Texas lawmakers have stepped up how they handle data breach reporting by amending the state’s breach notification law. The following discusses the breach notification law and points out how the amendment will broaden its application in the future. The amendment is set to go into effect September 1, 2021.
First step: What does the healthcare organization need to do?
First, the law requires the healthcare provider who is the victim of a data breach to notify the state’s attorney general’s office within 60 days of discovering the breach. The state’s data breach notification law requires this notification when the breach impacts 250 or more Texans.
When putting together the notice, the business should include a description of the breach, how many patients were impacted by the breach, what the business is currently doing to respond to the breach, and any future plans to address the breach after it sends out the notification. The amendment also requires the notification to include the number of affected residents that received a disclosure of the breach. The business that is subject to the breach will also need to inform the attorney general’s office if law enforcement is investigating the breach.
Second step: How will the attorney general’s office use this information?
The new law will require the attorney general’s office to post any data breach notices to a public website. The posting should exclude any sensitive personal information or information that could further compromise the data systems’ security. The attorney general’s office must publish this posting within 30 days of notification of the breach.
If there are no additional breaches, the amendment requires the attorney general’s office to remove the notification from the listing after one year.