Texas has updated its data breach notification law. HB 4390 introduces a privacy advisory council and mandates that individual notice in case of a breach is given within 60 days.
All states have data breach notification laws in place, and Texas is no exception. In 2019 the Texas legislature passed HB 4390, which amended the state's data breach notification law (Texas Business and Commerce Code §521.053) in several respects; the notification changes took effect on January 1, 2020.
- The bill replaces the old open-ended standard, under which anyone who conducts business in the state and owns or licenses computerized data containing sensitive personal information had to disclose a breach "as quickly as possible," with a hard deadline. Notice must now be given to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person "without unreasonable delay" and in any event not later than 60 days after the date on which the business determines that the breach occurred. Note that the clock runs from the determination that a breach occurred, not from first detection of suspicious activity, so the date of that determination should itself be recorded.
- The bill requires the business to notify the Texas Attorney General if the breach affects at least 250 Texas residents. This notification is subject to the same deadline as the notice to affected individuals, i.e. not later than 60 days after the business determines that the breach occurred.
- The bill creates the Texas Privacy Protection Advisory Council which is tasked to study data privacy laws in Texas, in other states and in relevant foreign jurisdictions.
The last point is of no immediate interest to corporate communicators, but the first two changes are. As part of preparing for a potential future crisis, businesses would do well to draft a crisis communications manual and maintain a cyber incident response plan. For any business operating in Texas that is exposed to a data breach (in other words, any Texas business that processes and stores sensitive personal information), draft notification letters belong in both that manual (see below) and the incident response plan, so that the 60-day deadline is not spent writing them from scratch.
HB 4390 does not prescribe a specific template for the notification letter sent to individuals affected by the data loss. For the notification to the Attorney General, however, there are specific content requirements. That notification must contain the following information:
- A detailed description of the nature and circumstances of the breach, or of the use of sensitive personal information acquired as a result of the breach;
- The number of Texas residents affected by the breach at the time of notification;
- The measures the business has taken regarding the breach;
- Any measures the business intends to take regarding the breach after the notification;
- Information regarding whether law enforcement is engaged in investigating the breach.
Documenting notifications given
A sound crisis communications process does not only lay out how the business will meet its notification obligations; it also requires a log of which decisions about notification were taken, when, and by whom.
The reason is that in the aftermath of a data breach, a company may have to justify in court how it communicated (or failed to communicate) with different stakeholders and show that it did so in compliance with legal requirements. Templated logging sheets help greatly here: a record that captures, at minimum, the date the breach was determined to have occurred (the start of the 60-day clock), each notification decision, the person who made it, the date and channel of each notice sent, and the count of affected residents makes it far easier to demonstrate that the business took every communication step it was required to take.
The author thanks Jessica C. Engler, CIPP/US for her assistance in drafting portions of this post.