Mandatory Timeframe for Breach Reporting and/or Consumer Notification
Within 60 days
Laws related specifically to personal information
Breach Reporting & Consumer Notification
Protect Personal Information
Program for Protection/Security
Vendor Specific Obligations
Vendor Mandated Contracts
Requests for Information
Fines & Penalties
Violations of Breach Notification Laws:
- $2,000 up to $50,000
None to minimal
Businesses must notify any resident of Texas whose sensitive personal information was acquired by an unauthorized person within 60 days of discovery of the breach.
If 250 or more residents are affected by a breach of security, businesses must also notify the Attorney General with specific details of the breach. Such notification must be completed within 60 days of discovery of the breach.
If more than 10,000 consumer notifications are sent, businesses must also report the breach, without unreasonable delay, to each consumer reporting agency that maintains files on consumers on a nationwide basis.
If a vendor is breached, the vendor must notify the data owner. The data owner is responsible for completing any required regulatory and consumer breach notifications.
If a breach affects residents of other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
Businesses must have procedures in place for the protection of sensitive personal information, including processes for responding to potential risks or a breach or suspected breach of security.
Businesses must have processes in place for disposing of customer information that is no longer needed, by shredding, erasing or otherwise modifying it to make it unreadable or indecipherable.
Businesses are considered compliant with the state’s disposal regulations if they contract with a data disposal vendor.
Texas law has heavy penalties for violations of the regulations involving protection of personal information and breach notification, including, but not limited to:
- Civil penalties from $2,000 to $50,000 per violation
- $100 for each individual that failed to receive a notification (up to $250,000)
- Reimbursement of expenses to the state Attorney General
The unauthorized use or possession of a consumer’s personal information is considered a deceptive trade practice.
Texas has regulations specific to the consent, disclosure, protection and retention of individuals’ biometric identifiers.
Sector-specific regulations (health, education) provide for an individual’s right to access their personal information.
Statutes and Laws
TX Business and Commerce Code §§ 521.001 – 521.002 Identity Theft Enforcement and Protection Act
TX Business and Commerce Code § 521.051 Unauthorized use or possession of personal identifying information
TX Business and Commerce Code § 521.052 Business duty to protect sensitive personal information
TX Business and Commerce Code § 521.053 Notification required following breach of security of computerized data
TX Business and Commerce Code § 521.151 Civil Penalty; Injunction
TX Business and Commerce Code §§ 72.001 – 72.004 Disposal of Certain Business Records
TX Business and Commerce Code § 503.001 Capture or Use of Biometric Identifier
TX Health and Safety Code 181 Medical Records Privacy