Texas Breach Law Will Change in 2020, To Require Attorney General Notification
Posted on June 25, 2019
New requirements to the Texas data breach statute, including a requirement to notify the Texas attorney general of a breach, are set to go into effect January 1, 2020. The legislation, signed by Texas Governor, Greg Abbot, on June 14, 2019, requires that the Texas attorney general be notified of a breach within 60 days. The AG notification is required only if 250 or more Texas residents are affected. The notification to the attorney general must include a description of the breach, number of residents affected, measures taken in response to the breach, measures planned to be taken after notification and whether law enforcement has been engaged with the investigation. The legislation also adds a 60 day timing requirement for notice, from the current “as quickly as possible” standard.
In an unusual step for breach notice laws, the legislation also creates a “Texas Privacy Protection Advisory Council.” This Council is tasked with studying both Texas and other privacy laws, both domestic and foreign. Members of the Council will be in-state residents, and are to include someone from a nonprofit organization that looks at privacy from the consumer perspective, as well as a law school professor. The Council is tasked with making recommendations to the legislature in Texas on privacy law changes that “appear necessary from the results of the council’s study.” This development is interesting in light of the two Texas privacy bills that were recently introduced, the Texas Consumer Privacy Act and the Texas Privacy Protection Act. The Council’s findings and recommendations are due September 1, 2020.
PUTTING IT INTO PRACTICE: Companies with nationwide breach notice plans should work in the new requirement to notify the Texas attorney general prior to the January 1, 2020 effective date. We will continue to monitor the developments that result from this new Council, in the meantime.
New Jersey Breach Notice Law Expands To Cover Online Account Breaches
Posted on May 16, 2019
New Jersey joins a growing list of states that include user name, email address or any other identifier in combination with any password or security question and answer would permit access to an online account as personal information that, if breached, would give rise to a duty to notify. Other states that include these identifiers as “triggering” of their states’ breach notice statutes include Alabama, Arizona, California, Colorado, Delaware, Florida, Nebraska, Nevada, Puerto Rico, South Dakota and Wyoming. This legislation was recently signed by Governor Phil Murphy and will be effective September 1, 2019.
Should a company find that online account credentials have been breached, it can provide notice to the impacted individuals through an electronic notice or other format that directs the individual to update their password and security question or answer, as well as advising the individual to take other appropriate steps to protect their online accounts. If an email account has been breached, notice must be provided in a form of communication other than by email to the impacted email account.
PUTTING IT INTO PRACTICE: Companies should keep in mind that beginning September 1, breaches to online account credentials (username or email address and password) will require notice in New Jersey.
         23 Eye on Privacy 2019 Year in Review