Texas recently signed into law House Bill 4390 (HB 4390), which amends the timing requirements for providing data breach notices to impacted individuals, adds a requirement to notify the Texas Attorney General of a breach, and creates a new temporary council to study, develop, and propose recommendations for the Texas legislature on data privacy laws.
Currently, under the Texas Identity Theft Enforcement and Protection Act, in certain contexts, notice must be provided “as quickly as possible” to individuals whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. HB 4390 revises this timing requirement to provide that such notification generally must be made “without unreasonable delay,” and in each case must occur by the 60th day after the date on which the breached business determined that its breach occurred. HB 4390 also adds a requirement to notify the Texas Attorney General, generally within the same timeframe, if the breach affects at least 250 Texas residents. The notification to the Texas Attorney General must include a description of the breach or use of sensitive personal information acquired as a result of the breach, the number of Texas residents affected, measures taken and that will be taken by the person reporting the incident, and whether law enforcement is engaged in investigating the breach.
HB 4390 also establishes a new temporary Texas Privacy Protection Advisory Council to study data privacy laws in Texas, other states, and relevant foreign jurisdictions in order to make recommendations to the Texas legislature on specific statutory changes regarding the privacy and protection of certain personally identifiable information. The Council is required to report its findings and recommendations to the members of the legislature by September 1, 2020.
Although the Council-related provisions go into effect on September 1, 2019, the remainder of HB 4390 (regarding data breach notifications) will take effect on January 1, 2020.