Texas: municipal breach notification
Texas HB 4390 sets a 60-day clock and requires AG notification for breaches affecting 250+ residents.
60 days to affected residents and AG (if >250 affected).
- Texas applies its statute to any entity holding Texas-resident data, regardless of where the entity is located.
- Notification must include the categories of information involved and the date range of the breach.
What this means for a Texas municipality
Small and mid-sized municipalities in Texas sit at the intersection of federal frameworks (CIRCIA, HIPAA where EMS or public-health clinics are in scope, CJIS for police records) and the state breach-notification statute enforced by the Texas Attorney General. The clock starts when your team has a reasonable belief that resident PII was acquired by an unauthorized party, not when the investigation finishes.
For a town under 100,000 residents, the practical question is rarely "do we have to notify?"; it's "what's the cleanest path that satisfies the Texas Attorney General, our cyber-insurance carrier, and our open-meeting obligations, in that order." The HackFirstAid triage walks through that decision tree; the matching playbooks include first-hour scripts that have already been screened against Texas's statute.
If you're a Texas clerk, CAO, IT director, or council member reading this during a live incident, open the free triage first. If you're reading it on a quiet Tuesday, it's also a tabletop exercise: most municipalities run it once before they need it, then once for real, six months later.
Tax, permits, utility billing, and court scheduling encrypted on the same morning.
Fraudulent wire instructions on a vendor payment or payroll change.
Vital records, property assessments, or business licenses exposed or altered.