88R3500 MLH-F
 
  By: Capriglione H.B. No. 1660
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the process for notifying the attorney general of a
  breach of security of computerized data by persons doing business
  in this state.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Sections 521.053(i) and (j), Business & Commerce
  Code, are amended to read as follows:
         (i)  A person who is required to disclose or provide
  notification of a breach of system security under this section
  shall notify the attorney general of that breach as soon as
  practicable and not later than the 30th [60th] day after the date on
  which the person determines that the breach occurred if the breach
  involves at least 250 residents of this state. The notification
  under this subsection must be submitted electronically using a form
  accessed through the attorney general's Internet website and must
  include:
               (1)  a detailed description of the nature and
  circumstances of the breach or the use of sensitive personal
  information acquired as a result of the breach;
               (2)  the number of residents of this state affected by
  the breach at the time of notification;
               (3)  the number of affected residents that have been
  sent a disclosure of the breach by mail or other direct method of
  communication at the time of notification;
               (4)  the measures taken by the person regarding the
  breach;
               (5)  any measures the person intends to take regarding
  the breach after the notification under this subsection; and
               (6)  information regarding whether law enforcement is
  engaged in investigating the breach.
         (j)  The attorney general shall post on the attorney
  general's publicly accessible Internet website:
               (1)  an electronic form for submitting a notification
  under Subsection (i); and
               (2)  a listing of the notifications received by the
  attorney general under Subsection (i), excluding any sensitive
  personal information that may have been reported to the attorney
  general under that subsection, any information that may compromise
  a data system's security, and any other information reported to the
  attorney general that is made confidential by law.  The attorney
  general shall:
                     (A) [(1)]  update the listing not later than the
  30th day after the date the attorney general receives notification
  of a new breach of system security;
                     (B) [(2)]  remove a notification from the listing
  not later than the first anniversary of the date the attorney
  general added the notification to the listing if the person who
  provided the notification has not notified the attorney general of
  any additional breaches under Subsection (i) during that period;
  and
                     (C) [(3)]  maintain only the most recently
  updated listing on the attorney general's website.
         SECTION 2.  This Act takes effect September 1, 2023.