On June 14, Texas Gov. Greg Abbott signed into law House Bill 4390 which amends the notification requirements of Texas’ data breach law and creates an advisory council to study data privacy laws generally. The provisions become effective Jan. 1, 2020.

Currently, a person conducting business in Texas who “owns or licenses computerized data that includes sensitive data” must disclose the breach to any affected individual “as quickly as possible.” Tex. Bus. & Com. Code § 521.053(b).

The amendments will require the disclosure “be made without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred,” unless instructed otherwise by law enforcement.

Additionally, if the breach involves at least 200 Texas residents, the attorney general must receive notification within the same time frame that describes:

  1. the nature and circumstances of the breach;
  2. the number of residents affected;
  3. the measures taken prior to notification;
  4. the measures intended to be taken following notification; and
  5. law enforcement involvement, if any.

The Texas Privacy Protection Advisory Council will study privacy laws in Texas and other states and countries and make recommendations to the legislature. The council will be comprised of 15 members with an equal number appointed by the Texas speaker of the house, lieutenant governor and governor. Seven of the members must be from one of 13 specified industries.