New Texas Data Breach Law to Come Into Effect on September 1, 2021

Last updated August 18, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

Texas is pushing a new legislature forward that comes as an amendment to the Texas Business and Commerce Code § 521.053 - and basically adds provisions to enforce the notification of the authorities when a company based in the state suffers a data breach. More specifically, the bill dictates that any entity that suffers a data breach that involves at least 250 Texas residents should notify the Texas attorney general of the fact.

The reported incident will be posted on a “wall of shame” on the attorney general office website and will be kept there for a year. If the breached entity doesn’t have any new security lapses during the year that passed, the entry will be removed. In addition to that, the companies will be obliged to inform the public of how many Texas residents have been impacted by a breach and then notify them personally by sending an alert via email.

This is similar to how things work in other American states like California, for example. There, the Attorney General's office maintains a dedicated portal where all reported data breaches and their corresponding notices of a breach are posted.

The two states have been peculiarly linked in the aftermath of the pandemic that pushed the workforce to work from home and companies to reconsider their approach and relocate to places that offer more lax taxation and regulatory policies. There’s an ongoing wave of migration of companies and employees from California to Texas, and of course, there are many factors that play a role in that. The result is a boom taking place in Texas right now, and letting tech firms that handle troves of data hide breaches under the rug isn’t a good idea anymore.

There’s also the national effort to create a stronger data breach and notification system that involves private, public, federal, and all critical entities in the country, so everything advocates towards the passing of new regulatory obligations that underpin data protection and reporting.

The new law, named “House Bill 3746”, has already been approved by the Texas Legislature and now awaits the signature of Governor Greg Abbott. We see no reason for this not to happen, so we expect the new requirements to come into effect beginning September 1, 2021.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: