Texas Data Breach Notification Requirements
Texas data breach notification law establishes mandatory obligations for businesses and government entities that collect, store, or process sensitive personal information about Texas residents. The primary statutory framework is codified in Texas Business & Commerce Code, Chapter 521, enforced by the Texas Office of the Attorney General. This page maps the definition, scope, mechanical requirements, classification boundaries, and operational tensions of that framework for professionals, researchers, and entities navigating compliance obligations.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
Texas Business & Commerce Code §521.053 imposes a 60-day notification deadline on any person who conducts business in Texas and owns or licenses computerized data containing sensitive personal information, when a breach of system security is discovered. The statute defines "sensitive personal information" to include a first name or first initial combined with last name, plus one or more of the following: Social Security number, driver's license or government-issued identification number, account or credit/debit card number in combination with a required security code, or information that reveals medical condition or health insurance status (Texas B&C Code §521.002).
"Breach of system security" under §521.053(a) means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information. Accidental internal disclosures that do not result in unauthorized use are typically treated as outside the statutory trigger, though the determination requires factual analysis.
Geographic scope: The statute applies when the person conducting business owns or licenses data containing information about Texas residents. Physical presence in Texas is not strictly required — the operative trigger is the data subject's status as a Texas resident. The statute does not specify a minimum number of affected individuals to activate notification duties.
Scope limitations and boundaries: This page addresses Texas-specific obligations under Chapter 521. Federal overlay requirements — including the Health Insurance Portability and Accountability Act (HIPAA) breach notification rule at 45 CFR Part 164, Subpart D, and the Gramm-Leach-Bliley Act's Safeguards Rule administered by the Federal Trade Commission — apply independently and are not addressed here. Multi-state breach scenarios involving residents of states outside Texas trigger parallel notification obligations under those states' laws, which fall outside this page's coverage. For the broader statutory and regulatory architecture governing Texas cybersecurity obligations, see the Regulatory Context for Texas Cybersecurity reference.
Core mechanics or structure
The Chapter 521 notification mechanism operates in three functional stages: discovery, assessment, and notification delivery.
Discovery trigger: The 60-day clock begins upon discovery of the breach, not upon confirmation of harm. The statute does not define a grace period for internal investigation before the clock starts. The Texas Attorney General's office has not published a formal policy extending the discovery-to-notification window beyond the statutory 60 days.
Notification to affected individuals: The entity must notify each affected Texas resident whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Notification must be provided in the most expedient time possible and without unreasonable delay, subject to the 60-day ceiling (§521.053(b)).
Notification methods: Acceptable methods under §521.053 include written notice by first-class mail, electronic notice (if consistent with 15 U.S.C. §7001, the Electronic Signatures in Global and National Commerce Act), or telephone notification. Substitute notice is permitted when the cost of direct notification exceeds $250,000 or when the affected population exceeds 500,000 individuals — in those circumstances, substitute notice may take the form of conspicuous website posting plus notification to major statewide media (§521.053(d)).
Attorney General notification: When a breach affects 250 or more Texas residents, the entity must also notify the Texas Attorney General no later than the time individual notifications are sent (§521.053(b-1)). The OAG maintains a breach reporting portal at texasattorneygeneral.gov.
Third-party data holders: An entity that maintains but does not own sensitive personal information must notify the owner or licensee of the information of a breach immediately following discovery. The statutory obligation to notify affected individuals then shifts to the data owner.
For incident response workflows in government contexts, see Texas Cybersecurity Incident Response.
Causal relationships or drivers
The Texas Legislature enacted Chapter 521 in 2005 and has amended it through subsequent legislative sessions to respond to shifts in breach volume, data types involved, and enforcement gaps identified by the OAG's Consumer Protection Division. The 60-day window and the 250-person threshold for AG notification were codified amendments that reflect legislative judgment about balancing investigation feasibility against consumer harm exposure.
Breach frequency in Texas correlates with the state's position as home to the largest number of Fortune 500 primary locations of any U.S. state. Energy sector infrastructure — a dominant Texas industry — has faced persistent intrusion campaigns documented in CISA advisories, creating concentrated exposure in sectors that also hold large volumes of employee and consumer data. The Texas Cybersecurity Threat Landscape reference addresses sector-specific risk drivers.
Enforcement pressure from the OAG's Consumer Protection Division, which holds civil penalty authority under Chapter 521, creates compliance incentives for covered businesses. The main site index maps adjacent compliance areas including healthcare, financial services, and state agency obligations.
Classification boundaries
Texas Chapter 521 interacts with, but does not displace, parallel frameworks. Understanding the boundaries prevents both under-compliance and duplicated effort.
Texas Government Code Chapter 2054 vs. Chapter 521: Chapter 2054 governs state agencies and institutions of higher education, prescribing incident reporting to the Texas Department of Information Resources (DIR). Chapter 521 governs private-sector businesses. A state agency experiencing a breach may trigger both frameworks simultaneously — Chapter 2054 reporting to DIR and Chapter 521 obligations to affected individuals if sensitive personal information was involved.
HIPAA breach notification vs. Chapter 521: Covered entities and business associates under HIPAA follow a federal notification rule enforced by the U.S. Department of Health and Human Services Office for Civil Rights, with a 60-day notification deadline aligned structurally with Texas law but governed separately. Texas healthcare entities must satisfy both; the more stringent requirement controls in practice.
Texas Privacy Protection Act (SB 2) considerations: Senate Bill 2 from the 88th Legislature (2023) introduced amendments to the Texas Data Privacy and Security Act, creating a separate consumer rights framework. Breach notification obligations under Chapter 521 remain the operative statute for breach response; the privacy act governs data processing practices rather than incident notification.
Encrypted data safe harbor: Chapter 521 excludes from the definition of "sensitive personal information" data that has been rendered unreadable, unusable, or indecipherable through encryption, redaction, or another method — provided the encryption key or decryption tool was not also acquired (§521.053(b)).
Tradeoffs and tensions
Notification speed vs. investigation accuracy: The 60-day window creates pressure to notify before a full forensic investigation is complete. Premature notification may generate consumer alarm over incidents later determined to involve no actual data acquisition; delayed notification pending certainty risks statutory violation.
Substitute notice threshold: The 500,000-person or $250,000-cost threshold for substitute notice was set in statute and has not been adjusted for inflation or for the scale of modern breach events. Entities experiencing large-scale breaches may qualify for substitute notice even when individual notification is technologically feasible, creating tension between legal compliance and consumer protection effectiveness.
Third-party processor liability allocation: The statute places notification responsibility on data owners, but the breach often originates at a third-party processor or managed service provider. Contractual indemnification and data processing agreements become operationally critical in distributing notification obligations, and the statute's silence on breach causation means the data owner bears notification duty regardless of fault.
Federal preemption ambiguity: The Gramm-Leach-Bliley Act's revised Safeguards Rule (effective 2023) requires financial institutions to notify the FTC within 30 days of discovering a breach affecting 500 or more customers (FTC Safeguards Rule, 16 CFR Part 314). This 30-day federal window is shorter than Texas's 60-day state window, creating a de facto stricter requirement for covered financial institutions.
For institutions managing vendor and cloud exposure, Texas Cloud Security Considerations and Texas Supply Chain Cybersecurity address adjacent structural risks.
Common misconceptions
Misconception: Only Texas-based companies are covered.
Correction: Chapter 521 applies to any person who "conducts business" in Texas and handles data about Texas residents, regardless of where the entity is incorporated or headquartered. A company physically located in another state that processes Texas resident data is subject to Chapter 521 if it conducts business in Texas.
Misconception: Encrypted data is always exempt.
Correction: The encryption safe harbor applies only when the encryption key was not also acquired in the breach. If an attacker obtains both encrypted data and the decryption key, the exemption does not apply.
Misconception: The 60-day window begins at the moment of intrusion.
Correction: The statute measures from discovery of the breach, not from the date the breach occurred. Breaches discovered months after they begin are still subject to the 60-day notification period measured from discovery.
Misconception: Notifying the Attorney General satisfies all obligations.
Correction: AG notification (required at 250 or more affected individuals) is a separate and additional requirement — it does not substitute for individual notification to affected residents.
Misconception: Internal human error is always excluded.
Correction: The statute covers unauthorized acquisition, which can include insider misconduct. Accidental disclosures to unauthorized third parties may trigger the statute even if no external attacker was involved.
Checklist or steps (non-advisory)
The following sequence reflects the procedural structure established by Texas Business & Commerce Code §521.053. This is a reference of statutory steps, not legal counsel.
- Breach discovery confirmed — Document the date and time of discovery; the 60-day clock begins.
- Scope determination — Identify whether compromised data constitutes "sensitive personal information" as defined in §521.002.
- Encryption safe harbor assessment — Confirm whether the compromised data was encrypted and whether the decryption key was also acquired.
- Affected population count — Determine the number of Texas residents whose sensitive personal information was involved.
- Third-party data owner notification — If the entity is a data processor (not owner), notify the data owner immediately.
- Individual notification preparation — Draft notification content; select delivery method (mail, electronic, telephone, or substitute notice where thresholds are met).
- Attorney General notification — If 250 or more Texas residents are affected, prepare AG notification; this must be sent no later than the time individual notices are dispatched, via the OAG portal.
- Notification delivery — Send individual notifications within 60 days of discovery; document delivery.
- Recordkeeping — Retain documentation of breach discovery, investigation, notification content, delivery method, and dates.
- Federal parallel obligations review — Assess whether HIPAA, GLBA Safeguards Rule, or other federal frameworks impose separate, concurrent notification duties.
For state agency-specific incident reporting workflows, see Texas Cybersecurity for State Agencies and Reporting Cyber Incidents in Texas.
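The checklist above can be encoded as a small decision routine so an incident tracker flags the duties and deadlines this page describes for each breach record. The code below is an added example, not part of the original page or any OAG tooling; `BreachRecord`, `obligations` and the input fields are hypothetical names, and the thresholds are taken verbatim from the page (60 days, 250 residents, $250,000 / 500,000 for substitute notice, 30 days / 500 customers for the Safeguards Rule overlay).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds as this page states them (Tex. Bus. & Com. Code §521.053;
# GLBA Safeguards Rule overlay from 16 CFR Part 314).
NOTIFY_DAYS = 60            # individual-notice ceiling, measured from discovery
AG_THRESHOLD = 250          # Texas residents at which OAG notice is also required
SUBSTITUTE_COST = 250_000   # direct-notice cost above which substitute notice is allowed
SUBSTITUTE_POPULATION = 500_000
FTC_THRESHOLD = 500         # customers at which the Safeguards Rule notice applies
FTC_DAYS = 30

@dataclass
class BreachRecord:
    """Constructed input shape for the assessment; a hypothetical record, not a statutory form."""
    discovered: str                  # ISO date of discovery; the clock starts here, not at intrusion
    texas_residents: int             # residents whose sensitive personal information was involved
    encrypted: bool = False
    key_acquired: bool = False       # safe harbor is lost if the key was also taken
    is_owner: bool = True            # False: the entity maintains but does not own the data
    notification_cost_usd: int = 0   # estimated cost of direct notice
    financial_institution: bool = False
    customers_total: int = 0         # all affected customers (the federal rule is not Texas-specific)

def obligations(b: BreachRecord) -> dict:
    """Map one breach record to the duties this page describes, with deadlines as ISO dates."""
    found = date.fromisoformat(b.discovered)
    out = {"safe_harbor": b.encrypted and not b.key_acquired,
           "notify_owner_immediately": False, "individual_notice": False,
           "ag_notice": False, "substitute_notice_eligible": False,
           "deadline": None, "ftc_deadline": None}
    # Federal overlay is assessed independently of the Texas analysis
    # (the federal rule's own encryption treatment is not modelled here).
    if b.financial_institution and b.customers_total >= FTC_THRESHOLD:
        out["ftc_deadline"] = (found + timedelta(days=FTC_DAYS)).isoformat()
    if out["safe_harbor"] or b.texas_residents <= 0:
        return out          # outside the Chapter 521 definition: no state notice duty
    if not b.is_owner:
        out["notify_owner_immediately"] = True   # duty toward individuals shifts to the owner
        return out
    out["individual_notice"] = True
    out["deadline"] = (found + timedelta(days=NOTIFY_DAYS)).isoformat()
    out["ag_notice"] = b.texas_residents >= AG_THRESHOLD   # due no later than individual notices
    out["substitute_notice_eligible"] = (b.notification_cost_usd > SUBSTITUTE_COST
                                         or b.texas_residents > SUBSTITUTE_POPULATION)
    return out
```

The routine only mirrors the thresholds on this page; it does not replace the factual analysis the statute requires for whether an acquisition was unauthorized.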
Reference table or matrix
| Requirement | Threshold | Deadline | Recipient | Governing Provision |
|---|---|---|---|---|
| Individual notification | Any affected Texas resident | 60 days from discovery | Affected individuals | §521.053(b) |
| Attorney General notification | 250 or more affected Texas residents | Concurrent with individual notice | Texas OAG breach portal | §521.053(b-1) |
| Substitute notice eligibility | Cost > $250,000 or population > 500,000 | Within 60-day window | Website + statewide media | §521.053(d) |
| Third-party processor duty | Any breach by a data processor | Immediately upon discovery | Data owner or licensee | §521.053(c) |
| Encryption safe harbor | Encrypted data + key not acquired | N/A (exemption) | N/A | §521.002 |
| State agency DIR reporting | State agencies, IHEs | Per DIR rules (Chapter 2054) | Texas DIR / SOC | Texas Gov't Code §2054 |
| HIPAA parallel obligation | Covered entities / BAs | 60 days from discovery | HHS OCR + individuals | 45 CFR Part 164, Subpart D |
| FTC Safeguards Rule (GLBA) | Financial institutions, 500+ customers | 30 days from discovery | FTC | 16 CFR Part 314 |
References
- Texas Business & Commerce Code, Chapter 521 — Texas Legislature Online
- Texas Government Code, Chapter 2054 — Texas Legislature Online
- Texas Office of the Attorney General — Data Security Breaches Portal
- Texas Department of Information Resources (DIR)
- NIST SP 800-61, Rev 2 — Computer Security Incident Handling Guide
- NIST SP 800-53, Rev 5 — Security and Privacy Controls
- FTC Safeguards Rule, 16 CFR Part 314
- HHS Office for Civil Rights — HIPAA Breach Notification Rule, 45 CFR Part 164 Subpart D
- CISA — Cybersecurity and Infrastructure Security Agency
- Texas Legislature Online — Statutes Portal