|
|
|
A BILL TO BE ENTITLED
|
|
AN ACT
|
|
relating to the process for notifying the attorney general of a |
|
breach of security of computerized data by persons doing business |
|
in this state. |
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
SECTION 1. Sections 521.053(i) and (j), Business & Commerce |
|
Code, are amended to read as follows: |
|
(i) A person who is required to disclose or provide |
|
notification of a breach of system security under this section |
|
shall notify the attorney general of that breach as soon as |
|
practicable and not later than the 30th [60th] day after the date on |
|
which the person determines that the breach occurred if the breach |
|
involves at least 250 residents of this state. The notification |
|
under this subsection must be submitted electronically using a form |
|
accessed through the attorney general's Internet website and must |
|
include: |
|
(1) a detailed description of the nature and |
|
circumstances of the breach or the use of sensitive personal |
|
information acquired as a result of the breach; |
|
(2) the number of residents of this state affected by |
|
the breach at the time of notification; |
|
(3) the number of affected residents that have been |
|
sent a disclosure of the breach by mail or other direct method of |
|
communication at the time of notification; |
|
(4) the measures taken by the person regarding the |
|
breach; |
|
(5) any measures the person intends to take regarding |
|
the breach after the notification under this subsection; and |
|
(6) information regarding whether law enforcement is |
|
engaged in investigating the breach. |
|
(j) The attorney general shall post on the attorney |
|
general's publicly accessible Internet website: |
|
(1) an electronic form for submitting a notification |
|
under Subsection (i); and |
|
(2) a listing of the notifications received by the |
|
attorney general under Subsection (i), excluding any sensitive |
|
personal information that may have been reported to the attorney |
|
general under that subsection, any information that may compromise |
|
a data system's security, and any other information reported to the |
|
attorney general that is made confidential by law. The attorney |
|
general shall: |
|
(A) [(1)] update the listing not later than the |
|
30th day after the date the attorney general receives notification |
|
of a new breach of system security; |
|
(B) [(2)] remove a notification from the listing |
|
not later than the first anniversary of the date the attorney |
|
general added the notification to the listing if the person who |
|
provided the notification has not notified the attorney general of |
|
any additional breaches under Subsection (i) during that period; |
|
and |
|
(C) [(3)] maintain only the most recently |
|
updated listing on the attorney general's website. |
|
SECTION 2. This Act takes effect September 1, 2023. |