Texas Now Publicly Posting Names Of Companies That Lose Personal Data In Cyberattack
DALLAS (CBSDFW.COM) - Texas has started publishing online the names of companies that have consumers' personal information stolen in cyberattacks.
On September 1, the Texas Attorney General's Office began publishing online data breaches that impact 250 Texans or more.
The company name, the type of personal information stolen, and how many Texans were affected will be listed on the state website for anyone to see.
According to the new law, notifications must be uploaded to the website within 30 days of being reported to the state.
Listings will remain in place for one year and then be removed, as long as the company does not suffer another data breach.
Under current Texas law, companies have 60 days from detection of a data breach to notify the state Attorney General.
"Companies are not going to be big fans of this," said Gary Davis, CEO of the Plano-based cybersecurity company, Intrusion. "I don't think they legislated it to make it harder for businesses. I think they did it because they want businesses to do the right thing. They want businesses to be responsible custodians of information."
Davis said people should periodically check the state list for companies they do business with.
If they do find a company they've provided personal information to, he suggests they 1) change their password, 2) actively monitor bank and credit card accounts, and 3) freeze their credit with all three credit bureaus.
In the past two years, the Texas Attorney General's Office said more than 31 million Texans have had their data compromised by a security breach.
This number is higher than the 29 million people who live in Texas, according to the U.S. Census Bureau – meaning on average every person in the state has had their personal information compromised in the past two years, and for many it's happened more than once.
The new state law also requires companies to provide additional information about a data breach to the Texas Attorney General.
That information includes a detailed description of the nature of the breach, measures taken to notify individuals affected, as well as measures taken to make sure it does not happen again.