Texas Business & Commercial Code § 521.053

Enacted: 4.1.2009

Type of Data Covered: Computerized or electronic data. 

Is Breach Defined?

"In this section, “breach of system security” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data. Good faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach of system security unless the person uses or discloses the sensitive personal information in an unauthorized manner."

When is notice required?

Notice is required for all affected residents "as quickly as possible necessary to determine the scope of the breach and restore the reasonable integrity of the data system", and may be delayed if law enforcement requires it. Notice may be written, electronic, or via substitute notice, depending on circumstances. There is no requirement for the content of the notice, but if over 10,000 residents are affected, then consumer credit agencies must be notified as well.

What are the penalties for non-compliance?

At the moment there are no penalties listed, but there is a business duty to protect sensitive information in § 521.052 and the legislature reserved further sections of the code for expansion. 

