Keypoint: The Texas legislature has determined that companies who experience a data breach affecting Texas residents need to have their names in lights—but not in a good way.
House Bill 3746, which passed both the House and the Senate last week and has been sent to Governor Abbott for signature, amends Texas’s breach notification law to require the Attorney General’s office to maintain a publicly accessible page on its website containing every notification of a data breach it has received over the past year.
Section 521.053 of the Texas Business & Commerce Code currently requires a person to report a data breach to the Attorney General if it involves more than 250 Texas residents. The notification must include, among other things, a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach, as well as the measures the person has taken or intends to take regarding the breach. H.B. 3746 adds a requirement that the notice state the number of affected residents who have been sent a disclosure of the breach by mail or other direct method of communication.
H.B. 3746 will now make those notifications available to the public. Per the newly added subsection (j), the Attorney General must post a listing of the notifications received, with certain sensitive or confidential information redacted, on its website and update that listing not later than the 30th day after the date it receives notification of a new breach of system security. A notification can come off the web listing a year after it is put on, unless another breach is reported to the Attorney General by the person who made the notification.
The amendments will go into effect on September 1 of this year.