Texas Privacy Laws

Breach Notification

Mandated Timeframe

Within 60 days

Fines & Penalties

Violations

$2,000 - $5,000

REGULATION LEVELS

Level description scale: Minimal / Basic / Comprehensive / Extensive. Rated categories: Breach Reporting; Consumer Notifications; Vendor Management; Vendor Contract Required.

LAWS RELATED TO PERSONAL INFORMATION

Regulated Breach Reporting

Breach Reporting Requirements

Consumer Notification Requirements

Vendor Notification of Breach

Vendor Requirements

Vendor Specific Obligations

Vendor Mandated Contracts

Privacy Program Requirements

Protection/Security

Employee Training

Vendor Protection/Security Program

Personal Information Protection

Data Disposal of Personal Information

Quick Facts

Texas Privacy Law Information

  • Privacy Program

    Organizations must have procedures in place for the protection of sensitive personal information, including processes for responding to potential risks or to a breach or suspected breach of security. Organizations must have processes in place for the disposal of customer information that is no longer needed, by shredding, erasing or otherwise modifying it to make it unreadable or indecipherable. Organizations are considered compliant with the state’s disposal regulations if they contract with a data disposal vendor. Data disposal vendors must have measures in place for the destruction of records containing personal information so that the records are unreadable or undecipherable. Texas has regulations specific to ...

  • Breach Reporting

    If 250 or more residents are affected by a breach of security, organizations must also notify the Attorney General with specific details of the breach, including the number of affected residents. Such notification must be completed within 60 days of discovery of the breach. If more than 10,000 consumer notifications are sent, the breach must also be reported, without unreasonable delay, to each consumer reporting agency that maintains files on consumers on a nationwide basis. Effective 9/1/2021, the Attorney General can post on their website the names of the companies who report a data breach within 30 days of the date they ...

  • Consumer Notification

    If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside. Organizations must notify any Texas resident whose sensitive personal information was acquired by an unauthorized person within 60 days of discovery of the breach.

  • Vendor/Third Parties

    Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications. Organizations (acting as contracted vendors for a state agency) that provide cloud computing services must be vetted and able to provide documentation showing their certification and compliance with a state risk and authorization management program.

  • Fines & Penalties

    A violation of the personal information disposal requirements is subject to a fine of up to $500 for each business record. Texas law has heavy penalties for violations of the regulations involving the protection of personal information and breach notification, including civil penalties from $2,000 to $50,000 per violation and $100 for each individual who failed to receive a notification (up to $250,000). The unauthorized use or possession of a consumer’s personal information is considered a deceptive trade practice. Organizations may be fined or penalized for Vendor violations.

Texas

Statutes and Laws

TX BUSINESS AND COMMERCE CODE § 503.001

Capture or use of biometric identifier

TX BUSINESS AND COMMERCE CODE § 521.051

Unauthorized use or possession of personal identifying information

TX BUSINESS AND COMMERCE CODE § 521.052

Business duty to protect sensitive personal information

TX BUSINESS AND COMMERCE CODE § 521.053

Notification required following breach of security of computerized data

TX BUSINESS AND COMMERCE CODE § 521.151

Civil penalty; injunction

TX BUSINESS AND COMMERCE CODE §§ 521.001 – 521.002

Identity Theft Enforcement and Protection Act

TX BUSINESS AND COMMERCE CODE §§ 72.001 – 72.004

Disposal of Certain Business Records

TX Government Code – Chapter 2054 Information Resources § 2054.0593

Cloud Computing State Risk and Authorization Management Program

TX HEALTH AND SAFETY CODE 181

Medical records privacy