Texas

Browse data breach notification laws in the United States by states or territories. This database currently includes breach statutes for a business that collects personal information. This database is for informational purposes only and may not be up-to-date. Please review our Terms of Service. Report any errors or issues to: webmaster@amp.legal.

Last Updated Texas breach law summary was last updated on 02/22/2023
Statute Tex. Bus. & Com. Code §§ 521.002, 521.053, 521.151   [View Source]   [Download PDF]
Covered EntitiesA person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information.
Covered Information"Sensitve Personal Information" includes First Name (or First Initial) and Last Name PLUS one of the following:
  • Social security number
  • Driver's license number or government-issued identification number
  • Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account
OR
  • Information that identifies an individual and relates to: (i) the physical or mental health or condition of the individual; (ii) the provision of health care to the individual; or (iii) payment for the provision of health care to the individual.
Form of InformationElectronic
Breach TriggerUnauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.
Encryption Safe HarborYes (some circumstances). Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.
Risk of Harm AnalysisA person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Consumer NoticeThe disclosure shall be made without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred.
Government Agency NoticeYes. A person who is required to disclose or provide notification of a breach of system security under this section shall notify the attorney general of that breach not later than the 60th day after the date on which the person determines that the breach occurred if the breach involves at least 250 residents of this state. The notification under this subsection must include: (1) a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach; (2) the number of residents of this state affected by the breach at the time of notification; (3) the number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification; (4) the measures taken by the person regarding the breach; (5) any measures the person intends to take regarding the breach after the notification under this subsection; and (6) information regarding whether law enforcement is engaged in investigating the breach.
Credit Agency NoticeYes, more than 10,000 persons. If a person is required by this section to notify at one time more than 10,000 persons of a breach of system security, the person shall also notify each consumer reporting agency, as defined by 15 U.S.C. Section 1681a, that maintains files on consumers on a nationwide basis, of the timing, distribution, and content of the notices.
PenaltiesYes, up to $250,000. A person who violates this chapter is liable to this state for a civil penalty of at least $2,000 but not more than $50,000 for each violation. The attorney general may bring an action to recover the civil penalty imposed under this subsection. In addition to penalties assessed under Subsection (a), a person who fails to take reasonable action to comply with Section 521.053(b) is liable to this state for a civil penalty of not more than $100 for each individual to whom notification is due under that subsection for each consecutive day that the person fails to take reasonable action to comply with that subsection. Civil penalties under this section may not exceed $250,000 for all individuals to whom notification is due after a single breach. The attorney general may bring an action to recover the civil penalties imposed under this subsection. (b) If it appears to the attorney general that a person is engaging in, has engaged in, or is about to engage in conduct that violates this chapter, the attorney general may bring an action in the name of the state against the person to restrain the violation by a temporary restraining order or by a permanent or temporary injunction.
Private Cause of ActionNo.