Gregory Bautista and William Douglas Sanders of Wilson Elser Moskowitz Edelman & Dicker LLP write:

Effective January 1, 2020, the Texas legislature will impose new notification requirements on businesses that maintain personal information of customers. House Bill 4390 amends the Texas Identity Theft Enforcement and Protection Act by requiring that Texas residents be notified of a data security breach within sixty (60) days of the determination that a breach has occurred. A “breach of system security” is defined as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.” This Amendment marks a substantial departure from section 521.053(b) of the former law, which only required that businesses notify impacted individuals “as quickly as possible” − in effect allowing businesses greater flexibility in reporting a given data security incident.

Read more on The National Law Review.