Health Care Alert: New Texas Privacy Legislation Enhances Notification Requirements in Case of Data Breach

Texas House Bill 4390 tightens the notification requirements related to a breach of sensitive personal information, requires notification to the Texas Attorney General in certain breaches, and creates an advisory council related to privacy issues.  Governor Greg Abbot signed the legislation on June 14, 2019 and the law is effective January 1, 2020.

Updated Breach Notification Requirements

House Bill 4390 amends the requirements of the Texas Identity Theft Enforcement and Protection Act (the Identify Theft Act). The major change proposed in House Bill 4390 is the addition of the requirement to notify individuals affected by a breach within 60 days. Currently, the Identify Theft Act requires notification only “as quickly as possible.”¹

Additionally, under House Bill 4390, if a breach affects at least 250 Texas residents, the Identity Theft Act would require notification of the Attorney General within the same 60-day time period. This notification would have to include:

• A detailed description of the breach or use of sensitive information acquired during the breach;
• The number of Texas residents affected;
• Measures already taken regarding the breach;
• Any measures intended to be taken regarding the breach; and
• Information as to whether law enforcement is involved

Creation of Texas Privacy Protection Advisory Council

House Bill 4390 also creates the Texas Privacy Protection Advisory Council (the Council). The Council is comprised of lawmakers, professionals from industries often implicated by privacy concerns, a representative from a consumer privacy non-profit, and a professor from a Texas institute of higher education who has published on data privacy. Members are appointed in equal number by the Speaker of the House, the Lieutenant Governor, and the Governor.

The purpose of the Council is to study privacy laws and regulations in the United States and other countries to better understand the effects and consequences of different privacy regimes. The Council would meet on a regular basis and be charged with reporting to the Texas legislature no later than September 1, 2020, with recommended statutory changes to Texas privacy laws. On December 31, 2020, this section of House Bill 4390 would expire, and the Council would be disbanded.

Implications

Any business that operates in Texas and uses sensitive personal information should be aware of these potential changes and how they could affect their organization’s current data breach response plan. With the 60-day deadline to notify affected individuals, learning of a breach and quickly responding takes on increased importance. A detailed, well-communicated privacy policy that encourages swift reporting of breaches, and a clear and concise incident response plan can make compliance with these changes less disruptive.

If you have questions about the Texas Identity Theft Enforcement and Protection Act, the changes announced in this House Bill, or the impact on your organization, please contact Jonathan Ishee, Nita Garg, or your regular Vorys attorney.