At this point, everyone has their data breach nightmare story. Perhaps you thought you could leave your laptop in the car and run into the store for just a second, but then came out to find the laptop gone and your window smashed. Maybe the business’ servers went down for a few hours, only to come back online locked by international hackers looking to make a quick buck off the ransom. Or it may be related to a hidden line of installer code that leaks your saved passwords. If you don’t have a horror story yet, you’ve either been in business for less than a year, or you’ve already had a breach and just don’t know it yet.
In all of these scenarios, you may be able to explain away the need to notify your clients and the government of the breach. “The phone and laptop were locked with my biometric PIN!” you exclaim to your attorneys. These kinds of excuses are exactly what Texas is addressing with its updated privacy laws.
To understand the significance of these new Texas privacy laws, we must first review the current legal landscape and answer this question: “What are the required protocols currently in place when I suspect there has been a data breach?”
For a more general overview of data breaches, read "Cybersecurity in an Unsafe Market."
1. Your Duty to Your Clients
In Texas, a business must take reasonable measures to protect their clients' data. “A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.” Section 521.052 of the Texas Business Code.
What does this mean? A business should do what it can, within reason, to assure both their clients and themselves that confidential information is secure. Some common measures taken by businesses to protect their clients' information include:
- creating and maintain policies and procedures related to transferring and disposing of confidential client information
- confidentially shredding documents containing client information
- changing passwords every 30 days
- securing important electronics in secured and locked areas.
These physical and digital protections, among others, go a long way to fulfill your obligation to protect your clients’ information.
2. Is the Data Even Confidential?
More often than not, in the rush to notify clients of the breach, businesses will forget to stop and ask the most important question: "Does the data breach even involve confidential information?" Texas’ Legislature and the Texas Attorney General’s Office have increasingly erred on the side of protecting a person’s private identifying information when in the hands of a business owner. But although companies are collecting more and more personal data, this does not mean ALL information is protected.
To qualify as “sensitive personal information” that a business owner must report after a breach, the information must contain “an individual’s first name or first initial and last name” in combination with any or all of the following pieces of information:
- social security number
- driver’s license number or government identification number
- an account number or credit or debit card number in combination with any requested
- security code
- access code
- password that would permit access to an individual’ financial account.
Thus, if a business lost a list of driver’s license numbers without any associated names, that might not qualify as information that would need to be reported to the Texas government. However, if you lost a spreadsheet with first names, credit card numbers, and security codes, you most likely would need to notify the government.
If you notice a data breach, it is important to have an attorney assess what types of information were lost for government reporting purposes.
3. Notice of the Breach
Once it has been determined that “sensitive personal information” has been lost, and the information has been accessed and acquired by an authorized person, it is now time to notify your clients of the breach. Business owners have a duty to disclose the breach to affected clients “as quickly as possible” once the breach is discovered.
While there are no clear instructions on what the notification must contain, best practices dictate that your client should be made aware of the general circumstances of the incident, what specific information was taken, and the next steps you and the client will take in order to minimize the potential damage done to the client. To that end, there are many free services you can provide to data breach victims, and it is good business practice to offer and assist with such services like credit monitoring and credit reports.
Upcoming Changes to Texas Privacy Laws
Starting January 1, 2020, Texas’ notice requirements will change significantly along with how quickly Texas will be able to react to new privacy threats. Soon, business owners aware of data breaches must notify their affected clients within 60 days of the incident. This is a stark change from “as quickly as possible” and will speed up the notification process for business owners. The clock starts ticking the moment the breach is discovered, which means you have 60 days to find legal analysis, create the notice letter, and procure services to provide to affected clients.
Furthermore, business owners will have to notify the Texas Attorney General’s Office if the breach involves 250 or more Texas residents. Again, this must be done within the new 60 day window. However, the notification to the Attorney General’s office is much different than the one sent to the client as it MUST contain things like:
- a detailed description of the breach
- the number of Texas residents affected
- what the business is doing to resolve the issues
- and what the business owner is doing for its affected clients.
This requirement is brand-new and indicates that the Texas Attorney General’s office may potentially intervene in certain data breaches. After all, Texas has one of the most robust Consumer Protection departments in the United States.
Finally, Texas plans to establish The Texas Privacy Protection Advisory Council. Its role will be to review all of the privacy laws in Texas and make recommendations on how to strengthen the rules and regulations. It’s likely that Texas privacy laws will continue changing at alarming rates and will only increase a business owner’s responsibilities toward their clients in the case of a data breach.