This website will be unavailable from Thursday, May 30, 2024 at 6:00 p.m. through Monday, June 3, 2024 at 7:00 a.m. due to data center maintenance.

BILL ANALYSIS

 

 

Senate Research Center

S.B. 768

88R3500 MLH-F

By: Parker

 

Business & Commerce

 

3/10/2023

 

As Filed

 

 

 

AUTHOR'S / SPONSOR'S STATEMENT OF INTENT

 

Under current statute, there is a requirement for any person who conducts business using or owning computerized data to disclose the individual the breach of their information no later than 60 days after the incident. However, as cybercrimes such as identity theft have been on the rise, 60 days is too long of a period before notification is required. Also, in instances of a mass data breach.

 

S.B. 768 would require businesses to notify the attorney general of any data breach involving at least 250 Texas residents within 30 days, thereby ensuring prompt notification to consumers.

 

S.B. 768 proposes changes to the Business and Commerce Code in Texas that would require businesses to notify the attorney general within 30 days of a breach involving at least 250 Texas residents, and provide specific information about the breach. The attorney general would post an electronic form for reporting and maintain a publicly accessible listing of reported breaches, while ensuring that sensitive information is not disclosed.

 

As proposed, S.B. 768 amends current law relating to the process for notifying the attorney general of a breach of security of computerized data by persons doing business in this state.

 

RULEMAKING AUTHORITY

 

This bill does not expressly grant any additional rulemaking authority to a state officer, institution, or agency.

 

SECTION BY SECTION ANALYSIS

 

SECTION 1. Amends Sections 521.053(i) and (j), Business and Commerce Code, as follows:

 

(i) Requires a person who is required to disclose or provide notification of a breach of system security under Section 521.053 (Notification Required Following Breach of Security of Computerized Data) to notify the attorney general of that breach as soon as practicable and not later than the 30th day, rather than the 60th day, after the date on which the person determines that the breach occurred if the breach involves at least 250 residents of this state. Requires that the notification under this subsection be submitted electronically using a form accessed through the attorney general's Internet website and requires that it include:

 

(1)-(6) makes no changes to these subdivisions.

 

(j) Requires the attorney general to post on the attorney general's publicly accessible Internet website:

 

(1) an electronic form for submitting a notification under Subsection (i); and

 

(2) creates this subdivision from existing text. Makes nonsubstantive changes.

 

SECTION 2. Effective date: September 1, 2023.