Data Breach Notification Under Texas Law: What You Must Do When Personal Information Is Compromised
When a business discovers that sensitive personal information in its possession has been accessed by an unauthorized person, two clocks start running simultaneously. Under Texas Business and Commerce Code § 521.053, the business must notify affected individuals within 60 days of determining that the breach occurred. If the breach affects 250 or more Texas residents, the business must notify the Texas Attorney General within 30 days. Missing either deadline exposes the business to civil penalties of $2,000 to $50,000 per violation, additional penalties of up to $250,000 per breach for failure to provide timely notice, and attorney's fees and investigation costs.
For most businesses, a data breach is a statistical probability. Knowing what triggers the notification obligation, who must be notified, what the notification must say, and how to prepare before a breach occurs is as important as any other compliance function.
What Triggers the Notification Obligation
Under § 521.053(a), a "breach of system security" is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person. Several elements of this definition deserve attention.
"Unauthorized acquisition" means someone who shouldn't have the data got it. Accessing, downloading, copying, or exfiltrating the data all qualify. Encryption doesn't automatically eliminate the trigger: if the person who accessed the data also has the encryption key required to decrypt it, the breach qualifies even though the data was encrypted at rest.
"Sensitive personal information" under Chapter 521 is defined as an individual's first name or first initial and last name combined with one or more of the following: Social Security number, driver's license or government-issued ID number, financial account number (including credit card or debit card number) in combination with any required security code, access code, or password, information that identifies an individual as a user of a digital certificate for electronic signatures, and information regarding an individual's physical or mental health condition, or payment for health care. Sensitive personal information also includes data that without the individual's name can be used alone or combined with other information to identify an individual and gain access to the individual's financial accounts.
A "good faith" acquisition by an employee or agent of the business, for the business's purposes, isn't a breach of system security unless the employee or agent uses or discloses the information in an unauthorized manner.
Who Must Be Notified
Individual notification goes to every person whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. "Reasonably believed" means the business can't wait for confirmation that the data was used maliciously. If the data was accessed by an unauthorized person and the business can't confirm the data wasn't compromised, notification is required.
Attorney General notification is required when the breach affects 250 or more Texas residents. Before September 1, 2023, the AG notification deadline was 60 days (the same as individual notification). SB 768 shortened the AG deadline to 30 days after the business determines the breach occurred. Many businesses that established compliance procedures before SB 768 are still operating under the old 60-day timeline without realizing the deadline was cut in half.
AG notification must be submitted electronically through the AG's Data Breach Reporting portal and must include a detailed description of the nature and circumstances of the breach, the number of Texas residents affected at the time of notification, the number of affected residents already notified by direct communication, the measures taken regarding the breach, any measures the business intends to take in response, and whether law enforcement is investigating.
Credit reporting agency notification is required when the breach affects more than 10,000 individuals. In that case, the business must notify each nationwide consumer reporting agency (Equifax, Experian, TransUnion) about the timing, distribution, and content of the notices sent to individuals.
Third-party data custodians (businesses that maintain but don't own the sensitive personal information) must notify the data owner "immediately" after discovering the breach. The 60-day notification clock then starts for the data owner, not the custodian. If your business stores data on behalf of another company and that data is breached, your obligation is to notify the data owner immediately, and the data owner's obligation is to notify the affected individuals within 60 days.
What the Notification Must Say
Texas law doesn't prescribe a specific notification format, but effective breach notifications include a description of the incident (what happened, when it was discovered, and what data was involved), the types of sensitive personal information that were or may have been compromised, steps the business is taking to investigate and remediate the breach, steps the individual can take to protect themselves (monitoring financial accounts, placing fraud alerts or credit freezes, reviewing credit reports), contact information for the business (a dedicated phone line or email for breach-related inquiries), and contact information for the major credit reporting agencies and the FTC's identity theft reporting resources.
How to Deliver the Notification
Notification can be provided by written notice mailed to the individual's last known address, electronic notice consistent with the federal E-SIGN Act (15 U.S.C. § 7001), or telephone notice.
Substitute notice is permitted when direct notice is impracticable because the cost would exceed $250,000, the number of affected individuals exceeds 500,000, or the business doesn't have sufficient contact information. Substitute notice requires a combination of email (if the business has addresses on file), conspicuous posting on the business's website, and publication or broadcast through major statewide media.
A business that maintains its own notification procedures as part of an existing information security policy can follow those procedures instead of the statutory methods, provided the procedures comply with the timing requirements of § 521.053.
Law Enforcement Delay
A business can delay notification at the request of a law enforcement agency that determines notification would impede a criminal investigation. § 521.053(d). The delay lasts until the law enforcement agency determines that notification won't compromise the investigation. If law enforcement requests a delay, document the request, the agency, the date, and the authorization to delay, because the business bears the burden of proving the delay was lawful if the AG later questions the timeline.
Penalties for Non-Compliance
Civil penalties under § 521.151 range from $2,000 to $50,000 per violation. For notification failures specifically, an additional penalty of up to $100 per individual per day applies for each consecutive day the business fails to comply, capped at $250,000 for all individuals affected by a single breach.
Violations can also be pursued under the Deceptive Trade Practices Act (DTPA), which can produce additional penalties and remedies beyond Chapter 521's penalties. Since 2022, the Texas AG's office has secured more than $2.7 billion in privacy-related settlements, and AG Ken Paxton has made data privacy enforcement a stated priority.
Multi-State Breach Notification
Every state and the District of Columbia has its own breach notification statute, and a business with customers in multiple states must comply with each applicable law. A single breach affecting customers in Texas, California, New York, and Florida triggers four separate notification obligations with different definitions of personal information, different notification timelines, different content requirements, and different AG notification thresholds.
Some states have shorter notification windows than Texas (Colorado requires notification within 30 days, Florida within 30 days). Some states define personal information more broadly (California includes medical information, health insurance information, and biometric data). Some states require notification to additional regulators beyond the AG (New York requires notification to the Department of State and the Division of State Police).
Section 521.053(b-1) provides that if the affected individual resides in a state with its own breach notification law, the business can provide notice under either that state's law or Texas law. This doesn't eliminate the obligation to comply with the other state's law, but it allows the business to use one notification to satisfy both requirements if the notification meets the more demanding standard.
Incident Response Planning
A documented incident response plan, prepared before a breach occurs, is the single most effective compliance tool.
An incident response plan should identify the internal response team (IT, legal, management, communications), establish a notification timeline that satisfies the most demanding applicable deadline (if you have customers in Colorado or Florida, 30 days is your effective deadline, not 60), define the escalation process for determining whether a security event constitutes a breach requiring notification, identify outside counsel and forensic investigators who can be engaged on short notice, include template notification letters for individuals and the AG that can be customized to the specific incident, and address the vendor notification chain (if the breach occurs at a vendor, the vendor's immediate notification obligation triggers the business's 60-day clock, and any delay in the vendor's notification compresses the business's response time).
Practical Recommendations
Prepare an incident response plan before you need it. Assembling a response team, retaining forensic investigators, and drafting notification letters during a breach produces delay, mistakes, and missed deadlines. A plan that's reviewed and tested annually puts the team in position to execute on day one.
Know your deadlines. The AG notification deadline is 30 days (not 60). Individual notification is 60 days. Both run from the date the business determines the breach occurred, not from the date the breach began. A breach that started six months ago but was discovered yesterday triggers the deadlines yesterday.
If you maintain data on behalf of another company, notify the data owner immediately upon discovery. Your obligation is immediate notification, and the data owner's notification clock starts when they receive your notice. Delay in your notification compresses their response time and may expose both parties.
Review your vendor contracts for breach notification provisions. If a vendor experiences a breach affecting your customers' data, the vendor's notification timeline determines how much time you have. A vendor contract that allows 30 days for the vendor to notify you leaves you 30 days (or less) for your own investigation and notification. Negotiate vendor breach notification timelines of 48 to 72 hours, not 30 days.
Carry cyber liability insurance that covers breach response costs, including forensic investigation, legal fees, notification expenses, credit monitoring for affected individuals, and regulatory defense. A mid-size breach affecting 5,000 individuals can produce $200,000 or more in response costs before any penalties or litigation.
Related practice area: Privacy Law
Need advice tied to your business issue?
Share the issue. Get direct attorney review. Receive a concrete recommendation.
Submit an Inquiry