By: Capriglione (Senate Sponsor - Nelson) H.B. No. 3746
         (In the Senate - Received from the House May 3, 2021;
  May 6, 2021, read first time and referred to Committee on Business &
  Commerce; May 20, 2021, reported favorably by the following vote:  
  Yeas 9, Nays 0; May 20, 2021, sent to printer.)
Click here to see the committee vote
 
 
A BILL TO BE ENTITLED
 
AN ACT
 
  relating to certain notifications required following a breach of
  security of computerized data.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Section 521.053, Business & Commerce Code, is
  amended by amending Subsection (i) and adding Subsection (j) to
  read as follows:
         (i)  A person who is required to disclose or provide
  notification of a breach of system security under this section
  shall notify the attorney general of that breach not later than the
  60th day after the date on which the person determines that the
  breach occurred if the breach involves at least 250 residents of
  this state. The notification under this subsection must include:
               (1)  a detailed description of the nature and
  circumstances of the breach or the use of sensitive personal
  information acquired as a result of the breach;
               (2)  the number of residents of this state affected by
  the breach at the time of notification;
               (3)  the number of affected residents that have been
  sent a disclosure of the breach by mail or other direct method of
  communication at the time of notification;
               (4)  the measures taken by the person regarding the
  breach;
               (5) [(4)]  any measures the person intends to take
  regarding the breach after the notification under this subsection;
  and
               (6) [(5)]  information regarding whether law
  enforcement is engaged in investigating the breach.
         (j)  The attorney general shall post on the attorney
  general's publicly accessible Internet website a listing of the
  notifications received by the attorney general under Subsection
  (i), excluding any sensitive personal information that may have
  been reported to the attorney general under that subsection, any
  information that may compromise a data system's security, and any
  other information reported to the attorney general that is made
  confidential by law. The attorney general shall:
               (1)  update the listing not later than the 30th day
  after the date the attorney general receives notification of a new
  breach of system security;
               (2)  remove a notification from the listing not later
  than the first anniversary of the date the attorney general added
  the notification to the listing if the person who provided the
  notification has not notified the attorney general of any
  additional breaches under Subsection (i) during that period; and
               (3)  maintain only the most recently updated listing on
  the attorney general's website.
         SECTION 2.  This Act takes effect September 1, 2021.
 
  * * * * *