
A quiet update to Texas state law has changed the rules for any business that holds personal information about customers, employees, or vendors. The Texas Identity Theft Enforcement and Protection Act now requires faster, more specific breach notifications — and the businesses that get caught flat-footed are the small ones who never read the original law to begin with.
If you're operating in La Porte, Pasadena, or anywhere along the Houston Ship Channel where chemical, industrial, and professional-services firms cluster, here's what you need to know.
What changed in 2025-2026
Texas's updates tightened three areas. First, the definition of "personal information" expanded — biometric data and health-related identifiers are now squarely covered. Second, the notification window for affected individuals tightened. Third, the threshold for notifying the Texas Attorney General dropped, meaning more breaches now require state-level notification.
The federal layer hasn't disappeared either. HIPAA, FTC, SEC, and sector-specific rules still apply on top.
Who has to notify whom, and when
If you suffer a breach affecting Texas residents:
- Individuals: notify without unreasonable delay, and in any case within 60 days of discovery. Many sectors operate on a tighter 72-hour internal clock for the discovery-to-decision step.
- Texas Attorney General: required when 250 or more Texas residents are affected. The threshold used to be higher.
- Consumer reporting agencies: when more than 10,000 Texans are affected.
- Federal regulators: per your sector (HHS for healthcare, FTC for many consumer-facing businesses, SEC for public companies and many investment advisors).
If your business contracts with energy operators, you may also have contractual notification obligations to them within 24 hours — check your vendor agreements.
The 72-hour clock breakdown
You discover something at 9am on Monday. What happens next?
- Hour 0–4: contain. Isolate affected systems. Don't power down (that destroys volatile forensic evidence such as memory contents and active connections) — disconnect from the network instead.
- Hour 4–12: assemble the team. Owner, IT, legal counsel, cyber insurer, possibly outside forensics.
- Hour 12–24: scope. What systems? What data? How many records? Whose data?
- Hour 24–48: notify your insurer and any contractually-obligated customers (operators, partners). Begin drafting individual notifications.
- Hour 48–72: finalize legal review. Begin the 60-day notification clock for individuals.
If you don't have a written incident response plan with names and phone numbers, you'll burn the first 24 hours just figuring out who to call.
A 5-step response template
- Detect and contain. Isolate. Preserve evidence. Don't try to "clean it up" before the forensics team sees it.
- Assess. What data was potentially exposed? Whose? Where do those individuals live?
- Notify partners. Insurance carrier first. Then any contractually-bound operators or customers. Then law enforcement if appropriate.
- Notify individuals and regulators. Within the statutory windows, with the language your attorney approves.
- Remediate and document. Close the vulnerability. Document everything. Update the incident response plan based on lessons learned.
What La Porte and Pasadena businesses should do now
Before any breach happens:
- Map what personal information you actually hold, where it lives, and who has access.
- Write the incident response plan. Names, phone numbers, escalation order.
- Verify your cyber insurance covers breach response — not just data loss.
- Implement basic controls that reduce breach probability (multi-factor authentication, endpoint detection and response, email filtering, tested backups).
- Train every employee on what to do if they see something suspicious. The first hour matters.
If any of these are gaps, we help La Porte and Pasadena small businesses close them — without enterprise pricing. Book a free discovery call and we'll walk through your current posture.
Aspendora Technologies has been a La Porte-based managed IT services and cybersecurity partner for Houston-area small businesses since 2010.
