Summary:
Notification requirements applicable to persons who conduct business in Texas and who own, license, or maintain covered info associated with any individual (whether or not they are a Texas resident, though individuals who are residents of another state that requires notice of a data breach may be notified under that state's law). Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
The notification obligation is not subject to a risk assessment.
Breach Defined
Unauthorized acquisition that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted so long as encryption key was not accessed or acquired.
Form of Covered Info
Electronic Only
Covered Information
An individual's first name or first initial and last name in combination with any one or more of the following items:
- Social Security number.
- Driver's license number or government-issued identification number.
- Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
- Information that identifies an individual and relates to:
- The physical or mental health or condition of the individual.
- The provision of health care to the individual.
- Payment for the provision of health care to the individual.
Consumer Notice Timing
Must be made as quickly as possible except as necessary to determine the scope of the breach and restore the reasonable integrity of the system.
Consumer Notice Method
By written notice or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
The statute does not provide content requirements for the notice to affected persons.
Delayed Notice
Notification may be delayed if law enforcement determines notice will impede a criminal investigation.
Notification must be made as soon as law enforcement determines that the notification will not compromise the investigation.
Government Notice
Effective September 1, 2023, must notify the Attorney General no later than 30 days after the discovery of the breach if it involves at least 250 residents. Notification must include a detailed description of the breach or the use of covered information acquired as a result of the breach; the number of residents affected; measures taken and intended to be taken regarding the breach; and whether law enforcement is investigating the breach.
Consumer Reporting Agency Notice
If more than 10,000 persons are notified, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of timing, distribution, and content of the consumer notice.
Exceptions for Other Laws
The statute does not include exceptions for entities subject to other laws.
Third-Party Notice
If you maintain covered info on behalf of another entity, you must notify it immediately following discovery of a breach.
Private Right of action
The Texas statute does not provide for a private right of action.
Potential Penalties
Violations may result in civil penalties.
This summary is for informational purposes only. It provides general information and not legal advice or opinions regarding specific facts. Additional requirements or conditions may apply to any or all provisions referenced herein. For more information about the state data breach notification laws or other data security matters, please seek the advice of counsel.
Last revised on June 15, 2023