What to Do After a Cyberattack in Texas (2026)
Mitch Wolverton

If your business has been hacked, the first few hours are critical. The actions you take immediately after discovering a cyber incident influence how far attackers spread, how much data is lost, how quickly operations recover, and whether legal notification requirements under Texas law apply.
This guide explains what to do after a cyberattack in Texas, including immediate containment steps, reporting options, recovery planning, and Texas’s data breach notification expectations for organizations.
What to Do After a Cyberattack in Texas
Whether your organization is facing ransomware, unauthorized access, business email compromise, or suspected data theft, knowing what to do after a cyberattack in Texas can reduce downtime, protect sensitive information, and limit regulatory exposure.
Follow the structured steps below to regain control quickly and responsibly.
Step 1: Confirm the Incident and Start an Incident Log Immediately
Cyberattacks commonly appear through:
- Ransomware notes, encrypted files, or locked systems
- Unauthorized password resets or suspicious login alerts
- Unexpected multi-factor authentication prompts
- Fraudulent invoices or payment change requests
- Disabled security tools or new administrator accounts
- Unusual outbound network activity
Begin documenting right away:
- Time of discovery
- Systems and users impacted
- Screenshots of alerts or ransom notes
- Employee reports of suspicious activity
- All response actions taken
Accurate documentation supports investigations, cyber insurance claims, and compliance obligations under the Texas Identity Theft Enforcement and Protection Act (TITEPA, Tex. Bus. & Com. Code §§ 521.002, 521.053, 521.151) and the Texas Data Privacy and Security Act (TDPSA).
Step 2: Contain the Threat While Preserving Evidence
Recommended actions:
- Disconnect compromised machines from the network
- Disable affected user and administrator accounts
- Block malicious IP addresses and domains
- Preserve logs, suspicious emails, and ransom notes
The ransomware response guidance from the Cybersecurity and Infrastructure Security Agency (CISA) emphasizes isolating systems while keeping forensic artifacts for investigation and recovery.
Avoid wiping systems until the full scope of compromise is confirmed.
Step 3: Secure Backups Before Attackers Reach Them
Immediately:
- Verify backups are isolated or offline
- Pause backup jobs if compromise is suspected
- Rotate backup administrator credentials
- Confirm clean restore points exist
If your organization carries cyber insurance, notify the provider promptly. PivIT Strategy’s Advanced Cybersecurity Services team can help assess backup integrity and ensure recovery options remain protected.
Step 4: Lock Down Email, Identity, and Financial Systems
Email security priorities
- Reset global and delegated administrator accounts
- Enforce multi-factor authentication across all users
- Review forwarding rules and third-party app access
- Remove suspicious sessions and devices
Identity and endpoint protection
- Force password resets organization wide
- Confirm endpoint security tools are active
- Patch exposed systems and remote access services
Financial controls
- Freeze payment instruction changes temporarily
- Verify vendor requests by phone
- Review recent wire and ACH activity
Step 5: Report the Incident and Seek Professional Support
Federal reporting
The FBI encourages cybercrime victims to submit reports through IC3 and advises against paying ransomware demands.
Texas Attorney General – two separate deadlines
Texas has two distinct reporting obligations after a breach:
- Individual notification — Within 60 days of determining a breach occurred (not just discovery), notify all affected individuals whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person.
- AG notification — 30-day window — When 250 or more Texas residents are affected, the organization must notify the Texas AG as soon as practicable and no later than 30 days after determining the breach occurred. This AG deadline is separate from and shorter than the 60-day individual notification window. Notification must be submitted electronically using the Texas Data Breach Report form.
Consumer reporting agencies
If more than 10,000 Texas residents are affected, all nationwide consumer reporting agencies must also be notified without unreasonable delay.
At this stage, many Texas organizations engage PivIT Strategy’s Managed IT Services team to manage response, investigation, and restoration.
Step 6: Understand Texas Data Breach Notification Requirements
Key obligations under TITEPA:
- 60-day individual notification deadline — From the date the organization determines the breach occurred (not discovery). Unlike many states, Texas starts the clock at determination, not discovery.
- No harm threshold — Texas has no harm threshold. Any unauthorized acquisition of sensitive personal information triggers notification.
- 30-day AG notification — Separate, shorter deadline for the AG notice when 250+ residents are affected. The AG notice must include: a detailed description of the breach; the number of residents affected at time of filing; measures taken and planned; and whether law enforcement is investigating.
- Consumer reporting agencies at 10,000+ — One of the highest credit bureau notification thresholds in the country.
- Broad PI coverage — Texas’s “sensitive personal information” covers: SSNs, driver’s license numbers, financial account numbers, medical/health information, and information relating to minors.
- Mandatory reasonable safeguards — TITEPA requires organizations to implement and maintain reasonable procedures and practices to protect sensitive personal information from unlawful use or disclosure.
- Data disposal obligation — Texas requires organizations to dispose of records containing personal information in a manner that renders the information unreadable or indecipherable.
- New safe harbor — SB 2610 (2025) — Texas Senate Bill 2610, signed June 2025, provides immunity from exemplary (punitive) damages in data breach lawsuits for organizations that implement a written cybersecurity program aligned with an industry-recognized framework. This makes Texas the 6th state to enact such a safe harbor. Organizations are still liable for actual damages.
- Texas Data Privacy and Security Act (TDPSA) — Texas’s comprehensive privacy law imposes additional obligations for businesses processing personal data of Texas residents, including privacy notices, consumer rights, and data protection assessments.
- Penalties — Up to $50,000 per violation, plus up to $100 per affected individual per day for failure to notify, capped at $250,000 per breach.
For more, see our guide to Texas Cybersecurity Laws You Should Know (2026).
Step 7: Communicate Clearly and Carefully
Internal communication
- Share verified information only
- Provide official password reset instructions
- Warn employees about attacker outreach attempts
- Centralize incident communications
External communication
- Use alternate channels if email is compromised
- Alert vendors of possible fraud risk
- Coordinate customer communications with legal guidance
Step 8: Recover Systems and Strengthen Defenses
Typical recovery efforts include:
- Forensic timeline analysis
- Rebuilding compromised systems
- Organization-wide credential resets
- Multi-factor authentication implementation
- Network segmentation improvements
- Backup isolation enhancements
- Advanced endpoint and email monitoring
Texas’s new SB 2610 safe harbor ties post-incident security investment directly to legal protection: organizations with documented, framework-aligned cybersecurity programs gain immunity from punitive damages.
PivIT Strategy’s IT Consulting Services can help Texas organizations build a post-incident security roadmap and document the cybersecurity program needed for safe harbor protection. Our Fractional CIO Services provide executive-level guidance without the cost of a full-time hire.
How PivIT Strategy Helps Texas Businesses After a Cyberattack
Contact us to speak with our team about containment, recovery, and long-term protection.
Final Checklist: What to Do After a Cyberattack in Texas
- Start an incident log
- Isolate affected systems and disable compromised accounts
- Secure backups
- Lock down email, identity, and financial systems
- Report to FBI IC3
- Notify affected individuals within 60 days of determination (no harm threshold)
- Notify the Texas AG within 30 days of determination if 250+ residents are affected (separate deadline)
- Notify consumer reporting agencies if 10,000+ residents are affected
- Document cybersecurity program to establish SB 2610 punitive damages safe harbor
- Recover systems and strengthen security
Frequently Asked Questions
What are Texas’s two separate notification deadlines? 60 days from determination to notify individuals; 30 days from determination to notify the AG (when 250+ residents are affected). These are independent clocks running simultaneously.
Does Texas have a harm threshold? No, any qualifying unauthorized acquisition of sensitive personal information triggers notification.
What is the SB 2610 safe harbor? A 2025 law providing immunity from punitive/exemplary damages in breach lawsuits for organizations with documented, framework-aligned cybersecurity programs.
Should a ransom be paid? Law enforcement discourages paying ransoms because recovery is not guaranteed.
Disclaimer: This article is for informational purposes only and does not constitute legal advice.
Mitch Wolverton
Mitch, Marketing Manager at PivIT Strategy, brings many years of marketing and content creation experience to the company. He began his career as a content writer and strategist, honing his skills on some of the industry’s largest websites, before advancing to specialize in SEO and digital marketing at PivIT Strategy.
