What Is the Texas Data Breach Notification Law?
Texas's data breach notification law is formally called the Texas Identity Theft Enforcement and Protection Act (Texas Business & Commerce Code, Chapter 521). It requires any business that owns or licenses computerized data containing sensitive personal information of Texas residents to notify those residents — and in some cases the Texas Attorney General — if that data is breached.
The law has been on the books since 2005 and has been amended several times. The most significant recent update added the 72-hour Attorney General reporting requirement for large-scale breaches — making Texas one of the stricter states for breach notification timelines.
Here's the plain-English version: if your business gets hacked and customer or employee data is exposed, you have legal obligations that start ticking immediately. Ignoring them — or moving too slowly — can result in civil penalties on top of everything else you're already dealing with.
Important distinction: The Texas breach notification law and Texas SB 2610 are two separate laws with separate requirements. SB 2610 reduces your civil lawsuit exposure. The notification law governs what you must do after a breach. Both apply simultaneously.
Who Must Send Breach Notifications?
Unlike Texas SB 2610 (which only applies to businesses with fewer than 250 employees), the breach notification law has no size threshold. It applies to any person or business that:
- Owns or licenses computerized data that includes sensitive personal information
- Conducts business in Texas or whose data includes information about Texas residents
- Experiences a breach of system security — meaning unauthorized acquisition of the data
This means a solo-practitioner law firm, a 3-person dental office, a freelance accountant, and a 200-person manufacturer are all equally subject to the law if they hold sensitive personal information about Texas residents.
Third-party service providers who hold data on behalf of another business (like a payroll processor or cloud storage vendor) also have notification obligations — they must notify the business that owns the data, who then notifies the affected individuals.
What Triggers the Notification Requirement?
Not every security incident triggers the notification requirement. The law is triggered when there is a "breach of system security" — defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information.
The key word is "acquisition." If an attacker accessed your systems but there's no evidence they actually took the data, you may not be required to notify — but you should consult legal counsel before making that determination. When in doubt, notify.
Types of sensitive personal information covered:
Encryption exception: If the sensitive personal information was encrypted and the encryption key was not also compromised, the notification requirement may not apply. This is one of the strongest arguments for encrypting sensitive data at rest — it can eliminate your notification obligation in many breach scenarios.
The 72-Hour Rule — Texas AG Reporting
This is the part most businesses don't know about until it's too late. Texas law requires that if a breach affects 250 or more Texas residents, you must notify the Texas Attorney General within 72 hours of discovering the breach.
Note the trigger: discovering the breach — not completing your investigation. You don't need to know the full scope before reporting. You report what you know, when you know it, and update as your investigation progresses.
Common mistake: Many businesses wait until their forensic investigation is complete before notifying the AG. That's wrong. The 72-hour clock starts when you discover the breach — even if you don't yet know how many people are affected or what data was taken.
Your breach response timeline:
- Contain the incident — isolate affected systems
- Preserve evidence — do not wipe or reimage yet
- Activate your incident response plan
- Notify your IT provider or security team
- Determine what data was accessed or exfiltrated
- Identify which individuals are affected
- Determine if sensitive personal information was involved
- Engage legal counsel and cyber insurance carrier
- If 250+ Texans affected: notify TX Attorney General
- Submit via the AG's online breach reporting portal
- Include breach description, data types, and affected count
- Document the time and method of AG notification
- Send written notice to all affected Texas residents
- Include all required notice elements (see below)
- Use substitute notice if direct contact is impossible
- Document all notifications sent with dates
What Must the Breach Notice Include?
Texas law specifies what information must be included in the notice sent to affected individuals. A notice that omits required elements is not compliant — even if it was sent on time.
Your Identity
Name and contact information of the business that experienced the breach.
Date of the Breach
The date the breach occurred, or the approximate date range if the exact date is unknown.
Types of Data Exposed
A description of the categories of sensitive personal information that were or may have been acquired.
Steps Taken to Protect
A description of the steps the business has taken to protect individuals from further harm.
Contact Information
A toll-free number, email address, or website where affected individuals can get more information.
Credit Monitoring Info
Contact information for the major credit reporting agencies if financial data was involved.
How to deliver the notice: The law requires written notice — which can be delivered by mail, email (if the affected person has consented to electronic communications), or telephone. If you cannot reach affected individuals directly (for example, you don't have current contact information), you can use "substitute notice" — posting a notice on your website and notifying major statewide media.
Document everything. Keep records of when notices were sent, to whom, and by what method. If the AG investigates, you'll need to demonstrate that you notified affected individuals in a timely and complete manner.
When to Report to the Texas Attorney General
The AG reporting requirement applies when a breach affects 250 or more Texas residents. The report must be submitted within 72 hours of discovering the breach through the Texas AG's online breach reporting portal.
If you discover a breach and aren't yet sure how many people are affected, err on the side of reporting. You can submit an initial report with what you know and supplement it as your investigation progresses. Failing to report when required is a separate violation from the underlying breach.
- Fewer than 250 Texas residents affected: No AG report required. Must still notify affected individuals directly.
- 250 or more Texas residents affected: Must notify the Texas AG within 72 hours of discovery AND notify affected individuals.
- Number affected not yet known: Best practice is to report to the AG within 72 hours with available information and update as the investigation progresses.
Penalties for Non-Compliance
The Texas Attorney General enforces the breach notification law. Penalties are civil — there is no private right of action, meaning individual consumers cannot sue you directly for notification failures. But the AG can, and does, pursue enforcement actions.
- Standard Penalty: Up to $100/day per affected individual, per day of delay
- Maximum Per Breach: $250,000 cap on civil penalties per breach incident
- Intentional Violations: Up to $500,000 for knowing or intentional non-compliance
The AG can also seek injunctive relief (a court order requiring you to comply) and attorney's fees. In practice, the AG typically focuses enforcement on businesses that failed to notify at all, notified significantly late, or whose notification was materially incomplete.
These penalties are separate from — and in addition to — any civil lawsuit damages from affected individuals. A breach can simultaneously trigger AG enforcement penalties, class action lawsuits, and regulatory fines from federal agencies like HHS (for HIPAA) or the FTC.
How Texas SB 2610 Changes the Equation
Texas SB 2610 — the "Safe Harbor" law effective September 1, 2025 — doesn't eliminate your breach notification obligations. But it dramatically changes your legal exposure when a breach does occur.
Here's how the two laws interact in a real breach scenario:
Without SB 2610 compliance
- Must notify affected individuals (notification law)
- Must report to AG if 250+ affected (notification law)
- Face AG civil penalties for any notification delays
- Face civil lawsuits from affected individuals
- Exposed to punitive damages — potentially 2–3x actual damages
- No legal defense against the punishment layer of lawsuits
With SB 2610 compliance (documented program in place)
- Must notify affected individuals (notification law — same)
- Must report to AG if 250+ affected (notification law — same)
- Face AG civil penalties for any notification delays (same)
- Face civil lawsuits from affected individuals (same)
- Punitive damages BLOCKED by safe harbor defense
- Documented program demonstrates good-faith security effort
The bottom line: SB 2610 doesn't make a breach less painful — you still have to notify, still face AG scrutiny, still deal with lawsuits. But it removes the most financially devastating layer: the punitive damages that courts award to punish businesses for being reckless.
Your Breach Response Action Plan
The best time to build your breach response plan is before you need it. Here's what every Texas business should have in place right now:
Write a written incident response plan
Document who to call, what to do first, and how decisions get made. Include your legal counsel, IT provider, cyber insurance carrier, and PR contact. This plan is also required for SB 2610 compliance at the Tier 1 level.
Know your data inventory
You can't notify the right people if you don't know whose data you hold. Maintain a current inventory of what sensitive personal information you collect, where it's stored, and who has access to it.
Encrypt sensitive data at rest
Encryption can eliminate your notification obligation entirely if the breach involves encrypted data and the key wasn't compromised. This is one of the highest-ROI security investments you can make.
Establish legal counsel relationships now
Don't search for a privacy attorney at 2am after discovering a breach. Identify and retain counsel with data breach experience before you need them. They'll guide your notification decisions and AG communications.
Get cyber insurance
Cyber insurance typically covers breach notification costs, legal fees, credit monitoring for affected individuals, and PR costs. Many policies also include breach response services. Review your policy to understand what's covered.
Implement SB 2610 compliance
A documented cybersecurity program doesn't just reduce your breach risk — it gives you a legal defense against punitive damages if a breach does occur. For businesses with 20–99 employees, that means CIS Controls IG1.
The Bottom Line
Texas's breach notification law is not optional, not size-dependent, and not forgiving of delays. If you hold sensitive personal information about Texas residents — and most businesses do — you have legal obligations that activate the moment you discover a breach.
The 72-hour AG reporting deadline is the part that catches most businesses off guard. It's not 72 hours after your investigation is complete. It's 72 hours after you discover the breach. That means your incident response plan, your legal counsel relationship, and your data inventory all need to be in place before anything goes wrong.
Texas SB 2610 doesn't change your notification obligations — but it does change what happens in the lawsuit that follows. A documented cybersecurity program blocks the punitive damages that can turn a manageable breach into a business-ending event.
The two laws work together: the notification law tells you what to do after a breach. SB 2610 tells you what to do before one. Both matter. Neither is optional.
Reduce Your Breach Exposure Before It Happens
Segler.Net helps Texas small businesses implement the cybersecurity programs required for SB 2610 safe harbor — so when a breach occurs, you're protected from the punitive damages that can turn a bad day into a catastrophe.