The Texas Legislature, which meets every other year, pushed a change to its data breach notification law at the end of the session in late May, and yesterday Governor Greg Abbott signed the bill into law.  It follows a growing trend of changes to privacy and cybersecurity laws at the state level.

Texas House Bill 3746 will amend Texas Business and Commerce Code § 521.053, which requires notifications to individuals and the Texas Attorney General following certain data breaches.  The amendment adds a requirement for the Texas Attorney General to post on its website a listing of data breach notifications received, when a breach involves 250 or more Texas residents. California has a similar requirement, although it is for breaches affecting 500 or more residents.

Specifically, the Texas amendment would require the Texas Attorney General to:

  • Post on the Attorney General’s public website a listing of notifications received, excluding any sensitive personal information, any information that may compromise a data system’s security, and any other information reported to the Attorney General that is made confidential by law;
  • Maintain an updated listing on the website, and update the list no later than every 30 days; and
  • Remove data no later than one year following the date it was added, unless the entity notified the Attorney General of additional incidents.

The amendment also now requires that entities reporting a breach to the Texas Attorney General provide the number of Texas residents receiving notification of the breach, in addition to the current requirements of:

  • A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;
  • The number of residents affected by the breach;
  • The measures taken by the person regarding the breach and any measures the person intends to take regarding the breach after notification; and
  • Information regarding whether law enforcement is engaged in investigating the breach.

The Texas amendment may indicate a growing trend towards increased information sharing in an effort to prevent future data breaches. On the federal level, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has implemented several programs in the past year to promote information sharing and awareness.  “Information sharing is essential to the protection of critical infrastructure and to furthering cybersecurity for the nation. As the lead federal department for the protection of critical infrastructure and the furthering of cybersecurity, the CISA has developed and implemented numerous information sharing programs. Through these programs, CISA develops partnerships and shares substantive information with the private sector, which owns and operates the majority of the nation’s critical infrastructure. CISA also shares information with state, local, tribal, and territorial governments and with international partners, as cybersecurity threat actors are not constrained by geographic boundaries”, CISA states. More information on CISA information sharing and awareness programs is available here.

The updated Texas law will take effect September 1, 2021.  With no shortage of large-scale breaches and heightened public awareness across the nation, organizations regardless of jurisdiction are advised to evaluate and enhance their data breach prevention and response capabilities.

 

Tags: cybersecurity information sharing, data breach, data breach notification, data breach notification law, Governor Greg Abbot, HB 3746, personal information, Texas, Texas data breach notification law
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the…

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Read more about Joseph J. Lazzarotti
Show more Show less
Photo of Jason C. Gavejian Jason C. Gavejian

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy…

Jason C. Gavejian is the office managing principal of the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. and a member of the firm’s Board of Directors. He is also a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

As a Certified Information Privacy Professional (CIPP/US), Jason focuses on the matrix of laws governing privacy, security, and management of data. Jason is co-editor of, and a regular contributor to, the firm’s Privacy blog.

Jason’s work in the area of privacy and data security includes counseling international, national, and regional companies on the vast array of privacy and security mandates, preventive measures, policies, procedures, and best practices. This includes, but is not limited to, the privacy and security requirements under state, federal, and international law (e.g., HIPAA/HITECH, GDPR, California Consumer Privacy Act (CCPA), FTC Act, ECPA, SCA, GLBA etc.). Jason helps companies in all industries to assess information risk and security as part of the development and implementation of comprehensive data security safeguards including written information security programs (WISP). Additionally, Jason assists companies in analyzing issues related to: electronic communications, social media, electronic signatures (ESIGN/UETA), monitoring and recording (GPS, video, audio, etc.), biometrics, and bring your own device (BYOD) and company owned personally enabled device (COPE) programs, including policies and procedures to address same. He regularly advises clients on compliance issues under the Telephone Consumer Protection Act (TCPA) and has represented clients in suits, including class actions, brought in various jurisdictions throughout the country under the TCPA.

Read more about Jason C. Gavejian
Show more Show less
Related Posts
The Hidden Legal Minefield: Compliance Concerns with AI Smart Glasses, Part 3 –Privacy, Surveillance, and Labor Law Violations
December 29, 2025
When Big Doesn’t Mean Bulletproof: The Importance of Third-Party Service Provider Due Diligence
October 22, 2025
California Assembly Bill 45: New Privacy Around Healthcare Facilities
September 29, 2025