Connect with us

Hi, what are you looking for?



Even Breach Notifications Are Bigger In Texas

If you lose a database with personal information of residents of different states, what state law or laws apply when it comes to notifying those people of the breach?

If you lose a database with personal information of residents of different states, what state law or laws apply when it comes to notifying those people of the breach?

Texas changed its breach notification law last week and those changes shine a light on this question. Texas broadened its breach notice law, making it applicable to any and all persons regardless of state residency. The law even says that if you’re a Texas company and lose a multi-state database of personal information, you’re good if you just notify in accordance with Texas law.

This article describes recent changes in Texas breach notice law, describe what privacy professionals are doing with multi-state breaches, and ultimately answer the question above.

Texas Data Breach Notification LawsOn June 14, 2013, Texas amended its breach notification law (Business Code Sec. 521.053) with Senate Bill 1610. Texas is well known for its extraterritorial breach notification applying to states without breach notification law (Alabama, Kentucky, New Mexico, and South Dakota). The Texas law said that in case of a breach, Texas residents and affected resident of states without a breach notification regulation must receive notification of the breach. Now, for Texas entities, the law has become broader.

The amendment does three things:

1) Removes the qualifier that Texas breach law only applies to Texas residents and affected resident of states without a breach notification regulation. Texas breach notification law now applies to everyone regardless of state of residence and regardless of whether a state has breach notification laws.

2) Gives Texas entities the choice of reporting under Texas law or the law of an affected person’s state of residence. This way a Texas entity need not research other state laws in order to comply with Texas law, and

3) Allows for written notice to the last know address of the affected party with the intent of making notification easier.

To paraphrase, the law now reads: Persons dealing with personal information who conduct business in Texas shall disclose a breach as quickly as possible. If the affected individual is a resident of a state that requires notice of a breach, the notice may be provided under that state’s law or under Texas law.

Advertisement. Scroll to continue reading.

While most state laws apply when its residents have been affected by a breach, Texas law applies to persons dealing with personal information who conduct business in Texas. This amendment highlights that jurisdictional distinction as well as the open discussion of when breach notification laws apply.

The minority view when considering what state laws apply is that complying with your own state breach notifications law, even with a multi-state breach, is adequate so long as you are not incorporated in other states. The basis of this line of thought appears to be the belief that attorney generals from another state won’t come after you.

The majority view is that when dealing with a multi-state breach, the laws of each state must be followed when you have residents of different states affected by the breach. The reason for this state-by-state compliance is that most breach laws are written like the Massachusetts law: “A person or agency that owns or licenses data that includes personal information about a resident of the commonwealth, shall provide notice, as soon as practicable and without unreasonable delay…” This law says nothing about doing business in Massachusetts.

In addition, states like Massachusetts are very particular about the form of notice required to their residents. Texas does not say what must be in the notice. So complying with Texas law does not mean you are complying with Massachusetts law.

The amendment is designed to make it easier for Texas entities to comply with Texas law by giving those entities the choice of notifying under Texas law or the law of residents of other states. But those Texas entities will still have to comply with the laws of other states if they lose information belonging to residents of other states if they want to be in compliance with the laws of those states. This is the important lesson that we are reminded of with the change to Texas law.

So in the end, Texas still has extraterritorial breach notification if you are a Texas entity. Notifications only need go the last known address under Texas law. And while Texas law says you may notify under Texas law regardless of residency, best practice will remain notifying under the law of the state where the affected party resides.

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Data Protection

While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...