A BILL TO BE ENTITLED

AN ACT

relating to certain notifications required following a breach of security of computerized data.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Section 521.053, Business & Commerce Code, is amended by amending Subsection (i) and adding Subsection (j) to read as follows:

(i) A person who is required to disclose or provide notification of a breach of system security under this section shall notify the attorney general of that breach not later than the 60th day after the date on which the person determines that the breach occurred if the breach involves at least 250 residents of this state. The notification under this subsection must include:

(1) a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;

(2) the number of residents of this state affected by the breach at the time of notification;

(3) the number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification;

(4) the measures taken by the person regarding the breach;

(5) [(4)] any measures the person intends to take regarding the breach after the notification under this subsection; and

(6) [(5)] information regarding whether law enforcement is engaged in investigating the breach.

(j) The attorney general shall post on the attorney general's publicly accessible Internet website a listing of the notifications received by the attorney general under Subsection (i), excluding any sensitive personal information that may have been reported to the attorney general under that subsection, any information that may compromise a data system's security, and any other information reported to the attorney general that is made confidential by law. The attorney general shall:

(1) update the listing not later than the 30th day after the date the attorney general receives notification of a new breach of system security;

(2) remove a notification from the listing not later than the first anniversary of the date the attorney general added the notification to the listing if the person who provided the notification has not notified the attorney general of any additional breaches under Subsection (i) during that period; and

(3) maintain only the most recently updated listing on the attorney general's website.

SECTION 2. This Act takes effect September 1, 2021.