| 1 | 1 | | 88R3500 MLH-F |
|---|
| 2 | 2 | | By: Capriglione H.B. No. 1660 |
|---|
| 3 | 3 | | |
|---|
| 4 | 4 | | |
|---|
| 5 | 5 | | A BILL TO BE ENTITLED |
|---|
| 6 | 6 | | AN ACT |
|---|
| 7 | 7 | | relating to the process for notifying the attorney general of a |
|---|
| 8 | 8 | | breach of security of computerized data by persons doing business |
|---|
| 9 | 9 | | in this state. |
|---|
| 10 | 10 | | BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|---|
| 11 | 11 | | SECTION 1. Sections 521.053(i) and (j), Business & Commerce |
|---|
| 12 | 12 | | Code, are amended to read as follows: |
|---|
| 13 | 13 | | (i) A person who is required to disclose or provide |
|---|
| 14 | 14 | | notification of a breach of system security under this section |
|---|
| 15 | 15 | | shall notify the attorney general of that breach as soon as |
|---|
| 16 | 16 | | practicable and not later than the 30th [60th] day after the date on |
|---|
| 17 | 17 | | which the person determines that the breach occurred if the breach |
|---|
| 18 | 18 | | involves at least 250 residents of this state. The notification |
|---|
| 19 | 19 | | under this subsection must be submitted electronically using a form |
|---|
| 20 | 20 | | accessed through the attorney general's Internet website and must |
|---|
| 21 | 21 | | include: |
|---|
| 22 | 22 | | (1) a detailed description of the nature and |
|---|
| 23 | 23 | | circumstances of the breach or the use of sensitive personal |
|---|
| 24 | 24 | | information acquired as a result of the breach; |
|---|
| 25 | 25 | | (2) the number of residents of this state affected by |
|---|
| 26 | 26 | | the breach at the time of notification; |
|---|
| 27 | 27 | | (3) the number of affected residents that have been |
|---|
| 28 | 28 | | sent a disclosure of the breach by mail or other direct method of |
|---|
| 29 | 29 | | communication at the time of notification; |
|---|
| 30 | 30 | | (4) the measures taken by the person regarding the |
|---|
| 31 | 31 | | breach; |
|---|
| 32 | 32 | | (5) any measures the person intends to take regarding |
|---|
| 33 | 33 | | the breach after the notification under this subsection; and |
|---|
| 34 | 34 | | (6) information regarding whether law enforcement is |
|---|
| 35 | 35 | | engaged in investigating the breach. |
|---|
| 36 | 36 | | (j) The attorney general shall post on the attorney |
|---|
| 37 | 37 | | general's publicly accessible Internet website: |
|---|
| 38 | 38 | | (1) an electronic form for submitting a notification |
|---|
| 39 | 39 | | under Subsection (i); and |
|---|
| 40 | 40 | | (2) a listing of the notifications received by the |
|---|
| 41 | 41 | | attorney general under Subsection (i), excluding any sensitive |
|---|
| 42 | 42 | | personal information that may have been reported to the attorney |
|---|
| 43 | 43 | | general under that subsection, any information that may compromise |
|---|
| 44 | 44 | | a data system's security, and any other information reported to the |
|---|
| 45 | 45 | | attorney general that is made confidential by law. The attorney |
|---|
| 46 | 46 | | general shall: |
|---|
| 47 | 47 | | (A) [(1)] update the listing not later than the |
|---|
| 48 | 48 | | 30th day after the date the attorney general receives notification |
|---|
| 49 | 49 | | of a new breach of system security; |
|---|
| 50 | 50 | | (B) [(2)] remove a notification from the listing |
|---|
| 51 | 51 | | not later than the first anniversary of the date the attorney |
|---|
| 52 | 52 | | general added the notification to the listing if the person who |
|---|
| 53 | 53 | | provided the notification has not notified the attorney general of |
|---|
| 54 | 54 | | any additional breaches under Subsection (i) during that period; |
|---|
| 55 | 55 | | and |
|---|
| 56 | 56 | | (C) [(3)] maintain only the most recently |
|---|
| 57 | 57 | | updated listing on the attorney general's website. |
|---|
| 58 | 58 | | SECTION 2. This Act takes effect September 1, 2023. |
|---|