- Texas will have a new data breach reporting law in September, and it’s going to be strict.
- The state is becoming home to an increasing number of tech companies that manage troves of data.
- Any data breach involving more than 250 people will have to be reported, and notices will have to be sent to the affected.
Texas is pushing forward new legislation that amends the Texas Business and Commerce Code § 521.053 and adds provisions to enforce the notification of the authorities when a company based in the state suffers a data breach. More specifically, the bill dictates that any entity that suffers a data breach involving at least 250 Texas residents should notify the Texas attorney general of the fact.
The reported incident will be posted on a “wall of shame” on the attorney general’s office website and will be kept there for a year. If the breached entity doesn’t have any new security lapses during that year, the entry will be removed. In addition, companies will be obliged to inform the public of how many Texas residents have been impacted by a breach and then notify them personally by sending an alert via email.
This is similar to how things work in other American states like California, for example. There, the Attorney General’s office maintains a dedicated portal where all reported data breaches and their corresponding notices of a breach are posted.
The two states have been peculiarly linked in the aftermath of the pandemic, which pushed the workforce to work from home and companies to reconsider their approach and relocate to places that offer more lax taxation and regulatory policies. There’s an ongoing wave of migration of companies and employees from California to Texas, and of course, there are many factors that play a role in that. The result is a boom taking place in Texas right now, and letting tech firms that handle troves of data sweep breaches under the rug isn’t a good idea anymore.
There’s also the national effort to create a stronger data breach and notification system that involves private, public, federal, and all critical entities in the country, so everything points toward the passing of new regulatory obligations that underpin data protection and reporting.
The new law, named “House Bill 3746”, has already been approved by the Texas Legislature and now awaits the signature of Governor Greg Abbott. We see no reason for this not to happen, so we expect the new requirements to come into effect beginning September 1, 2021.