Privacy & Information Security Law Blog

On June 14, 2021, Texas Governor Greg Abbott signed HB 3746, a bill amending Texas’s data breach notification law. Texas’s breach notification law requires notice to affected residents in the event of a data breach affecting certain sensitive personal data, including Social Security numbers, driver’s license or other government-issued ID numbers, account numbers or payment card numbers in combination with any required security code, access code or password, or certain information about an individual’s health or medical condition or treatment. The law also requires businesses to notify the Texas Attorney General of any data breach affecting at least 250 Texas residents.

HB 3746 amends the content requirements for breach notifications to the Attorney General to include a requirement that businesses report “the number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of [AG] notification.” This requirement is in addition to a requirement in the law to report the number of Texas residents affected by the breach.

Separately, HB 3746 also creates a new public notification requirement for the Attorney General, who is now charged with maintaining a publicly accessible list of breach notifications submitted to the Attorney General’s Office. Under the amended law, the Attorney General must update its public list within 30 days of receiving a breach notification report, and must remove a business from the list after one year from the notice date (assuming the business has not submitted any updated or additional breach notifications since that time).

The amendments in HB 3746 take effect September 1, 2021.