H.B. 3746

By: Capriglione

Business & Industry

Committee Report (Unamended)






Last session, the Texas Legislature enacted legislation requiring entities that experience a security breach affecting at least 250 Texans to notify the attorney general of the breach. Since implementation of the bill, more than 30 million Texans have had their data compromised by a security breach. This number is higher than the U.S. Census Bureau's most recent population estimates for the state, meaning some individuals have had their personal information compromised more than once. H.B. 3746 seeks to make information regarding these breaches more publicly accessible by requiring the attorney general to post a comprehensive list of the security breach notices on the attorney general's website. The bill also revises the required contents of the notice to provide the attorney general a more accurate picture of how many security breach victims are sufficiently notified that their data has been compromised.




It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.




It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.




H.B. 3746 amends the Business & Commerce Code to require the notification of a breach of system security sent to the attorney general following a breach of security of computerized data to include the number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification. The bill requires the attorney general to post on the attorney general's publicly accessible website a comprehensive listing of the notifications received by the attorney general, excluding any sensitive personal or confidential information that may have been reported. The bill requires the listing to be updated not later than the 30th day after the date the attorney general receives notification of a new breach of system security.




September 1, 2021.