Texas Narrows the Data Breach Notification Timeline

Texas data breach notification law adds requirement to notify state attorney general.

By Seth Jaffe

Last month, the Texas Legislature enacted H.B. 4390, which modified the Texas data breach notification law, narrowing the notification timeline from “as quickly as possible” to “without unreasonable delay,” but in no case longer than 60 days. Texas is not alone in imposing a time limit; about 20 other states have done this as well.[1]

What is more concerning for security practitioners is H.B. 4390’s requirement to notify the Texas Attorney General if the breach involves at least 250 residents. More specifically, a company suffering a breach must disclose to the Attorney General a detailed description of the nature and circumstances of the breach, the measures taken by the company regarding the breach, and any future measures the company intends to take regarding the breach.

Experienced cyber crisis management professionals will note the imposition this puts on an incident response team. Not only must one quickly determine the cause of the incident, but all post-breach actions taken in advance of Attorney General notification come under the microscope, the sufficiency of which is relative. And on top of that, the notifying company must predict its forward action plan, which also will be reviewed and judged by regulators.

As the goal posts narrow between learning of a breach and notifying a state regulator or data subject, companies may want to consider dusting off and beefing up their incident response plans, making the transition from policy-based plans to executable plans. At the very least, your plan should include procedures designed to walk team members through incident response steps in a logical and pre-thought-out manner. With a little bit of advance planning, new regulatory obligations such as the ones in H.B. 4390 won’t seem as onerous.

[1] Other states are not standing still with their respective data breach notification laws either. In 2019, eight other states amended their laws in the area of cybersecurity and data privacy. See Illinois S.B. 1624, Maine L.D. 946, Maryland H.B. 1154, Massachusetts H.B. 4806, New Jersey S. 52, New York S.B. 5575B, Oregon S.B. 684, Washington H.B. 1071.