Texas passed a bill amending security breach disclosure requirements. Under the bill, a person or business that owns or licenses (“owner or licensee”) personal information about Texas residents must notify the attorney general in the event a security breach affects at least 250 Texas residents. The attorney general must be notified no later that 60 days after the owner or licensee determined that the security breach occurred. The bill also mandates the information that must be included in the attorney general notification. In addition, the bill requires an owner or licensee to provide a security breach disclosure to all affected Texas residents without unreasonable delay, but no later than the 60th day after the date on which the person determined that the breach occurred (except: as is consistent with the legitimate needs of law enforcement; or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system). The security breach disclosure was previously required to be provided as quickly as possible. The bill becomes effective January 1, 2020.
See Texas Legislature website for the full text of the Statutes:
https://capitol.texas.gov/tlodocs/86R/billtext/pdf/HB04390F.pdf#navpanes=0
