Texas Personal Information Data Privacy Notification And Encryption Laws: Business and Commerce Code Chapter 521.
Under the Texas Identity Theft Enforcement and Protection Act (a link is provided at the end of this post), notification to customers is required if there is an information security breach of the customers’ computerized data. The notification must be done as quickly as possible. Safe harbor is provided if the sensitive data is protected with encryption, like AlertBoot’s endpoint security systems.
The newly amended law is effective from April 1, 2009.
Let’s start by exploring the penalties, to see what the ramifications of a data breach happen to be. (BTW, I’m not a lawyer, and this is not legal advice…but the law happens to be pretty clear.)
Penalties For Violating Texas’s Data Privacy Law
Subchapter D, which deals with remedies, states that there is a “civil penalty of at least $2,000 but not more than $50,000 for each violation.”
A company also has to deal with the fact that people affected by a breach must be notified (which could be viewed as a financial penalty in its own right; it certainly would be cheaper not to do so…not that I’m advocating it), which leads us to our next section.
When Must Texas Residents Be Notified?
Businesses in Texas must notify their clients of a data breach if it’s reasonable to assume that clients’ sensitive personal information was acquired by an unauthorized person (read: thief). This must be done as quickly as possible.
Notification may be delayed if law enforcement determines that such a notice will impede a criminal investigation.
Texas Breach Notification Requirements
Notice of a breach must be in the form of a written notice (or an electronic notice, if it’s given in accordance with 15 U.S.C. Section 7001).
If the cost of notification would exceed $250,000, or more than 500,000 people would have to be notified, substitute notice is allowed: e-mail can be used (assuming you’ve got their addresses), a conspicuous notice can be posted on the company’s website, or an announcement can be made in major statewide media.
Also, if more than 10,000 people were affected by the breach, consumer reporting agencies must be notified as well.
There are no statutory requirements on what must be included in a breach notification letter, so I guess it’s up to the company, its lawyers, and its PR department.
Safe Harbor And Personal Information Defined According To Texas Encryption Law – Business and Commerce Code Chapter 521
Under Section 521.002,
“‘Sensitive personal information’ means, subject to Subsection (b), an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted” [my emphasis]:
Social Security number
Government-issued identification number (including driver’s license)
Account or credit card numbers (including debit cards) with its security code or any other access codes
The definition does not extend to publicly available information, or to information that was obtained legally.
There is something to note here. If sensitive personal information, as defined above, happens to be encrypted (for example, a list of SSNs and names saved on a computer protected with whole disk encryption), then technically it’s not sensitive personal information anymore.
I’ve noticed that many states provide safe harbor for encrypted data in this roundabout manner, where encrypted information is, from a legal perspective, excluded from the definition of sensitive information; hence, losing encrypted data is not a data breach, meaning notification is not necessary.
Also, note that losing names or just SSNs, for example, is not a breach. Of course, losing a list of SSNs without their corresponding names almost never happens, so it might be a moot point. However, by definition, the loss of credit card numbers without a list of names is also not a breach. Even if their passwords were included!
It’s the perfect opportunity for people who create fake credit cards and deplete bank ATMs: they’ve got fake cards with real numbers and passwords. Maybe the law should get updated on that…
Related Articles and Sites: