Mandatory Timeframe for Breach Reporting and/or Consumer Notification

As Quickly as Possible
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of Breach and Notification Laws:
- $2,000 up to $50,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Notification to affected residents may only be given by specific methods.
  • If more than 10,000 consumer notifications are sent, the breach must also be reported, without unreasonable delay, to each consumer reporting agency that maintains files on consumers on a nationwide basis.
  • Texas specifies the meaning of personal information and sensitive personal information.
  • A business must implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business.
  • Texas law has heavy penalties for violations of the laws involving protection of personal information and breach notification, including, but not limited to:
    • Civil penalties from $2,000 to $50,000 per violation
    • $100 for each individual that was due a notification (up to $250,000)
    • Restraining orders
    • Permanent or temporary injunctions
    • Equitable relief as granted by a court
    • Reimbursement of expenses to the state attorney general
  • If a vendor is breached, it must report the breach to the data owner. The data owner is responsible for completing the reporting and consumer notifications.
  • If the breach affects residents of other states, you will need to notify those residents under each of those states' rules.
Statutes and Laws
  • TX Business and Commerce Code §§ 521.001 – 521.002 Identity Theft Enforcement and Protection Act
  • TX Business and Commerce Code § 521.051 Unauthorized use or possession of personal identifying information
  • TX Business and Commerce Code § 521.052 Business duty to protect sensitive personal information
  • TX Business and Commerce Code § 521.053 Notification required following breach of security of computerized data
  • TX Business and Commerce Code § 521.151 Civil Penalty; Injunction
  • TX Business and Commerce Code §§ 72.001 – 72.004 Disposal of Certain Business Records