Does your business have this digital information about other people?
1. last name + first name or first initial +
social security number, driver’s license number, or other government issued identification, or
account or card numbers + access codes,
2. information that identifies an individual + concerns a health condition or healthcare
If you answered “yes” to either of those two questions, your business is at risk of a data breach.
That information is called “Sensitive Personal Information” (SPI) under Texas law. If that SPI is taken, accessed, or its confidentiality or integrity is compromised, your business must give proper notification to all of the individual data subjects whose SPI was compromised. Because that SPI is entrusted to your business for safe keeping, a compromise can be something as simple as one of your employees taking copies of the SPI with her when she leaves to go work for a competitor, since that SPI is no longer secure within your business, but is now disclosed to another business.
The penalty for failing to notify the data subjects of the breach is up to $100.00 per individual per day for the time the notification is delayed but cannot exceed $250,000 for a single breach.
If the SPI is encrypted, however, there is no data breach unless the one who obtains the SPI has access to the decryption key.
You can read more about Texas’ Data Breach Notification Law in this post and the text of the actual statute titled “Notification Required Following Breach of Security of Computerized Data” and is found at Section 521.053 of the Texas Business and Commerce Code.
About the author
Shawn Tuma is a lawyer who is experienced in advising clients on digital business risk which includes complex digital information law and intellectual property issues. This includes things such as trade secrets litigation and misappropriation of trade secrets (under common law and the Texas Uniform Trade Secrets Act), unfair competition, and cyber crimes such as the Computer Fraud and Abuse Act; helping companies with data security issues from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, leading them through responses to a data breach, and litigating disputes that have arisen from data breaches. Shawn is a partner at BrittonTuma, a boutique business law firm with offices near the boarder of Frisco and Plano, Texas which is located minutes from the District Courts of Collin County, Texas and the Plano Court of the United States District Court, Eastern District of Texas. He represents clients in lawsuits across the Dallas / Fort Worth Metroplex including state and federal courts in Collin County, Denton County, Dallas County, and Tarrant County, which are all courts in which he regularly handles cases (as well as throughout the nation pro hac vice). Tuma regularly serves as a consultant to other lawyers on issues within his area of expertise and also serves as local counsel for attorneys with cases in the District Courts of Collin County, Texas, the United States District Court, Eastern District of Texas, and the United States District Court, Northern District of Texas.