Texas Attorney General Greg Abbott recently sued CVS Corp, alleging pharmacy employees dumped credit card numbers, medical information, and other sensitive customer data into a dumpster of a closed store location. Abbott accused CVS of violating the 2005 Identity Theft Enforcement and Protection Act (“ITEPA”). Tex. Bus. & Com. Code §48.001 et seq.
The ITEPA requires businesses to implement reasonable procedures to protect and safeguard sensitive “personal information” collected or maintained by the business in the regular course of business from unlawful use or disclosure. Businesses are required to destroy this information through shredding, erasing, or other means of making the personal information unreadable or undecipherable through any means. Personal information includes an individual’s first name or first initial and last name in combination with any of the following, if the name and the items are not encrypted: (1) social security number; (2) driver’s license number or government-issued identification number; or (3) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; but does not include publicly available information that is lawfully made available to the general public from the federal government or a state or local government. Furthermore, if someone gains unauthorized access to computerized data and compromises the security, confidentiality, or integrity of sensitive personal information maintained by the business, the business must disclose the breach of system security.