Since 2005, Texas law has required that businesses who have computer data breaches have a duty to report to consumers about those breaches, but the Texas Identity Theft Enforcement and Protection Act ("Identity Theft Act") (Texas Business and Commerce Code Sec. 521) has been amended in 2007, 2009, and 2011. Effective Sept. 1, 2012, the applicability of the Identity Theft Act has new burdens and consequences for cyber data security breaches.
Starting Sept. 1, 2012, if there is a breach of a security system which has sensitive, personal information, a disclosure to the individual affected "shall be made as quickly as possible" with certain exceptions to determine the scope of the breach. How to provide the means of notice is affected if the cost to give notice exceeds $250,000, the number of affected persons exceeds 500,000, or there is insufficient individual contact information. Also, if more than 10,000 persons are affected by a breach, then there is a requirement to notify consumer reporting agencies.
New remedies under the Identity Theft Act include a civil penalty of $100 for each individual to whom notification is due, but may not exceed $250,000. This is an increase from the old version of the Identity Theft Act which had a maximum penalty of $50,000. As well, the Texas Attorney General may seek civil remedies in a district court in Travis County, in the county where the violation occurred, or in the county where the victim resides.
Under the revised Identity Theft Act, notice of breach of secure computer data applied to any "person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security..." However it is not clear if the computer data must be in Texas and whether the laws apply to businesses in other states that have data of Texas citizens.
The duty to protect sensitive personal information includes this requirement: "A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business." However, the Identity Theft Act does not apply if the business is covered by the Fair Credit Reporting Act, a financial institution, or is a covered entity under the Insurance Code.
"Personal identifying information" is defined to include an individual's: (A) name, social security number, date of birth, or government issued identification number; (B) mother's maiden name; (C) unique biometric data, including the individual's fingerprint, voice print, and retina or iris image; (D) unique electronic identification number, address, or routing code; and (E) telecommunication access device as defined by Sec. 32.51, Penal Code.
Also defined in the Identity Theft Act is "sensitive personal information" which is not otherwise publicly available as follows: (A) an individual's first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted: (i) social security number; (ii) driver's license number or government issued identification number; or (iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or (B) information that identifies an individual and relates to: (i) the physical or mental health or condition of the individual; (ii) the provision of health care to the individual; or (iii) payment for the provision of health care to the individual.