Texas Businesses Have to Report Data Breaches Within 60 Days, New Law Says
August 31, 2020
Businesses operating in Texas will now have to abide by stricter rules and reporting protocols when data breaches occur. These new requirements have been established by House Bill (HB) 4390, which fully took effect as of 2020.
With this new Texas law, authorities can hold businesses accountable for reporting data breaches soon after they are discovered, rather than letting them wait several months before informing regulators and consumers.
How HB 4390 Enhances Protections for Texas Consumers
According to HB 4390, Texas businesses that own or license digital data containing sensitive personal information must:
- Report data breaches within 60 days: Within 60 days of discovering a data breach, a business owner or operator is legally required to report the breach to those whose data has been (or is reasonably suspected to have been) accessed by hackers.
- Notify the attorney general and take additional steps in some cases: If at least 250 Texas consumers have been affected by a data breach, a business owner or operator must also report the incident to the attorney general. This report must include details about the nature and circumstances surrounding the breach, how many Texas consumers were impacted, and whether law enforcement is investigating the breach. As part of this reporting, a business owner or operator must also explain what measures have been—and will be—taken regarding the breach.
While the new data breach reporting rules in Texas may seem insignificant, they are expected to enhance transparency and accountability surrounding these events.
That’s good news for all Texans, especially considering the facts that, in 2019:
- It took businesses an average of 206 days to identify data breaches.
- Once data breaches were discovered, it took an average of 73 days to contain the breaches.
- The data breach lifecycle (of 279 days) has been on the rise, increasing nearly 5% compared to 2018.
Often, when businesses experience data breaches, they will prioritize their reputations over the need to inform the public, delaying reports of breaches until they have been contained. With the new Texas data breach law, however, businesses will no longer be able to keep consumers and authorities in the dark about data breaches for long.