Does your business have this digital information about other people?
1. last name + first name or first initial +
   - social security number, driver’s license number, or other government issued identification, or
   - account or card numbers + access codes,
2. information that identifies an individual + concerns a health condition or healthcare
If you answered “yes” to either of those two questions, your business is at risk of a data breach.
That information is called “Sensitive Personal Information” (SPI) under Texas law. If that SPI is taken, accessed, or its confidentiality or integrity is compromised, your business must give proper notification to all of the individual data subjects whose SPI was compromised. Because that SPI is entrusted to your business for safekeeping, a compromise can be something as simple as one of your employees taking copies of the SPI with her when she leaves to go work for a competitor: that SPI is no longer secure within your business, but is now disclosed to another business.
The penalty for failing to notify the data subjects of the breach is up to $100.00 per individual per day for the time the notification is delayed but cannot exceed $250,000 for a single breach.
If the SPI is encrypted, however, there is no data breach unless the one who obtains the SPI has access to the decryption key.
You can read more about Texas’ Data Breach Notification Law in this post and in the text of the actual statute, which is titled “Notification Required Following Breach of Security of Computerized Data” and is found at Section 521.053 of the Texas Business and Commerce Code.
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Privacy Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.