Texas has amended its data breach notification law to create new reporting requirements and deadlines.
The amendments, effective Jan. 1, 2020, require an entity that experiences a data breach to notify impacted individuals within 60 days of discovery. Previously, the law only required notice to impacted residents “as quickly as possible.” Additionally, the new law requires notification to the Texas Attorney General, also within 60 days of discovery, if a breach impacts more than 250 Texas residents. The Attorney General notification must include a detailed description of the nature and circumstances of the breach or the use of the sensitive information acquired as a result of the breach; the number of Texas residents impacted by the breach; measures taken or intended to be taken in response to the breach; and information concerning whether law enforcement is investigating the breach. The law previously did not require notice to be made to the Texas Attorney General.