Texas Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Texas operates one of the most actively enforced data breach notification frameworks in the country. The state's breach notification law, part of the Identity Theft Enforcement and Protection Act, requires businesses to notify affected Texans and, in many cases, the Attorney General after a security incident exposes sensitive personal information.
What sets Texas apart from most states is the dual-timeline structure. Businesses face a 60-day deadline for individual notifications and a shorter 30-day deadline for reporting to the AG. Combined with an attorney general's office that has secured more than $2.7 billion in privacy-related settlements since 2022, these reporting rules carry real consequences for non-compliance.
This article breaks down the full notification framework, including who must report, what triggers the obligation, how penalties work, and what defenses are available under Texas law.
Who Must Comply With Texas Breach Notification Law
The notification obligation under Section 521.053 applies to any person who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information. The statute does not define "conducts business" narrowly, meaning out-of-state companies that handle data belonging to Texas residents are subject to the law.
State agencies and local governments face additional requirements under Government Code Section 2054.1125, which requires them to report security incidents (including suspected breaches and ransomware events) to the Department of Information Resources.
Third-party data custodians have a separate obligation. Under Section 521.053(c), any person who maintains data that it does not own must notify the data owner immediately after discovering a breach. The 60-day clock then starts for the owner, not the custodian.
What Qualifies as a Breach Under Texas Law
A "breach of system security" is defined under Section 521.053(a) as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person.
The key word is "acquisition." Unauthorized access alone may not trigger the notification requirement. Texas requires that the data actually have been acquired, not merely accessed or viewed, in a way that compromises its security.
One important caveat: even encrypted data can qualify as a breach if the unauthorized person also obtained the encryption key. The statute explicitly includes "data that is encrypted if the person accessing the data has the key required to decrypt the data."
What Data Triggers the Notification Obligation
Section 521.002 defines "sensitive personal information" in two categories.
Category One: Name Plus Identifier
An individual's first name (or first initial) and last name combined with one or more of the following unencrypted elements:
- Social Security number
- Driver's license number or government-issued identification number
- Account number, credit card number, or debit card number combined with any required security code, access code, or password that would permit access to the individual's financial account
Category Two: Health Information
Information that identifies an individual and relates to:
- The individual's physical or mental health condition
- The provision of health care to the individual
- Payment for health care provided to the individual
What Is Excluded
Sensitive personal information does not include publicly available information that is lawfully made available to the public from the federal government or a state or local government.
The Encryption Safe Harbor
Texas provides a meaningful encryption safe harbor. The definition of sensitive personal information under Section 521.002 excludes data that has been "rendered unreadable, unusable, or indecipherable through encryption, redaction, or another method." If the compromised data was properly encrypted and the encryption key was not also acquired, the notification obligation does not apply.
This safe harbor has limits. The encryption must have been in place at the time of the breach. Businesses cannot encrypt data after the fact and claim the exemption. And if an attacker obtains both the encrypted data and the decryption key, the safe harbor vanishes.
Dual-Timeline Notification Requirements

Texas is one of a handful of states that impose separate deadlines for individual and government notification, with the government deadline being shorter.
60-Day Deadline: Individual Notification
Under Section 521.053(b), a business must disclose the breach to each affected individual "without unreasonable delay and in each case not later than the 60th day after the date on which the person determines that the breach occurred."
The clock starts when the business determines a breach occurred, not when it first suspects one. However, the "without unreasonable delay" language means that a business cannot deliberately slow its investigation to push notifications closer to the 60-day limit.
30-Day Deadline: Attorney General Notification
Under Section 521.053(b-1), when a breach affects 250 or more Texas residents, the business must notify the Texas Attorney General "as soon as practicable and not later than the 30th day after the date on which the person determines that the breach occurred."
Effective September 1, 2023 (following SB 768), all AG notifications must be submitted electronically through the AG's official Data Breach Report form. The report must include:
- A detailed description of the nature and circumstances of the breach
- The number of Texas residents affected at the time of notification
- The number of affected residents who have already been sent direct notification
- Measures taken in response to the breach
- Measures the business intends to take after notification
- Whether law enforcement is investigating the breach
The AG publishes reported breaches on a publicly accessible website, creating both transparency and reputational incentive for compliance.
Methods of Notification
Section 521.053(e) permits several notification methods:
- Written notice sent to the individual's last known address
- Electronic notice that complies with the federal Electronic Signatures in Global and National Commerce Act (E-SIGN Act)
- Alternative notice under the substitute notification rules
Substitute Notification
Section 521.053(f) allows substitute notification when:
- The cost of direct notification would exceed $250,000
- The number of affected persons exceeds 500,000
- The business lacks sufficient contact information for direct notification
Substitute notification requires all three of the following: email notification where possible, conspicuous posting on the business's website, and publication in or broadcast through major statewide media.
Consumer Reporting Agency Notice
Under Section 521.053(h), when a breach requires notification to 10,000 or more individuals at one time, the business must also notify all nationwide consumer reporting agencies (the three major credit bureaus) of the timing, distribution, and content of the notification sent to individuals.
Law Enforcement Delay
Section 521.053(d) permits a delay in notification if a law enforcement agency determines that the notification would impede a criminal investigation. The notification must be made as soon as the law enforcement agency determines it will no longer interfere with the investigation.
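To show how the rules above combine in an incident-response playbook, here is an added example (not from the original article) that encodes the breach test, the sensitive-data categories, the encryption safe harbor, the custodian rule, and the 60-day/30-day deadlines with the 250, 10,000 and 500,000-person thresholds. The field names and the "calendar days from the determination date" reading of the deadlines are assumptions for illustration, not statutory text.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds as described in the article (Tex. Bus. & Com. Code ch. 521).
AG_THRESHOLD = 250          # 521.053(b-1): notify AG when >= 250 Texans affected
CRA_THRESHOLD = 10_000      # 521.053(h): notify consumer reporting agencies at >= 10,000
SUBSTITUTE_COST = 250_000   # 521.053(f): substitute notice if direct cost > $250,000 ...
SUBSTITUTE_COUNT = 500_000  # ... or more than 500,000 affected persons
# Category One identifiers (assumed labels, constructed for this example).
IDENTIFIERS = {"ssn", "drivers_license", "gov_id", "financial_account_with_code"}

@dataclass
class Incident:
    determined_on: str                 # ISO date the business *determined* a breach occurred
    acquired: bool                     # data was acquired, not merely accessed or viewed
    has_name: bool                     # first name/initial + last name present
    elements: set = field(default_factory=set)  # Category One identifiers exposed
    health_info: bool = False          # Category Two information exposed
    encrypted: bool = False            # data was encrypted at the time of the breach
    key_compromised: bool = False      # attacker also obtained the decryption key
    texas_residents: int = 0
    direct_notice_cost: float = 0.0
    contact_info_sufficient: bool = True
    we_own_the_data: bool = True       # False => third-party custodian under 521.053(c)

def is_sensitive(inc: Incident) -> bool:
    """Sensitive personal information per 521.002, applying the encryption safe harbor."""
    if inc.encrypted and not inc.key_compromised:
        return False  # rendered unreadable and the key was not also acquired
    cat_one = inc.has_name and bool(inc.elements & IDENTIFIERS)
    return cat_one or inc.health_info

def assess(inc: Incident) -> dict:
    """Return the Chapter 521 obligations and outside dates (ISO strings) for an incident."""
    if not (inc.acquired and is_sensitive(inc)):
        return {"breach": False}
    if not inc.we_own_the_data:
        # Custodian: notify the owner immediately; the owner's 60-day clock then starts.
        return {"breach": True, "action": "notify data owner immediately (521.053(c))"}
    d0 = date.fromisoformat(inc.determined_on)
    return {
        "breach": True,
        "individual_notice_by": (d0 + timedelta(days=60)).isoformat(),
        "ag_notice_by": ((d0 + timedelta(days=30)).isoformat()
                         if inc.texas_residents >= AG_THRESHOLD else None),
        "cra_notice_required": inc.texas_residents >= CRA_THRESHOLD,
        "substitute_notice_allowed": (inc.direct_notice_cost > SUBSTITUTE_COST
                                      or inc.texas_residents > SUBSTITUTE_COUNT
                                      or not inc.contact_info_sufficient),
    }
```

The law-enforcement delay in 521.053(d) is deliberately not modelled, because it shifts deadlines only on an agency's determination rather than on facts the business itself can compute.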
Penalties and Enforcement

Texas enforces breach notification requirements through both direct civil penalties and the Deceptive Trade Practices Act.
Civil Penalties Under Chapter 521
Under Section 521.151, a person who violates Chapter 521 is liable for a civil penalty of at least $2,000 but not more than $50,000 for each violation.
For notification failures specifically, an additional penalty structure applies: up to $100 per individual per day for each consecutive day the business fails to comply with the notification requirements. These penalties are capped at $250,000 for all individuals affected by a single breach.
Deceptive Trade Practices Act Enforcement
The Texas Attorney General can also pursue violations under the Deceptive Trade Practices Act (DTPA), codified at Chapter 17 of the Business and Commerce Code. The DTPA provides additional remedies including:
- Temporary restraining orders and injunctions
- Recovery of reasonable expenses, court costs, and attorney's fees
- Civil penalties for DTPA violations
Private Right of Action
Unlike many state breach notification laws, Texas provides consumers with an indirect private right of action through the DTPA. A violation of Chapter 521 can constitute a deceptive trade practice, allowing affected individuals to bring their own lawsuits.
Under the DTPA, consumers who prove a "knowing" violation may recover up to three times their economic damages plus damages for mental anguish. Prevailing plaintiffs are also entitled to court costs and reasonable attorney's fees.
This makes Texas one of the more plaintiff-friendly states for data breach litigation, even though the private right of action comes through the DTPA rather than Chapter 521 itself.
AG Enforcement Track Record

The Texas Attorney General's office has demonstrated an aggressive enforcement posture on data privacy. While the $1.4 billion Meta settlement and $1.375 billion Google settlement involved biometric privacy rather than breach notification, they signal the AG's willingness to pursue maximum penalties.
For breach notification specifically, the AG settled investigations with Experian and T-Mobile for over $1.5 million combined. The AG's Data Privacy and Security Initiative, launched in 2024, has investigated the data practices of more than 200 companies.
The Cybersecurity Safe Harbor (SB 2610)
Texas Senate Bill 2610, effective September 1, 2025, created a cybersecurity safe harbor for qualifying businesses. This is a significant development for companies defending against breach-related litigation.
Who Qualifies
The safe harbor applies to businesses operating in Texas with fewer than 250 employees, organized into three tiers:
| Tier | Employee Count | Requirements |
|---|---|---|
| Tier 1 | Under 20 | Basic cybersecurity program |
| Tier 2 | 20 to 99 | Moderate program aligned to recognized framework |
| Tier 3 | 100 to 249 | Comprehensive program with regular assessments |
Recognized Frameworks
The law recognizes compliance with established cybersecurity frameworks, including the NIST Cybersecurity Framework and the HITRUST CSF, as meeting the safe harbor requirements.
What the Safe Harbor Provides
A qualifying business that implemented and maintained a compliant cybersecurity program at the time of a breach is shielded from punitive damages in breach-related litigation. The safe harbor does not eliminate liability entirely. Businesses can still face compensatory damages, AG enforcement, and statutory civil penalties.
The Catch
The business must demonstrate it had the cybersecurity program in place before the breach occurred. Implementing a program after the fact provides no protection. Documentation of compliance, regular risk assessments, and evidence of program maintenance are critical.
How TDPSA Interacts With Breach Notification
The Texas Data Privacy and Security Act (TDPSA), which took effect July 1, 2024, does not create its own breach notification requirements. The existing framework under Chapter 521 remains the sole breach notification statute.
However, the TDPSA intersects with breach notification in two practical ways. First, the TDPSA's data security requirements under Chapter 541 may establish the standard of care for what constitutes "reasonable" security practices, which affects both the likelihood of breaches and the available defenses. Second, TDPSA violations carry penalties of up to $7,500 per violation, adding another layer of exposure for companies that suffer breaches due to inadequate data protection.
A company that violates TDPSA data security requirements and then suffers a breach could face both TDPSA penalties for the security failure and Chapter 521 penalties for any notification deficiencies.
This article provides general legal information about Texas data breach notification requirements. It is not legal advice. If you need guidance about a specific breach incident, compliance obligations, or potential liability, consult an attorney licensed in Texas.
Sources and References
- Tex. Bus. & Com. Code 521.053 - Notification Required Following Breach of Security (statutes.capitol.texas.gov)
- Tex. Bus. & Com. Code 521.002 - Definitions (Sensitive Personal Information) (statutes.capitol.texas.gov)
- Tex. Bus. & Com. Code 521.151 - Civil Penalty; Injunction (statutes.capitol.texas.gov)
- Texas AG Data Breach Reporting Portal (texasattorneygeneral.gov)
- Texas Identity Theft Enforcement and Protection Act (texasattorneygeneral.gov)
- SB 768 - AG Electronic Notification Requirements (88th Legislature) (capitol.texas.gov)
- SB 2610 - Cybersecurity Safe Harbor for Small Businesses (89th Legislature) (capitol.texas.gov)
- Texas Deceptive Trade Practices Act (Chapter 17) (statutes.capitol.texas.gov)
- Texas AG $1.4B Meta Biometric Settlement (texasattorneygeneral.gov)
- Texas AG $1.375B Google Privacy Settlement (texasattorneygeneral.gov)
- Texas AG Experian and T-Mobile Breach Settlements (texasattorneygeneral.gov)
- Texas Data Privacy and Security Act (TDPSA) (texasattorneygeneral.gov)
- Texas Government Code Chapter 2054 - Information Resources (State Agency Requirements) (statutes.capitol.texas.gov)