Texas and many other states have recently been passing new data breach protection laws to be sure that consumers receive timely notification after their most sensitive personal information has likely been breached or stolen. In June of 2019, HB 4390 was signed by Governor Greg Abbott. It became effective on January 1, 2020.
What HB 4390 is designed to accomplish – in general terms
Known as the Texas Privacy Protection Act, this legislation amends pertinent portions of the Texas Identity Theft Enforcement and Protection Act (“TITEPA”) set forth in the Texas Business & Commerce Code. In addition, the Texas Privacy Protection Act creates the Texas Privacy Protection Advisory Council that’s currently studying the data privacy laws of other states and countries.
HB 4390 requires this council to report its findings to the legislature by September 1, 2020 – so more comprehensive consumer privacy legislation can be considered during the next session of the Texas Legislature, beginning in January 2021.
New notification duties after suspected data breaches in the future
Now that the Texas Privacy Protection Act has gone into effect, the following new rules must be obeyed by all companies doing business in the state.
- HB 4390 has added a new deadline. Consumers must be timely notified when there’s been a definite or suspected data breach (of sensitive personal information). This notification must be made within 60 days of the date when the apparent breach was discovered.
- As amended by HB 4390, the TITEPA requires businesses to provide notice of certain types of data breaches to the Attorney General of Texas. More specifically, notice is mandatory when a breach has compromised the data of 250 or more Texas residents. This notice to the AG’s Office must also cover the following topics.
  - The nature and circumstances of the breach must be described – and information must be provided about how the compromised data has been used (if known);
  - There must be a statement about the number of Texas residents who were affected by the breach and when notifications were sent out;
  - The reporting party must describe any measures taken to address the consequences of the breach;
  - The AG’s Office must also be told whether any additional, corrective measures (regarding the suspected breach) are planned in the future; and
  - There must be a statement about whether any law enforcement agency is currently involved in investigating the reported breach.
At present, at least 17 other states have established similar timeframes for reporting data breaches, usually between 30 and 90 days after the breach was discovered.
The Texas Privacy Protection Act also created the TX Privacy Protection Advisory Council
As was briefly noted above, this council will be meeting regularly until it tenders its required report to the Texas legislature by early September 2020. It’s hard to know if the group’s recommendations will be very comprehensive since some legal experts are concerned that Texas is rather hesitant to pass the full panoply of data breach protections that may be necessary. Far stronger measures were rejected when HB 4390 and another bill were first proposed in Texas.
Better protection for victims of data breaches will likely be affected by the views of those currently sitting on this council. Here’s a look at the membership of this group.
- Three of those who are on the council are members of the current Texas House of Representatives;
- Three others are Texas senators;
- Nine seats on the council were reserved for representatives of a wide range of industries, including consumer banking, technology, internet, medical profession, retail and electronic transactions, telecommunications, cloud data storage and social media platforms;
- Just two members of the Texas Privacy Protection Advisory Council are either members of a nonprofit organization that regularly evaluates data privacy issues from the viewpoint of consumers – or are professors at a Texas law school (or other higher educational institution) who have had important work published regarding data privacy.
Hopefully, most Texans will be pleased with the legislation that will eventually be passed based on this group’s recommendations.
Please feel free to contact one of our Murray Lobb attorneys if you have any additional questions about how this new legislation may affect your company either before or after you experience a data breach. We’re also available to address any of your other general business law needs — and we can readily draft the contracts and other legal documents you need to run your company each day.