If you’re in Texas, you’ll want to take note of a recent law that took effect on September 1, 2021. Governor Greg Abbott signed House Bill 3746 that has amended the state’s data breach notification law.
The original law, Business and Commerce Code 521.053 established requirements for businesses around “any breach of system security” that they were alerted to or discovered on their own to notify within 60 days, any individual who had sensitive personal information that was or is reasonably believed to have been compromised in the breach. If the breach involves at least 250 Texas residents, the Texas Attorney General must also be notified within 60 days.
Changes – Part One
The amendment that HB 3746 brings to this law is two-fold. The first part requires that the following information be included with the notification to the Texas Attorney General:
- The number of affected Texas residents that have been sent disclosure of the breach via mail or other direct communication (at the time of the notification)
- Details outlining the nature and circumstances of the breach and how the sensitive personal information was used and acquired
- The total number of Texas residents affected by the breach (at the time of the notification)
- Details and information about whether law enforcement is engaged and investigating the breach
- Information on measures already taken by the person regarding the breach
- Information on intended measures that the person plans to take regarding the breach after the notification
Changes – Part Two
The second part of HB 3746 that amends the law is that a public listing requirement is now part of the Texas Attorney General’s role. A current list of all data breach notifications that have been received by the Attorney General’s office must be published on its website within 30 days. The listing will only be removed within the year “if the person who provided the notification has not notified the attorney general of any additional breaches”.
This is not a change that Texas is taking on alone. California, Maine, and Washington maintain similar lists, though California’s requirement is only for breaches that affect 500 or more state residents. Are you familiar with the regulations for breach notifications within your own state when it comes to cybersecurity? Are you supporting clients in states outside of your own? Keeping up with cybercrime is a full-time job, and when the government gets involved there’s a new level of accountability that obviously can’t be overlooked. These laws and regulations are emphasizing the threat that businesses face when it comes to criminal activity. That, along with the compliance issues that must be addressed are something that we can help you understand as a Breach Secure Now partner. Not yet a partner? Be sure to contact us today!