Texas Data Breach Notification Law: Compliance Requirements and 60-Day Deadline
Overview: Texas Data Breach Notification Requirements
Texas has one of the most actively enforced data breach notification laws in the United States. Under Texas Business & Commerce Code Chapter 521 (Identity Theft Enforcement and Protection Act), any person or business that owns, licenses, or maintains computerized data that includes sensitive personal information must notify affected individuals when a breach occurs. With the Texas Attorney General’s office securing over $2.7 billion in privacy-related settlements in recent years—including the landmark $1.375 billion Google settlement and $1.4 billion Meta settlement—compliance is not optional.
This guide covers everything you need to know about the Texas data breach notification law: who must comply, what triggers notification, the 60-day deadline, AG reporting requirements, penalties, and a practical incident response plan. If your business holds data on Texas residents, use our Privacy Law Calculator to check which state laws apply to you.
Who Must Comply?
The Texas data breach notification law applies broadly to any person who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information. Unlike some state privacy laws, there is no minimum revenue or data-processing threshold. If you hold personal data on even one Texas resident, this law applies to you.
The law covers:
- Businesses of all sizes—from sole proprietors to multinational corporations
- Government entities—state and local agencies have separate notification obligations under Texas Government Code §2054.1125
- Data processors—third parties that maintain computerized data on behalf of an owner or license holder must notify that owner immediately after discovering the breach (§521.053(c)); the 60-day deadline to notify individuals belongs to the data owner, and the processor's discovery date, not the owner's, is where the risk starts
- Health-related entities—covered entities under the Texas Medical Privacy Act (THIPA) have additional obligations under Health & Safety Code §181.202
What Triggers a Notification Obligation?
A notification is required when there is unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by the person (§521.053(a)). Two points matter in practice. First, the trigger is acquisition, and the statute also reaches data that "is reasonably believed to have been" acquired by an unauthorized person, so incomplete logs do not let you treat an intrusion as a non-event; if you cannot rule out exfiltration, plan to notify. Second, good-faith acquisition by your own employee or agent for your purposes is not a breach unless the data is then used or disclosed in an unauthorized manner.
Covered Personal Information
Under §521.002, “sensitive personal information” means an individual’s first name or initial and last name combined with one or more of the following:
- Social Security number
- Driver’s license number or government-issued ID number
- Account number or credit/debit card number combined with any required security code, access code, or password
- Information that identifies an individual and relates to their physical or mental health, health care provision, or health care payment (added by HB 300)
The definition covers only data that was not encrypted, so encryption provides a safe harbor, but only if the key stayed out of the attacker's hands. Treat the key as compromised if it was stored alongside the data, if the attacker controlled a host or service account that could call the decryption routine, or if you cannot show from key-management logs that the key was never accessed. In any of those cases the safe harbor does not apply and notification is required.
The 60-Day Notification Deadline
Texas requires notification as quickly as possible and without unreasonable delay, and in any case no later than the 60th day after the date the entity determines that a breach occurred (§521.053(b)). The hard 60-day deadline was added by HB 4390 (86th Legislature, effective January 1, 2020), which replaced the earlier "as quickly as possible" standard that had no outer limit. SB 768 (effective September 1, 2023) left the 60-day consumer deadline in place; it shortened the separate Attorney General notification deadline to 30 days and required that filing to be made through the AG's online form.
The clock runs from the date the entity determines that a breach occurred, not from the date the intrusion happened. The statute does not extend the deadline for a slow investigation, so an entity that sits on strong evidence of a breach without reaching a determination takes on enforcement risk; the conservative start date is the day you had reasonable grounds to conclude a breach occurred. Two provisions affect timing:
- Law enforcement delay—notification may be delayed at the request of a law enforcement agency that determines notification would impede a criminal investigation, and must then be made as soon as the agency determines notification will no longer compromise the investigation
- Scope and restoration—the statute allows the time necessary to determine the scope of the breach and restore the reasonable integrity of the data system, but this does not push individual notification past the 60th day after determination
For comparison, Florida's FIPA (§501.171) imposes a 30-day deadline, and New York shortened its SHIELD Act timeline to 30 days in December 2024, while California's general breach statute (Civ. Code §1798.82) still uses "most expedient time possible and without unreasonable delay" with no fixed outer limit. See our complete state-by-state comparison.
Attorney General Reporting
If a breach requires notifying 250 or more Texas residents, the business must also notify the Texas Attorney General as soon as practicable and no later than 30 days after determining that the breach occurred (§521.053(i), as amended by SB 768 in 2023). That is a shorter clock than the 60 days allowed for individual notices, so the AG filing usually has to go out before the consumer letters are finished. The notification must be submitted through the Texas AG's online data-breach reporting form and must include:
- A detailed description of the nature and circumstances of the breach
- The number of Texas residents affected
- The measures taken in response to the breach
- Any services being offered to affected individuals (e.g., credit monitoring)
- Contact information for the reporting entity
Note: Unlike California (which requires AG notification for 500+ residents), Texas has a lower threshold of 250 residents—meaning more breaches trigger AG reporting in Texas.
How to Notify Affected Individuals
Texas provides several acceptable methods of notification:
- Written notice sent to the last known address of the individual
- Electronic notice if consistent with federal E-SIGN Act requirements
- Substitute notice (if the cost exceeds $250,000, more than 500,000 people are affected, or the entity lacks sufficient contact information): requires email notification when available, conspicuous posting on the entity’s website, and notification to major statewide media
Chapter 521 does not prescribe the wording of the individual notice in detail, so most entities follow the content other states require: a description of what happened and when, the categories of sensitive personal information involved, the steps the entity has taken, the steps individuals can take, and contact information for the entity, the nationwide consumer reporting agencies, and the FTC. Separately, if more than 10,000 persons must be notified at one time, the entity must also notify each nationwide consumer reporting agency, without unreasonable delay, of the timing, distribution, and content of the notices (§521.053(h)).
Penalties for Non-Compliance
The Texas Attorney General can bring enforcement actions for failure to comply with the breach notification law. Penalties include:
- Civil penalties of $2,000 to $50,000 per violation of Chapter 521 (§521.151(a)), plus, for failure to take reasonable action to notify affected individuals, $100 per individual per day of delay, capped at $250,000 for a single breach (§521.151(a-1))
- Injunctive relief—the AG can seek court orders to compel compliance
- Deceptive trade practices—the AG routinely pleads Texas Deceptive Trade Practices Act claims alongside privacy statutes, so misleading statements about security practices, or about the breach itself, can create liability beyond Chapter 521
Beyond breach notification, the Texas AG has shown a willingness to pursue very large privacy enforcement actions. The $1.4 billion Meta settlement (2024) over facial-recognition data and the $1.375 billion Google settlement (2025) over location tracking, Incognito-mode browsing, and biometric data were both brought under the Capture or Use of Biometric Identifier Act (CUBI) and the Deceptive Trade Practices Act. Neither case relied on the TDPSA, which took effect after those suits were filed, but the pattern is the same one that applies to breach cases: the AG pairs the specific privacy statute with a DTPA claim about what the company told users.
For a complete overview of privacy enforcement penalties by state, see our state privacy law penalties guide or visit our enforcement actions tracker.
Texas vs. Other States: Breach Notification Comparison
| Requirement | Texas | California | Florida | New York |
|---|---|---|---|---|
| Notification Deadline | 60 days | Most expedient time possible (no fixed deadline) | 30 days | 30 days (since December 2024) |
| AG Notification Threshold | 250 residents (within 30 days) | 500 residents | 500 residents | All breaches (any size) |
| Private Right of Action | No (AG only) | Yes (CCPA §1798.150) | No | No |
| Maximum Penalty | $50,000/violation, plus up to $250,000 per breach for failure to notify | $7,500/violation (AG, intentional CCPA violations) | $500,000 per breach | Greater of $5,000 or $20 per failed notification, up to $250,000 |
| Encryption Safe Harbor | Yes | Yes | Yes | Yes |
Use our State Privacy Law Comparison Tool to compare additional dimensions across all 21 comprehensive state privacy laws.
Practical 60-Day Incident Response Plan
When a potential data breach is discovered, follow this timeline to ensure compliance with the Texas 60-day deadline:
Phase 1: Detection and Containment (Days 1–3)
- Isolate affected systems to prevent ongoing unauthorized access
- Preserve forensic evidence (logs, access records, affected data sets)
- Engage your incident response team and outside counsel
- Begin documenting the timeline of events
Phase 2: Investigation and Scope Assessment (Days 4–20)
- Conduct forensic analysis to determine the extent of the breach
- Identify all categories of personal information compromised
- Determine the number of Texas residents affected
- Assess whether data was encrypted and whether the encryption key was compromised
- Evaluate whether law enforcement notification is warranted (may delay consumer notification)
Phase 3: Notification Preparation (Days 21–40)
- Draft notification letters with all required content
- Prepare the AG notification if 250+ Texas residents are affected
- Arrange credit monitoring or identity theft protection services if appropriate
- Set up a dedicated call center or FAQ page for affected individuals
Phase 4: Notification Delivery (Days 41–55)
- Send individual notifications via mail or email
- Submit the AG notification through the Texas AG portal
- If using substitute notice, post to website and notify media outlets
- Verify delivery and document all notifications sent
Phase 5: Post-Notification and Remediation (Days 56–60+)
- Monitor for and respond to inquiries from affected individuals
- Implement measures to prevent similar breaches (patch vulnerabilities, update access controls)
- Conduct a lessons-learned review and update your incident response plan
- Consider engaging a third-party auditor to verify remediation
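The phases above reduce to a handful of threshold checks and date computations that are easy to get wrong under pressure. The following Python script is an added example, not code from the original article or from any Texas AG tool. It encodes the Chapter 521 rules as summarised on this page (name plus a qualifying element, the encryption safe harbor, the 60-day individual and 30-day AG deadlines, the 250, 10,000 and 500,000 thresholds) and takes the conservative, assumed reading that a law-enforcement hold pauses rather than resets the clocks. The Incident fields, the element labels and the sample incident are constructed for illustration and are not statutory terms.

```python
"""Chapter 521 breach-notification triage helper (added example, not official)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Data elements that, paired with first name/initial + last name, make the
# record "sensitive personal information" under Tex. Bus. & Com. Code §521.002.
# Labels are constructed for this example.
SPI_ELEMENTS = frozenset({
    "ssn", "drivers_license", "government_id",
    "financial_account_with_access_code", "health_information",
})


@dataclass
class Incident:
    determined_on: date                    # date the entity determined a breach occurred
    texas_residents: int                   # affected persons (assumed all Texas residents)
    data_elements: frozenset               # constructed labels, e.g. {"name", "ssn"}
    encrypted: bool = False
    key_compromised: bool = False          # did the attacker also obtain the key?
    le_hold_start: Optional[date] = None   # law-enforcement request to delay notice
    le_hold_end: Optional[date] = None     # date law enforcement cleared notice
    notice_cost_usd: float = 0.0           # estimated cost of individual notice
    contact_info_available: bool = True


def is_spi(elements: frozenset) -> bool:
    """Name plus at least one qualifying element."""
    return "name" in elements and bool(elements & SPI_ELEMENTS)


def notification_required(inc: Incident) -> bool:
    """Chapter 521 reaches only SPI that was unencrypted, or encrypted with a
    key the attacker also obtained (the encryption safe harbor)."""
    if not is_spi(inc.data_elements):
        return False
    return (not inc.encrypted) or inc.key_compromised


def law_enforcement_pause(inc: Incident) -> timedelta:
    """Days the clocks were paused at law-enforcement request.
    Assumption: the hold pauses the deadlines rather than restarting them."""
    if inc.le_hold_start and inc.le_hold_end and inc.le_hold_end > inc.le_hold_start:
        return inc.le_hold_end - inc.le_hold_start
    return timedelta(0)


def substitute_notice_permitted(inc: Incident) -> bool:
    """§521.053(f): cost over $250,000, more than 500,000 persons, or no contact info."""
    return (inc.notice_cost_usd > 250_000
            or inc.texas_residents > 500_000
            or not inc.contact_info_available)


def obligations(inc: Incident) -> dict:
    """Return which notices are owed and the calendar date each is due."""
    if not notification_required(inc):
        return {"notification_required": False}
    pause = law_enforcement_pause(inc)
    result = {
        "notification_required": True,
        # §521.053(b): individuals, no later than the 60th day after determination
        "individual_notice_by": inc.determined_on + timedelta(days=60) + pause,
        "substitute_notice_permitted": substitute_notice_permitted(inc),
    }
    if inc.texas_residents >= 250:
        # §521.053(i) as amended by SB 768 (2023): AG online form within 30 days
        result["ag_notice_by"] = inc.determined_on + timedelta(days=30) + pause
    if inc.texas_residents > 10_000:
        # §521.053(h): also tell the nationwide consumer reporting agencies
        result["notify_consumer_reporting_agencies"] = True
    return result


if __name__ == "__main__":
    # Constructed sample: 12,000 residents, names + SSNs in cleartext, and a
    # 10-day law-enforcement hold starting three days after determination.
    sample = Incident(
        determined_on=date(2026, 3, 2),
        texas_residents=12_000,
        data_elements=frozenset({"name", "ssn"}),
        le_hold_start=date(2026, 3, 5),
        le_hold_end=date(2026, 3, 15),
    )
    for key, value in obligations(sample).items():
        print(f"{key}: {value}")
```

Note that the AG deadline lands well before the individual deadline even with the hold applied; in practice the AG filing is the first external deadline an incident team hits, which is why the script reports it separately rather than folding it into the 60-day plan.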
Interaction with the Texas Data Privacy and Security Act (TDPSA)
The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, is a separate comprehensive privacy law that requires businesses to implement reasonable data security practices. While the TDPSA does not have its own breach notification provisions, a data breach may indicate a failure to maintain the “reasonable administrative, technical, and physical data security practices” required under §541.101. This means a single breach event could trigger both:
- Notification obligations under Chapter 521 (breach notification law)
- Enforcement action under TDPSA for inadequate data security
Use our Texas compliance checklist to ensure you meet both sets of requirements, or generate a customized privacy policy that covers both laws.
Key Steps for Texas Breach Notification Compliance
- Inventory your data—know what sensitive personal information you hold on Texas residents and where it’s stored
- Encrypt sensitive data—the safe harbor applies only if the key was not also acquired, so keep keys out of the environment that holds the data (a separate key-management service or HSM), restrict which identities can decrypt, and log key use so you can prove after an incident that the key was never accessed
- Prepare an incident response plan—have the 60-day timeline, templates, and contact information ready before a breach happens
- Know your AG reporting threshold—250 affected Texas residents triggers AG notification
- Document everything—maintain records of your investigation, decisions, and notifications in case of AG inquiry
- Train employees—ensure staff know how to recognize and report potential breaches immediately
- Review vendor contracts—Chapter 521 already requires a processor to notify the data owner immediately after discovering a breach; write that standard into the contract as a concrete number of hours and a named contact, so the processor's discovery does not silently consume your 60 days
Frequently Asked Questions
Does the 60-day deadline apply to all businesses?
Yes. Any person or business that conducts business in Texas and owns, licenses, or maintains computerized data containing sensitive personal information of Texas residents must comply with the 60-day deadline. There is no size exemption.
What if I discover a breach but determine no sensitive personal information was compromised?
If the breached data does not include sensitive personal information as defined by §521.002 (e.g., only names without Social Security numbers, financial account data, or health information), notification is not required under Chapter 521. However, you should still document your investigation and determination.
Can I delay notification if law enforcement asks me to?
Yes. If a law enforcement agency determines that notification would impede a criminal investigation, you may delay notification at that agency's request, and you must notify as soon as the agency determines notification will no longer compromise the investigation. The statute does not spell out how the delay interacts with the 60-day count, so treat it as a pause rather than a reset, and record the dates and source of both the request and the clearance.
Are there specific requirements for health-related data breaches?
Yes. If the breach involves protected health information covered by HIPAA or the Texas Medical Privacy Act (THIPA), additional notification requirements apply under Health & Safety Code §181.202, including notifying the Texas AG within 60 days regardless of the number of individuals affected.
What should I do if I’m unsure whether a breach occurred?
The law applies when there is "unauthorized acquisition" of computerized data that "compromises the security, confidentiality, or integrity" of sensitive personal information, including data reasonably believed to have been acquired. If you are unsure, investigate promptly and document what you find. The 60-day deadline runs from the date you determine a breach occurred, and delaying that determination without a defensible reason invites the AG to argue that you should have reached it earlier; stalling the investigation does not extend the deadline.
Use our DSAR Request Manager to track consumer data requests that may follow a breach, and our Deletion Request Generator to help affected individuals exercise their rights under the Texas TDPSA.
Last updated: April 1, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.