88R14400 SHH-D
 
  By: Lalani H.B. No. 4761
 
 
 
A BILL TO BE ENTITLED
 
AN ACT
  relating to the notification required following a breach of
  security of computerized data.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Sections 521.053(b) and (i), Business & Commerce
  Code, are amended to read as follows:
         (b)  A person who conducts business in this state and owns or
  licenses computerized data that includes sensitive personal
  information shall disclose any breach of system security, after
  discovering or receiving notification of the breach, to any
  individual whose sensitive personal information was, or is
  reasonably believed to have been, acquired by an unauthorized
  person. The disclosure shall be made without unreasonable delay
  and in each case not later than the 30th [60th] day after the date on
  which the person determines that the breach occurred, except as
  provided by Subsection (d) or as necessary to determine the scope of
  the breach and restore the reasonable integrity of the data system.
         (i)  A person who is required to disclose or provide
  notification of a breach of system security under this section
  shall notify the attorney general of that breach not later than the
  30th [60th] day after the date on which the person determines that
  the breach occurred if the breach involves at least 250 residents of
  this state. The notification under this subsection must include:
               (1)  a detailed description of the nature and
  circumstances of the breach or the use of sensitive personal
  information acquired as a result of the breach;
               (2)  the number of residents of this state affected by
  the breach at the time of notification;
               (3)  the number of affected residents that have been
  sent a disclosure of the breach by mail or other direct method of
  communication at the time of notification;
               (4)  the measures taken by the person regarding the
  breach;
               (5)  any measures the person intends to take regarding
  the breach after the notification under this subsection; and
               (6)  information regarding whether law enforcement is
  engaged in investigating the breach.
         SECTION 2.  This Act takes effect September 1, 2023.