M-F 8:00AM TO 5:30PM CST
Better coverage. Better price.

Texas Data Breach Laws: Fines and Notification Requirements

Texas's Identity Theft Enforcement and Protection Act requires any entity conducting business in the Lone Star state to inform its customers when their data is compromised in a data breach. Businesses can be fined up to $250,000 for data breaches. For larger data breaches (those involving more than 10,000 consumers), a business has to inform consumer reporting agencies as well.

Name of Law / Statute

Identity Theft Enforcement and Protection Act

Definition of Protected Information

Combination of (1) name or other identifying info, PLUS (2) one or more of these "data" elements: SSN; driver's license number; or account number, credit card number, debit card number if accompanied by PIN, password, or access codes, PLUS + mother’s maiden name, telecommunication access device and unique biometric data, health and medical info (incl. mental condition), and health payment history

Who Is Subject to Law?

Any person or business conducting business in the state who licenses or owns PI

Notification of Consumers?


By what means?

Written or electronic; if >10k residents, must notify consumer reporting agencies

Substitute Notice Threshold?

If cost of notice >$250,000 or involves >500k residents

Notification of authorities / regulators required?


By what means?


Regulatory Fines

$100/person/day, up to $250k/breach

Credit monitoring requirement?


Private lawsuits allowed?


Private damages cap?


Regulatory actions allowed?


HIPAA Compliance exemption?


Other  (e.g., timeframe)

Law does not apply if PI was encrypted (unless encryption was compromised)

Link to complete law

Texas' data breach law

Read the full text of Texas’s data breach law to learn more.

70% of businesses raise prices or cut hiring when sued