Mandatory Timeframe for Breach Reporting and/or Consumer Notification

Within 60 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of Breach Notification Laws:
  • $2,000 to $50,000 per violation

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Businesses must notify any resident of Texas whose sensitive personal information was acquired by an unauthorized person within 60 days of discovery of the breach.
  • If 250 or more residents are affected by a breach of security, businesses must also notify the Attorney General with specific details of the breach. Such notification must be completed within 60 days of discovery of the breach.
  • Breach reporting to each consumer reporting agency that maintains files on consumers on a nationwide basis is required if more than 10,000 consumer notifications are sent, without unreasonable delay.
  • If a vendor (a business that maintains sensitive personal information it does not own) is breached, it must notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
  • If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Businesses must implement and maintain reasonable procedures to protect sensitive personal information from unlawful use or disclosure, including a process for responding to identified risks and to a breach or suspected breach of security.
  • Businesses must have processes in place for the disposal of customer information no longer needed, by shredding, erasing or otherwise modifying to make it unreadable or indecipherable.
  • Businesses are considered compliant with the state’s disposal regulations if they contract with a data disposal vendor.
  • Texas law provides substantial penalties for violations of the personal-information protection and breach notification requirements, including, but not limited to:
    • Civil penalties of $2,000 to $50,000 per violation
    • Up to $100 per individual for each day that a required notification is late, capped at $250,000 for a single breach
    • Reimbursement of expenses to the state Attorney General
  • The unauthorized use or possession of a consumer’s personal information is considered a deceptive trade practice.
  • Texas has regulations specific to the consent, disclosure, protection and retention of individuals’ biometric identifiers.
  • Sector-specific regulations (health, education) provide for an individual’s right to access their personal information.
Statutes and Laws
  • TX Business and Commerce Code §§ 521.001 – 521.002 Identity Theft Enforcement and Protection Act
  • TX Business and Commerce Code § 521.051 Unauthorized use or possession of personal identifying information
  • TX Business and Commerce Code § 521.052 Business duty to protect sensitive personal information
  • TX Business and Commerce Code § 521.053 Notification required following breach of security of computerized data
  • TX Business and Commerce Code § 521.151 Civil Penalty; Injunction
  • TX Business and Commerce Code §§ 72.001 – 72.004 Disposal of Certain Business Records
  • TX Business and Commerce Code § 503.001 Capture or Use of Biometric Identifier
  • TX Health and Safety Code Chapter 181 Medical Records Privacy