This week Texas Governor Greg Abbott signed into law HB 3746, which amends the state’s data breach notification statute. Following states like Maine, California, and Washington, HB 3746 requires the Texas Attorney General (AG) to publish a public record on its website of data breaches affecting state residents. What might be considered Texas’ “wall of shame” law follows a growing trend of states strengthening existing privacy laws aimed at protecting consumers.
HB 3746, which was unanimously passed by the Texas Legislature, makes two main changes to Texas’ current breach notification statute. First, the Texas AG will be required to publish on its public-facing website any data breaches that have affected 250 or more Texas residents. The reported incident will remain on the AG’s website for one year. If the reporting entity does not face any new security lapses which require reporting to the Texas AG for the duration of that year, the posting will be removed.
Second, HB 3746 adds an additional content requirement for notifying the Texas AG of a data breach. Entities reporting a data breach are now required to provide the number of Texas residents who were sent a notice, in addition to the other requirements already in the statute:
- a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;
- the number of Texas residents affected by the breach at the time of notification;
- the measures taken by the Entity regarding the breach;
- any measures the Entity intends to take regarding the breach after notification; and
- information regarding whether law enforcement is investigating the breach.
Companies that maintain sensitive personal information of Texas residents should review their incident response plans and make all necessary updates and adjustments to ensure compliance with HB 3746 by September 1, 2021. While it remains to be seen whether the passage of HB 3746 signals the Texas Legislature’s appetite for more comprehensive privacy legislation in the future, Bracewell is continuing to monitor privacy legislation developments across the country. Companies are advised to keep data privacy and cybersecurity at the forefront of their business priorities for the foreseeable future—as noncompliance could prove costly.