Mandatory Timeframe for Breach Reporting and/or Consumer Notification

Within 60 days
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of Breach Notification Laws:

- $2,000 up to $50,000

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • Organizations must notify any Texas resident whose sensitive personal information was acquired by an unauthorized person within 60 days of discovery of the breach.
  • If 250 or more residents are affected by a breach of security, organizations must also notify the Attorney General with specific details of the breach. Such notification must be completed within 60 days of discovery of the breach.
  • If more than 10,000 consumer notifications are sent, breach reporting, without unreasonable delay, to each consumer reporting agency that maintains files on consumers on a nationwide basis is also required.
  • Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications.
  • If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Organizations must have procedures in place for the protection of sensitive personal information, including processes for responding to potential risks or a breach or suspected breach of security.
  • Organizations must have processes in place for the disposal of customer information no longer needed, by shredding, erasing or otherwise modifying to make it unreadable or indecipherable.
  • Organizations are considered compliant with the state’s disposal regulations if they contract with a data disposal vendor.
  • Data disposal Vendors must have measures in place for the destruction of records containing personal information so the records are unreadable or undecipherable.
  • An Organization's failure to properly dispose of personal information is subject to a fine of up to $500 for each business record.
  • Texas law has heavy penalties for violations of the regulations involving protection of personal information and breach notification, including, but not limited to:
    • Civil penalties from $2,000 to $50,000 per violation
    • $100 for each individual that failed to receive a notification (up to $250,000)
    • Reimbursement of expenses to the state Attorney General
  • The unauthorized use or possession of a consumer’s personal information is considered a deceptive trade practice.
  • Texas has regulations specific to the consent, disclosure, protection and retention of individuals’ biometric identifiers.
  • Organizations may be fined or penalized for Vendor violations.
Statutes and Laws
  • TX Business and Commerce Code §§ 521.001 – 521.002 Identity Theft Enforcement and Protection Act
  • TX Business and Commerce Code § 521.051 Unauthorized use or possession of personal identifying information
  • TX Business and Commerce Code § 521.052 Business duty to protect sensitive personal information
  • TX Business and Commerce Code § 521.053 Notification required following breach of security of computerized data
  • TX Business and Commerce Code § 521.151 Civil Penalty; Injunction
  • TX Business and Commerce Code §§ 72.001 – 72.004 Disposal of Certain Business Records
  • TX Business and Commerce Code § 503.001 Capture or Use of Biometric Identifier
  • TX Health and Safety Code 181 Medical Records Privacy