LEGISLATIVE BUDGET BOARD
Austin, Texas
 
FISCAL NOTE, 81ST LEGISLATIVE REGULAR SESSION
 
April 9, 2009

TO:
Honorable Rodney Ellis, Chair, Senate Committee on Government Organization
 
FROM:
John S. O'Brien, Director, Legislative Budget Board
 
IN RE:
SB1884 by Ellis (Relating to a breach of computer security involving sensitive personal information maintained by a state agency or local government.), As Introduced

No significant fiscal implication to the State is anticipated.

The bill would amend the Government Code by adding a chapter that requires state agencies and local governments to notify affected individuals of a computer security breach which discloses “sensitive personal information,” such as an individual’s name and Social Security number, driver’s license number, or financial account information. Notice shall be given as soon as practicable after discovering the breach, unless law enforcement requests a delay due to an ongoing investigation.

Notice may be provided by mail or telephone, or by email, internet posting, or through the media if the cost of the notice exceeds $50,000, the breach affects more than 100,000 people, or there is limited contact information.

Agencies and local governments would be exempt if they use more stringent notification requirements.

The Office of the Attorney General (OAG) reported that its policy has always been to inform affected individuals of any breach of personal data. The OAG has taken necessary precautions to protect sensitive information, but as this bill outlines, there are certain internal factors (i.e., staff and/or contractors) that could compromise the integrity of system information and/or access resulting in the removal of sensitive computer information. Costs to the agency will depend on the number and size of security breaches that could occur in the future.

The Department of Information Resources (DIR) reported that its privacy incident response process and major contracts with outside vendors include provisions for notification to individuals following a privacy breach incident. These documents could be amended to align with the definitions and requirements of the proposed legislation with in-house resources.

It is assumed that the cost for notification by mail would be approximately 50 cents for each affected individual. It is also assumed that, statewide, the number of affected individuals and the frequency of computer security breaches would not be high enough to require enough notifications by mail to create a significant fiscal impact to the State.


Local Government Impact

The bill would require local governmental entities to notify affected individuals of a computer security breach which discloses “sensitive personal information,” such as an individual’s name and Social Security number, driver’s license number, or financial account information.

The fiscal impact to local governmental entities would vary depending on several factors, including the type of computer technology an entity uses, the number of security breaches, and the method used for notifying individuals.



Source Agencies:
301 Office of the Governor, 302 Office of the Attorney General, 303 Facilities Commission, 304 Comptroller of Public Accounts, 313 Department of Information Resources, 320 Texas Workforce Commission, 327 Employees Retirement System, 405 Department of Public Safety, 452 Department of Licensing and Regulation, 504 Texas State Board of Dental Examiners, 520 Board of Examiners of Psychologists, 529 Health and Human Services Commission, 212 Office of Court Administration, Texas Judicial Council
LBB Staff:
JOB, KK, SD, PJK, TP, KJG