In a novel approach to data breach notification requirements, Texas has amended its breach notification law (Business & Commerce Code, Section 521.053) to require notification to residents of not only Texas, but to residents of each of the 50 states. The amendment becomes effective September 1, 2012, and applies to “all persons who conduct business in the state,” without further defining what “conducting business” would entail.
The law was amended to require notification of a breach of system security to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. A review of the amendment reflects the legislature’s intent to expand the notification requirement by its deletion of the language “resident of this state” from the current data breach notification law.
This law has obvious far-reaching import for residents of the four states which do not currently maintain data breach notification laws (Alabama, Kentucky, New Mexico, and South Dakota). Under Texas’ law, residents of these states whose personal information is owned, licensed or maintained by a business/employer subject to Texas law would now receive notification of a breach of their personal information.
Additionally, Texas’ breach notification law does not include a “risk of harm trigger.” A number of state data breach notification laws only require notification where illegal use of the breached personal information has occurred, or is reasonably likely to occur, and that use creates a risk of harm to a person. However, under Texas’ law, notification is required upon acquisition alone, without regard to a risk of harm. While Texas’ amended law appears to include some limiting language on its application to states that have their own breach notification laws, as worded, it is unclear whether this would include states whose risk of harm trigger would not require notification. Accordingly, for those entities which conduct business in Texas, notification of those affected may be required even if the individual’s home state would not have required notice in the case of low-risk breaches.
The amendment also adds civil penalties for any person who fails to take reasonable actions to comply with the notification requirements. These penalties are compounded by the number of individuals who are not notified and for each consecutive day notification is not provided, resulting in a maximum fine of $250,000. Additionally, the amendment makes a violation a misdemeanor, unless the breached information is protected by HIPAA, which would elevate the violation to a felony.
Companies, especially those that maintain vast amounts of personal information for persons in multiple states, must be aware of the various state laws which potentially impact their business and of amendments like those highlighted above. See also recent amendments to the breach notification statutes in California and Illinois.