The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

How Texas’ New Data Breach Law Will Affect Businesses

by Chris Brook on Wednesday June 26, 2019

Contact Us
Free Demo
Chat

Recent changes to data privacy legislation in the Lone Star State will likely affect the incident response plan of any company that does business in the state.

When changes to Texas' data breach notification law go into effect in 2020, companies that do business in the state will have 60 days to disclose a data breach.

The state recently joined what’s becoming a crowded slate of states to pass privacy legislation, joining California and Nevada, in attempts to better regulate the data of its residents.

Governor Greg Abbot signed the legislation, House Bill 4390, an amendment to the Texas Identity Theft Enforcement and Protection Act, on June 14, 2019.

The law requires businesses to contact the Texas Attorney General within 60 days if the personal information of 250 or more Texans are affected. Businesses will be asked to include the following in their notification:

  • A detailed description of the nature and circumstances of the breach, or the use of sensitive personal information acquired as a result of the breach;
  • The number of Texas residents affected by the breach at the time of notification;
  • The measures that have been taken in response to the breach;
  • Any measures the business intends to take after the notification; and
  • Information regarding whether law enforcement is engaged in investigating the breach.

The law clarifies a previous portion of the statute that instructed companies to notify data breach victims "as quickly as possible."

HB 4390, known as the Texas Privacy Protection Act, would also create the Texas Privacy Protection Advisory Council, a consortium that’d be tasked with researching data privacy laws not just in the U.S., but worldwide, and making recommendations for the Texas legislature to consider the next time the Texas Legislature reconvenes.

The council is aiming to have a diverse roster of 15, including:

  • Five members of the house of representatives appointed by the speaker of the house of representatives;
  • Five senators appointed by the lieutenant governor;
  • Five members of industry who are residents of this state appointed by the governor as follows:

• One member representing the retail and electronic transaction industry;

• One member representing the telecommunications industry;

• One member representing the consumer data analytics industry;

• One member representing the advertising industry; and

• One member representing the Internet service provider industry.

HB 4390 is one of two privacy bills introduced by legislators in Texas this year. The other, the Texas Consumer Privacy Act, bore more similarities to the California Consumer Protection Act (CCPA) and the EU's General Data Protection Regulation (GDPR) in tone but stalled in the Texas House of Representatives in favor of HB-4390.

The legislation, also known as House Bill 4518, would have granted consumers the right to know what information about them is being collected, distributed, and sold, the right to opt out of the sale of that data, and the right to delete that data.

Texas has been hit by 661 data breaches since 2008, the third among states with the most data breaches since 2008, according to Comparitech, a website that analyzed data compiled by the Privacy Rights Clearinghouse and Identity Theft Resource Center. New York came in second, with 729 data breaches exposing 293 million records; California led the charge with 1,493 data breaches exposing 5.59 billion records.

Tags: Compliance, Data Protection

Recommended Resources


  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business
  • How to simplify the classification process
  • Why classification is important to your firm's security
  • How automation can expedite data classification

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.