As a reminder, unless it is repealed or delayed in the next six months, a far-reaching amendment to the Texas data security breach notice statute, Tex. Bus. & Comm. Code § 521.001 et seq., is scheduled to take effect on September 1, 2012. The amendment would substantially impact the national legal landscape for security breach notice requirements.
Texas law currently requires companies doing business in Texas to notify affected Texas residents in the event of an “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of [those residents’] sensitive personal information,” unless the data are encrypted.
The amendment, H.B. 300, which passed in the last legislative session in Texas, purports to require notice of a data security breach not only to affected Texas residents, but to “any individual” whose “sensitive personal information” has been acquired without authorization. The amendment specifically requires notice to “residents [of Texas] or another state that does not require a [company] to notify the individual of a breach.” (emphasis added). Thus, on its face, the amendment would require companies to notify affected individuals in the four states that currently do not have breach notice laws: Alabama, Kentucky, New Mexico and South Dakota.
In addition, the amendment states that “if the [affected] individual is a resident of a state that requires a person . . . to provide notice of a breach . . . , the notice of the breach . . . provided under that state’s law satisfies the requirements of [the Texas statute].” Read literally, the Texas notice obligation therefore extends to residents of those states as well, and is satisfied only by notice actually given under their home state’s law. A company that fails to notify affected individuals even in a state with its own breach notice law would, on this reading, also violate the Texas statute. This requirement would effectively make the Texas law a national requirement.
Finally, the amendment provides for civil penalties for non-compliance, assessed on a per-individual, per-day basis. Specifically, the Texas law would allow penalties of “not more than $100 for each individual to whom notification is due . . . for each consecutive day that the [company] fails to take reasonable action to comply [with the law].” The total civil penalty for a “single breach” would be capped at $250,000.