Target. Equifax. Facebook. Capital One. For us, a data breach is a reminder that the sensitive information we routinely entrust to organizations has inherent value and can be subject to nefarious attacks. For organizations, it is a reminder of the great responsibility accepted because of the great power received from valuable information. For states across the country, it is a reminder that more needs to be done in the fight for privacy and protection of sensitive information. With the passage of House Bill 4390 (“HB 4390”), Texas shows how it plans to address the privacy of personal identifying information.
Signed into law on June 14, 2019, HB 4390 amends Texas’s privacy breach notification law—Texas Business and Commerce Code Chapter 521, Identity Theft Enforcement and Protection Act—by specifying a time frame for when notice of a breach is required and creating a notification requirement to state regulators. Beginning January 1, 2020, if a breach occurs and disclosure is required, the disclosure must be made “without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.” Previously the disclosure only needed to be made “as quickly as possible.” What is important to understand is that the 60-day time frame doesn’t create a window for compliance, so organizations should not feel comfortable simply getting disclosures out by the 60th day to comply. Instead, organizations are first responsible to provide disclosure “without unreasonable delay” which, depending on the circumstances, could be well short of the 60 days. If the circumstances support a reasonable delay approaching 60 days, an organization will then need to ensure that disclosure is provided before the deadline.
Also beginning January 1, 2020, HB 4390 requires notification to the attorney general for breaches involving at least 250 Texas residents. The notice will need to include (1) a detailed description of breach; (2) the number of residents affected; (3) the current and planned mitigation efforts; and (4) any law enforcement involvement. All organizations subject to Texas’s breach notification law should begin reviewing and updating their breach notification policies in preparation for the new rules in 2020.
In addition to the current changes to the Texas privacy breach notification law, HB 4390 signals Texas is not done addressing privacy with the creation of the Texas Privacy Protection Advisory Council. The purpose of the council will be to study various privacy laws and make recommendations to the Texas legislature on specific changes regarding privacy and protection of sensitive information.
If you have any questions or want to discuss the impact of the changes to Texas’s breach notification law, please schedule a consult at info@byrdadatto.com.