Texas
Click here to review text of state statute (see Tex. Bus & Com. Code §521.002, et seq.) |
Information Covered / Important Definitions
Information covered:
Personal information of Texas residents.
(Texas uses the defined term “sensitive personal information.”)
Definition also includes: (i) information about physical or mental health or condition, (ii) the provision of health care to the individual, or (iii) the payment for the provision of health care to the individual.
Important definitions:
“Security Breach” means unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of sensitive personal information, including data that is encrypted if the person accessing the data has the key required to decrypt the data.
Covered Entities* / Third Party Recipients
Subject to statute:
Any person that conducts business in Texas and owns or licenses computerized data that includes sensitive personal information.
Third party recipients:
A person who maintains computerized data that includes sensitive personal information that the person does not own must notify the owner or license holder of the information of any security breach immediately following discovery of the breach.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach without unreasonable delay and within 60 days of the breach, unless a law enforcement agency determines that notice will impede an investigation (in which case notification is delayed until authorized by law enforcement).
- Texas statute allows entities from states other than Texas to provide notice to individuals under the other states’ law or under Texas law, provided the other state has regulations that require notification of a breach to affected persons.
- Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity has insufficient contact information.
Other obligations:
Any person that must notify more than 10,000 persons at one time of a security breach is also required to notify without unreasonable delay consumer reporting agencies.
Businesses are required to implement and maintain reasonable procedures and incident response plans to protect personal information.
Businesses are required to have data destruction security procedures for customer records containing personal information that use methods such as shredding, erasing or otherwise modifying the personal information to make it unreadable or indecipherable.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is encrypted.
Safe harbor not available if personal data is encrypted but the encryption key is compromised by security breach.
Other exemptions:
Exemption for good faith acquisition of sensitive personal information by an employee or agent of the covered entity for the purposes of the covered entity so long as the sensitive personal information is not used or disclosed in an unauthorized manner.
A person is deemed in compliance with the Texas statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Texas statute.
Notification to Regulator / Waiver
Attorney General must be notified if breach affects at least 250 residents:
Persons required to provide notice of a breach under this section must notify the Attorney General within 30 days (as of September 1, 2023) of discovery of the breach, if the breach affects at least 250 Texas residents. Notification must contain a description of the nature of the breach, number of residents affected, number of residents notified by mail or other direct method of communication at the time of notification, measures taken, future measures the person will take, and information regarding law enforcement investigation of the breach. As of September 1, 2023, the notification to the Attorney General must be electronic via the Attorney General’s website.
Penalties
Civil penalty of at least $2,000 but not more than $50,000 for each violation.
Failure to take reasonable corrective action to comply with the statute can result in additional penalties of $100 per individual per day of failed or delayed notification, not to exceed $250,000 for a single breach.
The Attorney General may also seek injunctive and other equitable relief, as well as reasonable expenses, including attorney’s fees, court costs, and investigatory costs.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by Attorney General only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute (see Tex. Bus & Com. Code §521.002, et seq.) |