On March 31, 2021, the Texas legislature passed House Bill 3746 (HB 3746), an update to the state’s breach notification statute. HB 3746 is expected to be signed into law by the Texas governor and become effective on September 1, 2021. The bill makes two primary changes to Texas’ current breach notification statute.
First, the updated breach notification statute will require the Texas attorney general’s office to begin posting on its website “a listing of the notifications” it receives when a breach affects at least 250 Texas residents. The amended statute does not describe what “listing” must be posted; however, the statute prohibits the posting of “any information that may compromise a [business’] data system’s security,” or anything that includes sensitive personal information or is considered confidential under the law.
Unlike similar posting requirements under the laws of other states (California, Massachusetts, etc.), the Texas law provides for a take-down for what might be considered good behavior. If the business does not notify the Texas AG of an additional data breach within the subsequent twelve months, the online posting for that business is to be taken down. In addition, the Texas statute only contemplates publication of one breach – the most recent one. The one-year time period for the listing restarts when each new listing is posted.
Second, HB 3746 adds a content requirement for notice to the Texas AG. Businesses will now be required to specify the number of affected Texas residents who were sent a direct notice in addition to the other notice content requirements already in the statute: (i) “a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach,” (ii) “the number of residents of this state affected by the breach at the time of notification,” (iii) “the measures taken by the [entity] regarding the breach,” (iv) “any measures the [entity] intends to take regarding the breach after the notification under this subsection,” and (v) “information regarding whether law enforcement is engaged in investigating the breach.”
The online posting of breaches is presumably designed to enhance accountability and promote responsible security measures. This Texas law, like similar laws, may increase the potential reputational harm associated with a data breach, and could foster additional litigation. Media and consumer protection advocates commonly review sources like online postings and republish the information. Reactions can be swift and unpredictable. Experienced data breach professionals can assist in careful evaluation of facts, circumstances, nature, and extent of the breach, and applicable legal requirements, all of which should be carefully considered and appropriately addressed before any public statements are made.