Effective January 1, 2020, the Texas legislature will impose new notification requirements on businesses that maintain personal information of customers. House Bill 4390 amends the Texas Identity Theft Enforcement and Protection Act by requiring that Texas residents be notified of a data security breach within sixty (60) days of the determination that a breach has occurred. A “breach of system security” is defined as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data.” This Amendment marks a substantial departure from section 521.053(b) of the former law, which only required that businesses notify impacted individuals “as quickly as possible” − in effect allowing businesses greater flexibility in reporting a given data security incident.
Additionally, if a breach impacts more than 250 Texas residents, the business responsible for maintaining the sensitive personal information must provide notice of the incident to the Texas Attorney General within the same 60-day time period that governs notification of Texas residents.
The notification to the Texas Attorney General must include the following information:
- A detailed description of the breach or the use of sensitive information acquired during the breach
- The number of Texas residents affected
- Measures taken to date regarding the breach
- Any measures that will be taken in the future regarding the breach
- An indication of whether law enforcement has been notified.
Despite placing increased notification requirements on businesses harboring sensitive personal information, the new bill brings Texas more in line with breach notification laws previously implemented around the country. House Bill 4390 also creates the Texas Privacy Protection Advisory Council, which is tasked with studying various data security laws domestically and abroad to prepare recommendations for statutory changes to the Texas legislature prior to the next legislative session beginning on January 12, 2021.
Given the imposition of a defined notification timeline, all businesses that collect personal information from individuals in Texas should place renewed importance on establishing a clear and concise data security incident response plan that is circulated to the necessary personnel. Failure to comply with notification requirements could result in civil penalties of up to $100 per person or $250,000. Whether this Amendment simultaneously results in an increase of activity at the office of the Texas Attorney General remains to be seen.
Authors
Gregory Bautista, Partner
Gregory Bautista, as co-chair of Wilson Elser’s Cybersecurity & Data Privacy practice and a member of the Information Governance Leadership Committee, has embraced the concept of information governance, which melds the disciplines that exist in all businesses into a powerful enterprise-wide strategy. Greg is an experienced civil litigator with a focus on data breach response and e-discovery matters and has earned the designation of U.S. Certified Information Privacy Professional (CIPP/US) from the International Association of Privacy Professionals (IAPP). He is keenly aware of the growing importance of helping clients to develop and implement data security risk management measures related to the receipt and use of highly sensitive and confidential data.
Amanda N. Harvey, Partner
Amanda Harvey has more than a decade of experience handling complex and diverse litigation, representing individuals, companies and professionals at all levels in the Texas courts. Her practice has been devoted primarily to commercial litigation, catastrophic injury, cyber security, employment and labor, and premises and product liability cases. She is licensed to practice law in Texas and California, and has practiced pro hac vice in numerous jurisdictions where clients seek trial representation.
William Douglas Sanders, Associate
William Sanders practices in all aspects of active litigation and has tried more than 25 cases to verdict. Through his extensive experience, William has become adept at motion practice, depositions and negotiating favorable settlements on behalf of his clients.
During law school, William clerked with the Honorable Judge Craig Smith in the 192nd Civil District Court in Dallas County. He has obtained a number of successful personal injury verdicts brought against defendants, concentrating his practice in personal injury as well as toxic tort matters.