Data Breach Reporting Requirements for Texas Businesses

f

Texas law requires businesses and organizations that experience a data breach of system security that affects 250 or more Texans to report that breach to the Office of the Texas Attorney General as soon as practicably possible and no later than 30 days after the discovery of the breach. Businesses and organizations must also provide notice of the breach to affected consumers.

Effective September 1, 2023, Texas law requires that all reports be submitted to the Texas Attorney General electronically using the Data Breach Report provided by the OAG . The report to the AG must specify the number of Texans that the business or organization has notified of the breach by mail or email.

If you are an individual that has been notified of a data breach, and/or are not an authorized representative of the business or organization experiencing a data breach, please submit your information via a consumer complaint form.

Authorized Representatives

If you are an authorized representative of a business or organization, submit your Data Breach Report.

Data Breach Report

How do I submit the required Data Breach Report to the Texas Attorney General’s Office?

Fill out the Data Breach Report form and submit it electronically.

Before you fill out the report form, here is what you need to know:

• The Data Breach Report webform should be completed ONLY by an authorized agent of the business or organization that experienced the breach. This will usually be the owner, manager, officer, attorney, or representative who can affirm that he or she is authorized to submit the report.
• The system can NOT save your report form, so you need to complete it in one sitting.
• To prepare, you can preview the Data Breach Report form.
• Do NOT hit the “back” button on your browser, or your submission will be cleared.
• Your completed Data Breach Report is potentially an open record. This means that members of the general public may file an open records request to obtain a copy of your completed report form.
• If your business or organization experienced more than one breach, please submit a separate Data Breach Report for each.
• If your business or organization previously reported a breach and is providing supplemental or updated information, be sure that your new report reflects the TOTAL number of affected and notified consumers to date and that it includes ALL types of Personal Information identified as affected in the breach.
• In the event that you receive error messages when attempting to submit your report, please email screen shots of your completed report, as well as the error messages, to [email protected].
• If you are a consumer who wants to report a breach or to provide information about a breach, please do NOT fill out this report form. Instead, submit your information via a complaint form. What happens after I submit my completed Data Breach Report?

You will automatically receive a confirmation email to let you know that your report was successfully submitted. You will also receive a record number. Please retain that email and your assigned record number for your files.

The Consumer Protection Division of the Attorney General’s office will contact you with follow up questions, if any.

The Office of the Attorney General provides a required listing of the data breach reports received by the AG at the AG’s website.

What if I am a consumer with information about a data breach or who received a data breach notice that a company sent to me?

Please submit your information via this complaint form.

What if I am not an agent authorized by the business or organization to report a breach, but have information about a breach and want to provide it to the Office of the Attorney General?

Please provide your information via this complaint form. Do not submit a Data Breach Report unless you are an authorized agent or representative of the business or organization that experienced the breach.

What if I have questions about the Texas Identity Theft Enforcement and Protection Act and its requirements?

For your convenience, review the Texas Identity Theft Enforcement and Protection Act.

If you have questions about how the law applies to you or need interpretations of the law, please consult with your attorney. The Office of the Attorney General may not serve as your lawyer or provide you with legal advice or interpretations of the law.