HB-3746, an Update to Data Breach Law in The State of Texas

Texas’s House Bill 3746 or HB 3746 is a data breach notification law that amends previous breach notification statutes within the state of Texas. The aim of HB-3746 is to provide Texas residents with a greater level of protection in relation to personal information that may be leaked in data breaches, as well as change the ways in which they are notified of such breaches. The bill is expected to be signed into law on September 1st, 2021, and makes two primary changes to existing breach notification legislation within the state of Texas.

First, the updated law requires the Texas Attorney General’s office to begin posting “a listing of the notifications” on its website when it receives notifications of data breaches that affect more than 250 residents within the state of Texas. The statute does not specify or describe what form of listing should be posted, but instead prohibits the listing of “ any information that may compromise a business’ data security”, or anything that contains sensitive personal information or confidential information as stated by law.

What are the breach notification requirements under HB-3746?

Second, HB-3746 also requires that certain information and content be included in all data breach notifications that are given to residents within the state of Texas, and that such notifications must also be sent within 60 days of the discovery of said breach. What’s more, breach reporting to each consumer reporting agency that maintains files on consumers on a nationwide basis is also required, if more than 10,000 consumer notifications are sent, without unreasonable delay. Under HB-3746, businesses in the state of Texas will now be required to provide notification concerning the specific number of residents who were affected by a data breach, as well as a variety of other content requirements. These requirements include:

• A detailed description of the nature and circumstances of the data breach, or the use of sensitive personal. information or data that may have been acquired as a result of the breach.
• The measures taken by the business entity who experienced the breach regarding the breach.
• Any measures that a business entity intends to take regarding the breach after the notification in the above section.
• Information regarding whether law enforcement is engaged in investigating the data breach.

Vendors must also provide notice to organizations upon the discovery of a breach or suspected breach. The organization is then responsible for submitting any required regulatory reporting and consumer notifications. Organizations who are acting as contracted vendors for a state agency that provide cloud computing services must also be vetted and able to provide documentation showing their certification and compliance with a state risk and authorization management program. Additionally, HB-3746 also places certain requirements on the Texas Attorney General in relation to data breaches within the state. These requirements include:

• Post a listing of notifications received in relation to a data breaches on the Texas Attorney General’s public website, excluding any personally identifiable information, any information that may compromise the data security system of a business entity, or other forms of information that may be reported to the Attorney General that is made confidential by the law.
• Consistently maintain an updated listing on the Attorney General’s website, and update this website no later than every 30 days.
• Remove data no later than one year following the date the data was added, unless the business entity in question notified the Attorney General of additional incident that took place.

What are the fines and penalties for violating HB-3746?

The state of Texas has steep and heavy penalties for violating the data breach protection and notification statutes contained with HB-3746. These fines and penalties include civil penalties ranging from $2,000 to $50,000 per violation, depending on the scope and severity of said violation. What’s more, there is also a $100 fine for each individual that failed to receive proper notification, with a maximum penalty of $250,000, as well as reimbursement of expenses to the Texas State General. Furthermore, violation of HB-3746 also constitutes a deceptive trade practice under Texas state law.

The passing of HB-3746 is part of a wave of privacy laws that are beginning to gain steam around the U.S. Following states such as California and Virginia, Texas residents are now granted certain rights in regards to data breaches that may disclose their private or personal information without their consent. With the passing of legislation such as HB-4390, the hope is that American consumers can have some form of data protection on a state level in lieu of a federal comprehensive data privacy policy.