Exterro's Legal GRC Breakdown



Proposed Texas Privacy Law

Created on June 22, 2020

Demand Generation Manager, Exterro

Why This Privacy Law is Important: Texas is slowly making progress to strengthen its data privacy laws. The bill, which went into effect January 1, 2020, is the result of amendments made to the state’s data breach notification law.

Overview/Status of Bill: HB 4390 amended Texas’ former data breach notification law to impose stricter timelines and reporting actions in the event of a possible data breach. It also created the Texas Privacy Protection Advisory Council, which has been tasked with studying and developing recommendations regarding data privacy legislation.

Need to Know Information:

Who it Applies To: Any person or entity that conducts business in Texas and owns or licenses computerized data that includes sensitive “Personal Information.” The law also applies to any entity or person outside of Texas that manages, maintains and uses information that is owned or stored in Texas.

What is Covered: HB 4390 covers “personal information,” which is defined as an individual’s first name or initial and last name in combination with any one or more of the following:

  1. Social Security Number
  2. Driver license number or government-issued ID number
  3. Bank account number
  4. Credit / Debit card number
  5. Security Codes of those Credit / Debit Cards

How to Comply: Businesses must disclose any data breach to individuals whose personal information was or is reasonably suspected to have been involved in a data breach within 60 days of determining that the breach occurred. In addition, any data breach involving 250 or more Texas residents must be reported within 60 days to the Texas Attorney General, and the report must provide the following:

  1. A detailed description of the breach or the use of sensitive information acquired during the breach
  2. The number of Texas residents affected
  3. Measures taken to date regarding the breach
  4. Any measures that will be taken in the future regarding the breach
  5. An indication of whether law enforcement has been notified.

Potential Penalties: Failure to comply with notification requirements could result in civil penalties of up to $100 per person or $250,000.