Texas’ Amended Data Breach Notification Law

Texas amended its existing data breach notification law which became effective on September 1, 2012. The relevant section of the law is titled “Notification Required Following Breach of Security of Computerized Data” and is found at Section 521.053 of the Texas Business and Commerce Code. The main body of the law provides as follows:

(b)  A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  The disclosure shall be made as quickly as possible, except as provided by Subsection (d) or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

What is a “breach of system security”?

The law defines “breach of system security” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.”

What is “sensitive personal information”?

The law has a fairly detailed definition of “sensitive personal information” that should be read carefully. A couple of general points will provide an overview of what is and is not protected:

  • Information that is lawfully made available to the public from a federal, state, or local governmental body is not considered sensitive personal information
  • Sensitive personal information does include “an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name in the items are not encrypted:” Social Security number, driver’s license number or other government issued identification number, account or card numbers in combination with the required access or security codes
  • Also included is information that at that identifies an individual and is related to their health condition, provision of healthcare, or payment for healthcare

Who does the law apply to?

The law applies to any person (which includes entities) who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information.

Who must be notified?

The law requires notification to “any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.” This is an incredibly broad class of individuals that is certainly not limited to only Texas citizens and, quite possibly, is not even limited to citizens of the United States.

When must the notification be given?

The notification must be given as quickly as possible after it has been determined that an individual’s sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. However, the notification may be delayed as necessary to determine the scope of the breach and restore the reasonable integrity of the data system or at the request of law enforcement to avoid compromising an investigation.

What is the penalty for failure notify?

Section 521.151 of the law provides for a penalty for failing to comply with this notification requirement is a civil penalty of up to $100.00 per individual per day for the delayed time but is not to exceed $250,000 for a single breach.

______________________

Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

11 Comments

  1. John Erickson

    Okay, maybe I’m over-analysing things here, but what happens if a “bad guy” gets your data, but it’s encrypted. Per your statement of “What is ‘a breach of system security’ “, it says that encrypted data is included “if the (bad guy – my term) possesses the key to decryption”. So, if the bad guy gets your data, but doesn’t have the key, is that NOT considered a breach? Thus, the bad guy is NOT guilty of a breach?
    Or am I getting too nit-picky? 🙂

    1. Shawn E. Tuma

      You are correct, if they do not have the encryption key, then while they may have physical possession of it they have no ability to access it or use it so it is not considered to be a data breach that requires breach notification under this law.

      1. John Erickson

        So, basically, if you want to steal data, make sure it’s encrypted, and do your code breaking on another machine. Sounds like a rather large loop-hole. It just scares me, knowing what I do about data security in some large companies. It’s been my experience that often the larger the company, the lazier the encryption, especially around “legacy” mainframe-originated systems.
        Thanks for the interpretation!

      2. Shawn E. Tuma

        It doesn’t give them a license to steal nor does it say that their stealing of the data is not illegal all this is saying is that, by their stealing encrypted data, a breach notification is not required because the data is encrypted and, without the encryption key, it is inaccessible (presumably). The whole focus of this is on data breach notification, there is much more out there on the impropriety of the taking of the data … they wouldn’t want to do that either!

      3. John Erickson

        Good point. It just concerns me, knowing what I do about how some large data processing firms are rather cavalier about security – especially at the internet/mainframe nexus.
        Thanks!

      4. Shawn E. Tuma

        John, you are right but it’s not just large data processing firms that are cavalier about security … seems even the former head of our CIA wasn’t too careful with data either! The lack of respect for data is an epidemic!

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s