Texas recently amended its data breach notification law so that consumer notification obligations apply to any individual regardless of state of residence and regardless of whether a state has enacted a breach notification law. The law became effective June 14, 2013. Presently, any entity that conducts business in Texas must disclose any breach of security to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The amended law allows entities to report a breach under Texas law or under the law of an affected person’s state of residence. 

Texas previously amended its breach notification law in September 2012, and required businesses to provide notice to affected Texas residents and to non-residents if the non-residents lived in a state without a breach notification law. The amended law no longer specifically requires notification to residents of states that have not enacted breach notification laws, and instead applies to “any individual.” Businesses may even have an obligation to notify consumers living outside the United States, as the law does not specifically state that it applies only to U.S. residents.

The reporting obligations apply to any entity that “conducts business” in Texas and owns or licenses computerized data that includes sensitive personal information. The law itself does not provide any guidance on what is considered conducting business in Texas.

Lesson: Under the amended law, entities conducting business in Texas face new risks and extensive reporting requirements. In the event of a data breach, businesses may be required to notify affected residents of all fifty states, and quite possibly, residents of any country. Businesses, particularly those that maintain customer or health information, should be aware of this expansive law and be prepared to implement a nation-wide notification procedure.

Source: The relevant section of the law, entitled “Notification Required Following Breach of Security of Computerized Data,” is available at Section 521.053(b-1) of the Texas Business and Commerce Code.