By Michelle Johnston, CIPM, CIPP/US – Compliance Privacy Officer at CSR Privacy Solutions, Inc.
After several rounds of revisions Texas finally passes HB 4390. The legislation revises the notification requirements of the Texas Identity Theft Enforcement and Protection Act § 521.053, Business & Commerce Code and creates the Texas Privacy Protection Advisory Council.
The Texas Privacy Protection Act’s (HB 4360) amendments apply to:
Texas businesses must be aware of the updated disclosure time frame and low threshold for reporting to the Attorney General.
Currently, the Texas Identity Theft Enforcement and Protection Act requires that notice be provided “as quickly as possible” to individuals whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person.
HB 4390 revises this timing requirement and states that persons conducting business in Texas and owns computerized data are required to provide consumer notification, after discovering or receiving notification of the breach, where the individual’s sensitive personal information is reasonably believed to have been acquired by an unauthorized person without unreasonable delay and no later than the 60th day after the date it is determined a breach has occurred.
Furthermore, notification of the breach must be provided to the attorney general if the breach involves at least 250 Texas residents and no later than the 60th day after the date it is determined a breach has occurred. The contents of the notification to the attorney general must include:
This potion of the bill goes into effect January 1, 2020.
Under section 2 of HB 4390, the Texas Privacy Protection Advisory Council is created to study and develop recommendations for future Texas data privacy laws, as well as study and evaluate privacy laws of other states and foreign jurisdictions. The Council’s purpose is to make recommendations to members of the legislature relating to changes in Texas’ laws governing privacy and protection of information including Chapter 521, Business & Commerce Code or to the Penal Code, by September 1, 2020.
The fifteen members of the Council must be selected by September 1, 2019. The Council will consist of appointed industry representatives who live in Texas, members of the Texas House of Representatives, senators, and a representative of a nonprofit organization that studies or evaluates data privacy laws or a professor who has published writings on data privacy. The Council will be abolished and this section will expire on December 31, 2020.