How Texas’ New Data Breach Law Will Affect Businesses
Recent changes to data privacy legislation in the Lone Star State will likely affect the incident response plan of any company that does business in the state.
When changes to Texas' data breach notification law go into effect in 2020, companies that do business in the state will have 60 days to disclose a data breach.
Governor Greg Abbott signed the legislation, House Bill 4390, an amendment to the Texas Identity Theft Enforcement and Protection Act, on June 14, 2019.
The law requires businesses to contact the Texas Attorney General within 60 days if the personal information of 250 or more Texans is affected. Businesses will be asked to include the following in their notification:
- A detailed description of the nature and circumstances of the breach, or the use of sensitive personal information acquired as a result of the breach;
- The number of Texas residents affected by the breach at the time of notification;
- The measures that have been taken in response to the breach;
- Any measures the business intends to take after the notification; and
- Information regarding whether law enforcement is engaged in investigating the breach.
The law clarifies a previous portion of the statute that instructed companies to notify data breach victims "as quickly as possible."
HB 4390, known as the Texas Privacy Protection Act, would also create the Texas Privacy Protection Advisory Council, a consortium that would be tasked with researching data privacy laws not just in the U.S., but worldwide, and making recommendations for the Texas Legislature to consider the next time it reconvenes.
The council is aiming to have a diverse roster of 15, including:
- Five members of the house of representatives appointed by the speaker of the house of representatives;
- Five senators appointed by the lieutenant governor;
- Five members of industry who are residents of this state appointed by the governor as follows:
• One member representing the retail and electronic transaction industry;
• One member representing the telecommunications industry;
• One member representing the consumer data analytics industry;
• One member representing the advertising industry; and
• One member representing the Internet service provider industry.
HB 4390 is one of two privacy bills introduced by legislators in Texas this year. The other, the Texas Consumer Privacy Act, bore more similarities to the California Consumer Protection Act (CCPA) and the EU's General Data Protection Regulation (GDPR) in tone but stalled in the Texas House of Representatives in favor of HB 4390.
That bill, also known as House Bill 4518, would have granted consumers the right to know what information about them is being collected, distributed, and sold, the right to opt out of the sale of that data, and the right to delete that data.
Texas has been hit by 661 data breaches since 2008, the third most of any state over that period, according to Comparitech, a website that analyzed data compiled by the Privacy Rights Clearinghouse and Identity Theft Resource Center. New York came in second, with 729 data breaches exposing 293 million records; California led the charge with 1,493 data breaches exposing 5.59 billion records.