BILL ANALYSIS

 

 

 

S.B. 768

By: Parker

Business & Industry

Committee Report (Unamended)

 

 

 

BACKGROUND AND PURPOSE

 

Entities that experience a data breach are required to report the breach to the Office of the Attorney General (OAG) within 60 days of discovery; the OAG is required to maintain a public website with a listing of those breaches and to update that listing not later than the 30th day after the OAG receives a data breach notice. However, current law does not specify the method or means by which that report must be provided to the OAG. Approximately one-third of the data breach notices the OAG receives are submitted in the form of narrative letters with attachments. Processing notices submitted in letter form requires more significant staff time than that required to process notices received electronically, since staff must review and extract the necessary information from each letter and physically scan and save these hard copy notices. S.B. 768 seeks to address this issue by revising the submission requirements for a notice of a data breach.

 

CRIMINAL JUSTICE IMPACT

 

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

 

ANALYSIS

 

S.B. 768 amends the Business & Commerce Code to change the deadline by which a person who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information is required to disclose to or notify the attorney general of a breach of system security that involves at least 250 Texas residents from not later than the 60th day after the date on which the person determines that the breach occurred to as soon as practicable and not later than the 30th day after that date. The bill requires the attorney general to post on the attorney general's publicly accessible website an electronic form for submitting the required breach of system security notification and requires the notification to be submitted electronically using that form.

 

EFFECTIVE DATE

 

September 1, 2023.