ATTORNEY PUBLICATIONS
Tex. Bus. & Com. Code §§ 521.002, 521.053
Acts 2007, 80th Leg., ch. 885, § 2.01.
Amended by Acts 2009, 81st Leg., ch. 419, § 3
Effective April 1, 2009
Acts 2011, 82nd Leg., ch. 1126, § 14 (H.B. No. 300)
Effective Sept. 1, 2012
S.B. 1610 (signed into law June 14, 2013)
Effective June 14, 2013
Application. A person (Entity) that conducts business in TX and owns or licenses computerized data that includes sensitive PI.
The provisions governing maintenance of sensitive PI that the Entity does not own appear applicable to any Entity maintaining PI, whether or not the Entity conducts business in TX.
Security Breach Definition. Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive PI maintained by an Entity, including data that is encrypted if the person accessing the data has the key required to decrypt the data.
Good-faith acquisition of sensitive PI by an employee or agent of the Entity for the purposes of the Entity is not a breach of system security unless the sensitive PI is used or disclosed by the person in an unauthorized manner.
Notification Obligation. Any Entity to which the statute applies shall disclose any breach of system security, after discovering or receiving notification of the breach, to any person, including nonresidents, whose sensitive PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Notification to Consumer Reporting Agencies. If an Entity is required by this section to notify at one time more than 10,000 persons of a breach of system security, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers on a nationwide basis of the timing, distribution, and content of the notices.
Third-Party Data Notification. Any Entity that maintains computerized data that includes sensitive PI that the Entity does not own shall notify the owner or license holder of the information of any breach of system security immediately after discovering the breach, if the sensitive PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Timing of Notification. The disclosure shall be made as quickly as possible, consistent with the legitimate needs of law enforcement or as necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Sensitive Personal Information Definition. An individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
Social Security Number;
Driver license number or government-issued ID number; or
Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
Sensitive PI also includes information that identifies an individual and relates to:
The physical or mental health or condition of the individual;
The provision of health care to the individual; or
Payment for the provision of health care to the individual.
Sensitive PI does not include publicly available information that is lawfully made available to the general public from the federal government or a state or local government.
Notice Required. Notice may be provided by one of the following methods:
Written notice at the last known address of the individual; or
Electronic notice, if the notice is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
However, if the affected person is a resident of a state that has its own breach notification requirement, the Entity may provide notice under that state’s law or under Texas’s law.
Substitute Notice Available. If the Entity demonstrates that the cost of providing notice would exceed $250,000, the number of affected persons exceeds 500,000, or the Entity does not have sufficient contact information, the notice may be given by any of the following:
Email notice when the Entity has an email address for the affected persons;
Conspicuous posting of the notice on the Entity’s Web site; or
Notice published in or broadcast on major statewide media.
Exception: Own Notification Policy. An Entity that maintains its own notification procedures as part of an information security policy for the treatment of sensitive PI that complies with the timing requirements for notice under this section complies with this section if the Entity notifies affected persons in accordance with that policy.
Other Key Provisions:
Delay for Law Enforcement. An Entity may delay providing notice as required at the request of a law enforcement agency that determines that the notification will impede a criminal investigation. The required notification shall be made as soon as the law enforcement agency determines that the required notice will not compromise the investigation.
AG Enforcement.Remedies include injunctive relief and civil penalties of at least $2,000 but not more than $50,000 for each violation.
Civil penalties for failure to comply with notification requirements are raised to up to $100 per person to whom notification is due, per day, not to exceed $250,000 per breach.