Texas Data Breach Notification
Tex. Bus. & Com. Code § 521.002, § 521.053, § 521.151, § 521.152
SUMMARY:
EFFECTIVE. April 1, 2009
WHO DOES THIS LAW APPLY TO. (1) Any person or business that conducts business in Texas and owns or licenses computerized data that includes Personal Information; and (2) any person or business that maintains unencrypted data that includes Personal Information.
WHAT IS A BREACH. Unauthorized acquisition of computerized data that compromises the security, integrity or confidentiality of Personal Information maintained by a person or business, including encrypted data if the person accessing the data has the key. Good faith acquisition of Personal Information by an employee or agent of the owner for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or data element is not encrypted:
- Social Security Number.
- Driver’s license number or government-issued identification card number.
- Account number, credit card or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Information that identifies an individual and relates to:
  - Physical or mental health or condition of an individual.
  - Provision of health care for an individual.
  - Payment for health care services.
Personal Information does not include public information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the residents affected if the Personal Information was, or is reasonably believed to have been, acquired by an unauthorized person. If the Personal Information acquired belongs to a resident of another State which does not require notification, Texas law shall apply.
If more than 250 residents are notified, then notice must be sent to the Attorney General no later than sixty days after discovery of the breach. Notification must include:
- A detailed description of the breach or the use of personal information acquired.
- The number of residents affected.
- The measures taken regarding the breach.
- Any measures the subject entity intends to take regarding the breach.
- Whether law enforcement is investigating the breach.
If more than 10,000 residents are involved in a breach, the person or business shall also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a) of the timing, distribution, and content of the notice(s).
EXCEPTION. This Section does not apply to the following:
- Encrypted information, if the encryption key was not accessed or acquired.
- A person or business that maintains its own notice procedures as part of a Personal Information security policy, consistent with the timing requirements of this Section, is considered in compliance with this Section if it notifies the affected individuals in accordance with those policies.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person or business discovers or is notified of a security breach. The disclosure shall be made as soon as possible consistent with measures necessary to determine the scope of the breach, and to restore the reasonable integrity of the data system, but within 60 days. Notification may be delayed if it will impede a criminal investigation and is requested by law enforcement. In that instance, notification will be made as soon as clearance by law enforcement is obtained.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written notice to the last known address of the individual.
- Electronic notice (if it is consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- If the affected person is a resident of a state that has its own breach notification requirement, the entity may provide notice under that State’s law or under Texas law.
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person or business can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person or business has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person or business has an email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person or business if one is maintained.
- Notification published in or broadcast on major statewide media.
NOTICE TO THIRD PARTIES. Any person or business that maintains unencrypted data that includes Personal Information that it does not own shall notify the owner or license holder of the security breach immediately upon discovery. The person or business that owns or licenses the computerized data shall provide notice to the individual.
CONSEQUENCES FOR FAILING TO NOTIFY. The Attorney General may bring an action to recover a civil penalty of at least $2,000, but not to exceed $50,000, for each violation. The Attorney General may also bring enforcement actions to obtain injunctive relief and recover attorney’s fees and costs. In addition, any person or business that fails to take reasonable action to provide notice of a security breach is liable to the State for up to $100 per individual to whom notice is due, for each consecutive day that reasonable action to comply is not taken, not to exceed $250,000 per breach.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. Tex. Bus. & Com. Code § 521.052 and TX Bus & Com. Code § 72.004. When a business disposes of a business record that contains personal identifying information of a customer of the business, the business shall modify, by shredding, erasing, or other means, the personal identifying information so as to make the information unreadable or undecipherable.
LEGISLATIVE UPDATES.
H.B. 2278 – Signed into law on 6/15/2007, Effective 4/1/2009. Amended by H.B. 2004.
H.B. 2004 – Signed into law on 5/21/2009, Effective 9/1/2009.
H.B. 300 – Signed into law on 6/17/2011, Effective 9/1/2012.
S.B. 1610 – Signed into law on 6/14/2013, Effective 6/14/2013.
H.B. 4390 – Signed into law on 6/14/2019, Effective 1/1/2020.
H.B. 3529 – Signed into law on 5/26/2021, Effective 9/1/2021.
H.B. 3746 – Signed into law on 6/14/2021, Effective 9/1/2021.
For more information, see here: https://texas.public.law/statutes/tex._bus._and_com._code_section_521.002
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.