Texas Data Breach Notification Laws: What Are Your Obligations?
For any business, regardless of the size, consumer confidence is vital for success in today's competitive world. However, what happens if your security is breached and personal and confidential information is stolen? You may have a legal obligation to provide your customers with a notification.
Admitting that your business has experienced a data breach can be embarrassing, but failing to notify your customers can be damaging to your reputation and your business's bottom line.
Texas recently joined California and Nevada as states to pass privacy legislation in an attempt to manage the data of its residents. Governor Greg Abbott signed the legislation, House Bill 4390, an amendment to the Texas Identity Theft Enforcement and Protection Act.
Texas and Data Breaches
Texas has been hit by over 600 data breaches since 2008 and ranks third among states with the most data breaches. The data breaches exposed nearly 300 million records, and the majority of the exposed records were from the Epsilon breach that occurred in 2011. It is not a surprise that a huge state like Texas with a significant number of internet and technology companies is ranked third in breaches. Notwithstanding, the state of Texas does consider consumer privacy a very serious matter.
Texas Identity Theft Enforcement and Protection Act
The Texas Identity Theft Enforcement and Protection Act (Code 521.001) applies to any person in the state who conducts business and "owns or licenses computerized data that holds sensitive personal information." Sensitive personal information includes unencrypted identifying information, and this includes the following:
- The customer's name
- Social Security Number
- Driver's License number
- Financial information (e.g., credit card information)
- Health care information
When changes to the Texas data breach notification law went into effect, any business that operates will have 60 days to disclose a data breach if the personal and confidential information of 250 or more Texas residents was impacted. In the past, the laws in Texas required a business to disclose any data breach to individuals whose confidential information was possibly acquired by an unauthorized person "as soon as possible."
A data breach is not limited to your computers and devices being hacked; the notifications required by the Act can also be triggered if a customer's financial information was stolen by an employee. The Act can also trigger the notification requirements if Customer A receives Customer B's information as a result of a coding error. If the data breach impacts over 10,000 individuals, the breach will need to be reported to consumer reporting agencies.
Data Breach Notifications
Businesses will need to be prepared to include a variety of information in their notification:
- A thorough description of the nature and circumstances of the breach, or the use of sensitive information that was obtained during the breach
- The number of residents impacted by the data breach
- The measures that were taken after the data breach
- The measures your business plans to take after the notification
- Any information regarding whether law enforcement officials will be engaged in the investigation process
Under HB 4390, an advisory council was created to study and develop data privacy legislation recommendations. The 2019 changes to data privacy legislation in the Lone Star State will likely impact the incident response plans of your Texas business that will be operating in 2021.
Texas Privacy Protection Advisory Council
HB 4390 also creates a Texas Privacy Protection Advisory Council. The advisory council is tasked with researching global data privacy laws and sharing recommendations for the Texas legislature to consider the next time the legislature convenes. The advisory council consists of a diverse group of 15 members with experience in a variety of disciplines and industries. The Advisory Council section of the law took effect in September 2019.
Penalties
Given the demand for creating a detailed notification timeline, any business in Texas that collects personal information should place high importance on creating a concise data security incident response plan. The penalties for failing to comply with the notification requirements can be steep. For every violation, Texas can impose a civil penalty of up to $50,000. In addition to the civil penalties, a penalty of up to $100 per individual applies for every person who did not receive a notification.
If you do not react properly to the data breach, you can expect to pay up to $250,000 in fines. While each individual may not be able to file a lawsuit in order to enforce the law and hold the business accountable, the Texas Attorney General can take steps to bring action to recover any penalties. The Attorney General can also seek an injunction and recover expenses, including:
- Court costs
- Fees for an attorney
- Investigatory costs
Taking Extra Precaution
If your business is responsible for safely holding the personal information of customers such as identifying information and financial information, it is critical that you take the extra precautions to ensure the data is secured at all times. Data protection and compliance have become a necessity for many businesses, regardless of the size. Compliance will only grow in importance in the future.
With so many factors to consider, it is important to take precautions and implement a security compliance strategy. Velocity IT can assist you in this transition. We provide managed IT services, network monitoring, cybersecurity services, and more to small businesses. If you ever experience a data breach, or if you suspect that one may have occurred but you are not sure what measures to take, we strongly recommend seeking the advice of an experienced MSP to help you avoid the pitfalls of insufficient responses.
Customers in a range of industries depend on you each and every day to properly handle their personal and confidential information. With a proven track record in providing IT services and a number of other technology services, we remain committed to leading the way in ensuring your business will be protected from data breaches.
Connect with Velocity IT today by calling us at (972) 996-6600 or completing our online form to have an experienced consultant contact you.