Bill Summary – FastDemocracy

         
            88R3500 MLH-F
         
		By: Capriglione
            H.B. No. 1660
         
               A BILL TO BE ENTITLED
            
               AN ACT
            
            relating to the process for notifying the attorney general of a 
         
            breach of security of computerized data by persons doing business 
         
            in this state.
         
                   BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         
                   SECTION 1.  Sections 521.053(i) and (j), Business & Commerce 
         
            Code, are amended to read as follows:
         
                   (i)  A person who is required to disclose or provide 
         
            notification of a breach of system security under this section 
         
            shall notify the attorney general of that breach as soon as 
         
            practicable and not later than the 30th [60th] day after the date on 
         
            which the person determines that the breach occurred if the breach 
         
            involves at least 250 residents of this state.  The notification 
         
            under this subsection must be submitted electronically using a form 
         
            accessed through the attorney general's Internet website and must
         
            include:
         
                         (1)  a detailed description of the nature and 
         
            circumstances of the breach or the use of sensitive personal 
         
            information acquired as a result of the breach;
         
                         (2)  the number of residents of this state affected by 
         
            the breach at the time of notification;
         
                         (3)  the number of affected residents that have been 
         
            sent a disclosure of the breach by mail or other direct method of 
         
            communication at the time of notification;
         
                         (4)  the measures taken by the person regarding the 
         
            breach;
         
                         (5)  any measures the person intends to take regarding 
         
            the breach after the notification under this subsection; and
         
                         (6)  information regarding whether law enforcement is 
         
            engaged in investigating the breach.
         
                   (j)  The attorney general shall post on the attorney 
         
            general's publicly accessible Internet website:
         
                         (1)  an electronic form for submitting a notification 
         
            under Subsection (i); and
         
                         (2)  a listing of the notifications received by the 
         
            attorney general under Subsection (i), excluding any sensitive 
         
            personal information that may have been reported to the attorney 
         
            general under that subsection, any information that may compromise 
         
            a data system's security, and any other information reported to the 
         
            attorney general that is made confidential by law.  The attorney 
         
            general shall:
         
                               (A) [(1)]  update the listing not later than the 
         
            30th day after the date the attorney general receives notification 
         
            of a new breach of system security;
         
                               (B) [(2)]  remove a notification from the listing 
         
            not later than the first anniversary of the date the attorney 
         
            general added the notification to the listing if the person who 
         
            provided the notification has not notified the attorney general of 
         
            any additional breaches under Subsection (i) during that period; 
         
            and
         
                               (C) [(3)]  maintain only the most recently 
         
            updated listing on the attorney general's website.
         
                   SECTION 2.  This Act takes effect September 1, 2023.
         
Statutes affected: 
Introduced: Commerce Code 521.053 (Commerce Code 521)



	A BILL TO BE ENTITLED
	AN ACT
	relating to the process for notifying the attorney general of a
	breach of security of computerized data by persons doing business
	in this state.
	BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
	SECTION 1. Sections 521.053(i) and (j), Business & Commerce
	Code, are amended to read as follows:
	(i) A person who is required to disclose or provide
	notification of a breach of system security under this section
	shall notify the attorney general of that breach as soon as
	practicable and not later than the 30th [~~60th~~] day after the date on
	which the person determines that the breach occurred if the breach
	involves at least 250 residents of this state. The notification
	under this subsection must be submitted electronically using a form
	accessed through the attorney general's Internet website and must
	include:
	(1) a detailed description of the nature and
	circumstances of the breach or the use of sensitive personal
	information acquired as a result of the breach;
	(2) the number of residents of this state affected by
	the breach at the time of notification;
	(3) the number of affected residents that have been
	sent a disclosure of the breach by mail or other direct method of
	communication at the time of notification;
	(4) the measures taken by the person regarding the
	breach;
	(5) any measures the person intends to take regarding
	the breach after the notification under this subsection; and
	(6) information regarding whether law enforcement is
	engaged in investigating the breach.
	(j) The attorney general shall post on the attorney
	general's publicly accessible Internet website:
	(1) an electronic form for submitting a notification
	under Subsection (i); and
	(2) a listing of the notifications received by the
	attorney general under Subsection (i), excluding any sensitive
	personal information that may have been reported to the attorney
	general under that subsection, any information that may compromise
	a data system's security, and any other information reported to the
	attorney general that is made confidential by law. The attorney
	general shall:
	(A) [~~(1)~~] update the listing not later than the
	30th day after the date the attorney general receives notification
	of a new breach of system security;
	(B) [~~(2)~~] remove a notification from the listing
	not later than the first anniversary of the date the attorney
	general added the notification to the listing if the person who
	provided the notification has not notified the attorney general of
	any additional breaches under Subsection (i) during that period;
	and
	(C) [~~(3)~~] maintain only the most recently
	updated listing on the attorney general's website.
	SECTION 2. This Act takes effect September 1, 2023.