On May 31, 2021, the Texas Legislature approved House Bill 3746, which amends the Texas Business and Commerce Code § 521.053 relating to certain notifications required following a data breach involving Texas residents.

The bill includes the existing requirement that any business or entity notify the attorney general of a data breach within 60 days of its occurrence if the breach involves at least 250 Texas residents. The notice must include the nature and circumstances of the breach, the number of residents involved, the number of residents who were sent a notice letter, the measures taken regarding the breach and whether law enforcement is engaged in investigating the breach. In our discussions, with the Texas attorney general’s office, they encourage reporting entities to utilize the online reporting portal.

Notably, the bill allows the attorney general to post on its website a public listing of the data breach notifications received, excluding any sensitive personal information, which will be updated monthly. After one year, the attorney general will remove the posted notification if the entity has not reported any additional breaches during that period.

Once the bill is signed by Texas Gov. Greg Abbott, it will take effect beginning Sept. 1, 2021.