On June 14, Texas Governor Greg Abbott signed into law HB 4390 to amend the state’s data breach notification law, and with that Texas joins a growing list of states passing privacy legislation in 2019. In addition to breach notification changes, HB 4390 creates an advisory council to study privacy laws across the U.S. and relevant foreign jurisdictions and to make recommendations to the legislature for future privacy legislation. The amendments to the state’s breach notification requirements go into force January 1, 2020, but Texans will have to wait until the next legislative session in 2021 at the earliest for another shot at comprehensive privacy legislation.
This legislative session saw two competing privacy bills introduced in the Texas legislature. Although HB 4390 was successfully passed by both houses, the bill was significantly amended before landing on Governor Abbott’s desk for his signature. The final text of HB 4390, signed into law last week, is seen as a compromise, by amending the state’s breach notification law to be more in line with other states’ breach notification laws and creating a mechanism to study the legislative trends related to privacy and data protection before making recommendations for future privacy legislation in the state. In its original form, HB 4390 required, among other things, that businesses provide notice to individuals regarding the processing of personal information, implement a data security program, and delete an individual’s personal information in certain instances. The other privacy bill, HB 4518, proposed a comprehensive approach to regulating privacy and essentially mirrored the California Consumer Privacy Act. The Texas CCPA copycat bill, however, failed to make it out of the Texas House Business and Industry Committee.
With respect to data breach notification, HB 4390 amends the Texas Identity Theft Enforcement and Protection Act in two primary ways. First, the law adds a definite deadline by which businesses must provide notice to affected individuals, requiring notice be provided without unreasonable delay but no later than 60 days after determining a breach has occurred. Second, businesses are required to provide notice to the Texas attorney general within the same 60 days after a breach is determined if the breach involves the sensitive personal information of 250 or more Texas residents. Such notice to the attorney general must include:
- A detailed description of the nature and circumstances of the breach, or the use of sensitive personal information acquired as a result of the breach;
- The number of Texas residents affected by the breach at the time of notification;
- The measures that have been taken in response to the breach;
- Any measures the business intends to take after the notification; and
- Whether law enforcement is engaged in investigating the breach.
The new breach notification requirements go into effect on January 1, 2020.
HB 4390 also establishes the Texas Privacy Protection Advisory Council, consisting of 15 appointed members, including lawmakers from both state houses and representatives from industry, academia and nonprofit organizations. Representatives from a cross-section of specified industries will make up more than half of the council, including representatives from the medical, consumer banking, technology, data analytics, telecommunications and retail industries. The council’s initial report and recommendations on specific statutory changes regarding the privacy and protection of personal information are required to be issued to the legislature no later than September 1, 2020. Members must be appointed no later than November 1, 2019, and the council will be abolished December 31, 2020, allowing over a year for the council to complete its work.
Why it matters: Companies doing business in Texas that maintain sensitive personal information of Texas residents should review their incident response plans now and make any necessary updates or adjustments to ensure compliance with the new data breach notification rules by January 1, 2020. In practice, for security incidents affecting individuals in multiple states, the new Texas 60-day timeline should be considered along with the timelines required by all the applicable state laws and any federal notification requirements, as notice requirements may vary between jurisdictions, including some with more stringent timelines. While it remains to be seen whether the creation of this advisory council signals Texas legislators’ appetite for comprehensive privacy legislation in the future, Manatt is tracking privacy legislative developments across the country and on Capitol Hill. Companies are well advised to stay ahead of the conversation and to keep data privacy at the forefront of their business initiatives for the foreseeable future.