This week, the much talked-about amendments to Texas’s breach notice statute took effect. We previously blogged about these amendments, which are unprecedented in scope. With the amendments, the Texas statute now requires entities doing business in Texas to notify “any individual” whose “sensitive personal information” is acquired in a breach (unless the information is encrypted). The statute makes clear that the “individuals” who must be notified include not only Texas residents but also “residents . . . [of] another state that does not require [the breached entity] to notify the individual of a breach.” This provision appears intended to require notice to be provided to affected residents of the four states without breach notice laws: Alabama, Kentucky, New Mexico and South Dakota.
No other state breach notice statute purports to require notice to out-of-state residents. This feature alone renders the amendments unprecedented, but, as our previous post noted, the statute might be construed to require notice to non-residents even in states that have breach notice laws.
Connecticut also recently amended its breach notice law. Under the amended version of the statute (which takes effect on October 1, 2012), entities that are required to notify Connecticut residents of a data breach must also notify the Connecticut Attorney General. Notably, the Attorney General must be notified “not later than the time when notice is provided to the resident.” Connecticut joins more than a dozen other states that have regulator notice requirements.