Texas Governor Greg Abbott recently signed into law HB 4390 (the “Bill”), which amends the state’s data breach notification law and creates an advisory council tasked with studying and developing recommendations regarding data privacy legislation.

Previously, Texas’ law required businesses to disclose “as quickly as possible” any breach to individuals whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The Bill introduces a timing requirement, mandating that individual notice be provided within 60 days of determining that the breach occurred.

The Bill also adds a requirement to notify the Texas Attorney General if notifying at least 250 Texas residents. Notice to the Attorney General must be provided by the same deadline (within 60 days of determining the breach occurred) and include (1) a detailed description of the nature of the breach or the use of sensitive personal information acquired as a result of the breach, (2) the number of residents affected, (3) measures taken regarding the breach, and (4) information regarding whether law enforcement is engaged in investigating the breach. The Bill’s amendments to the data breach notification law take effect on January 1, 2020.

Separately, Section 2 of the Bill creates the Texas Privacy Protection Advisory Council to study data privacy laws in Texas, other states and in relevant foreign jurisdictions. The council is charged with reporting its findings and recommendations regarding data privacy and protection by September 1, 2020.

The Bill was one of two proposed data privacy bills Texas legislators introduced in March of 2019. The other, HB 4518, has stalled. This Bill was revised multiple times before taking its final form.