TEXAS
FINES & PENALTIES
Violations
$2,000 – $5,000
BREACH NOTIFICATION
Mandated Timeframe
Within 60 days
BREACH REPORTING
If 250 or more residents are affected by a breach of security, organizations must also notify the Attorney General with specific details of the breach, including the number of affected residents. Such notification must be completed within 60 days of discovery of the breach. If more than 10,000 consumer notifications are sent, the breach must also be reported, without unreasonable delay, to each consumer reporting agency that maintains files on consumers on a nationwide basis. Effective 9/1/2021, the Attorney General can post on their website the names of the companies that report a data breach within 30 days of the date they are notified. The Attorney General will remove the company name from the posted list on their website one year from the original notification date, if no further breaches are reported within that time period.
CONSUMER NOTIFICATION
If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside. Organizations must notify any Texas resident whose sensitive personal information was acquired by an unauthorized person within 60 days of discovery of the breach.
FINES & PENALTIES
A violation of an Organization’s disposal of personal information is subject to a fine of up to $500 for each business record. Texas law has heavy penalties for violations of the regulations involving the protection of personal information and breach notification, including civil penalties from $2,000 to $50,000 per violation and $100 for each individual that failed to receive a notification (up to $250,000). The unauthorized use or possession of a consumer’s personal information is considered a deceptive trade practice. Organizations may be fined or penalized for Vendor violations.
VENDOR/3RD PARTIES
Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications. Organizations (acting as contracted vendors for a state agency) that provide cloud computing services must be vetted and able to provide documentation showing their certification and compliance with a state risk and authorization management program.