The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.
Data Breach Notification Statute
Covered Entities: A person who conducts business in Texas and owns or licenses computerized data that includes sensitive personal information.
Consumer Notification: Notification must be provided to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Regulatory Notification: Notification must be provided to the Texas Attorney General if the breach involves at least 250 Texas residents.
Notification Timeline: Consumer notification shall be made without unreasonable delay, not later than the 60th day after the date on which the person determines that the breach occurred. Attorney General notification (when required) is due as soon as practicable and not later than the 30th day after that determination.
Data Format: Electronic.
Citations: Tex. Bus. & Com. Code §§ 521.002, 521.053.
- Breach: Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information.
- Sensitive Personal Information (PI): An individual's first name / first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
- Social Security number;
- Driver's license number or government-issued identification number; or
- Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.
- Separately, and whether or not combined with the individual's name, information that identifies an individual and relates to:
- the physical or mental health or condition of the individual;
- the provision of health care to the individual; or
- payment for the provision of health care to the individual.
- Medical Information: N/A
- Health Insurance Information: N/A
- Encryption: Notification is not required if the affected data was encrypted and if the person accessing the data does not have the key required to decrypt it.
- Good Faith: Good faith acquisition of sensitive personal information by an employee or agent of the person for the purposes of the person is not a breach of system security unless the person uses or discloses the sensitive personal information in an unauthorized manner.
- Risk of Harm: N/A
- Law Enforcement Delay: A person may delay providing the consumer notice described above at the request of a law enforcement agency that determines that the notification will impede a criminal investigation. The notification shall be made as soon as the law enforcement agency determines that the notification will not compromise the investigation.
- Timing: Notification must be provided without unreasonable delay, not later than the 60th day after the date on which the person determines that the breach occurred.
- Format: N/A
- Content: N/A
- Method: Notification must be provided via written notice or electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001.
An entity may provide substitute notice if (1) the cost of providing notice would exceed $250,000, (2) the number of affected persons exceeds 500,000, or (3) the person does not have sufficient contact information. The notice may be given by (1) electronic mail, if the person has electronic mail addresses for the affected persons; (2) conspicuous posting of the notice on the person's website; or (3) notice published in or broadcast on major statewide media.
An entity shall notify the Attorney General as soon as practicable and not later than the 30th day after the date on which the entity determines that the breach occurred if the breach involves at least 250 Texas residents. The notification must be submitted electronically using the form available through the Attorney General's website and must include:
- A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;
- The number of Texas residents affected by the breach at the time of notification;
- The number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification;
- The measures taken by the person regarding the breach;
- Any measures the person intends to take regarding the breach after the notification under this subsection; and
- Information regarding whether law enforcement is engaged in investigating the breach.
Credit Reporting Agencies Notice:
If an entity is required to notify at one time more than 10,000 persons of a breach, the person shall also notify each consumer reporting agency.
Any person who maintains computerized data that includes sensitive personal information not owned by the person shall notify the owner or license holder of the information of any breach of system security immediately after discovering the breach, if the sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
- Tex. Bus. & Com. Code §§ 521.151, 521.152
Comprehensive Data Privacy Law
Texas Data Privacy and Security Act
Tex. Bus. & Com. Code §§ 541.001-.205
Applies only to a person that:
- Conducts business in Texas or produces a product or service consumed by Texas residents;
- Processes or engages in the sale of personal data; and
- Is not a small business as defined by the United States Small Business Administration, except to the extent that Section 541.107 [Requirements for Small Businesses] applies.
Among other exclusions, the TDPSA does not apply to state agencies or political subdivisions of Texas; financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); covered entities and business associates governed by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act); nonprofit organizations; institutions of higher education; and electric utilities. It also excludes certain types of information, such as protected health information under HIPAA, data subject to the GLBA, and employment-related data.
- Limit the collection of Personal Data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that Personal Data is processed, as disclosed to the Consumer.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the Personal Data at issue for purposes of protecting the confidentiality, integrity, and accessibility of Personal Data.
- Not process Personal Data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the Personal Data is processed, as disclosed to the Consumer, unless the Controller obtains the Consumer’s consent.
- Not process Personal Data in violation of state and federal laws that prohibit unlawful discrimination against Consumers.
- Not discriminate against a Consumer for exercising any of the Consumer rights contained in the TDPSA.
- Not process the Sensitive Data of a Consumer without obtaining the Consumer’s consent, or, in the case of processing the Sensitive Data of a known child, without processing that data in accordance with the Children’s Online Privacy Protection Act of 1998.
- Provide Consumers with a reasonably accessible and clear privacy notice that includes: (1) the categories of Personal Data processed by the Controller, including, if applicable, any Sensitive Data processed by the Controller; (2) the purposes for processing Personal Data; (3) how Consumers may exercise their Consumer rights under the TDPSA, including the process by which a consumer may appeal a Controller’s decision with regard to the Consumer’s request; (4) if applicable, the categories of Personal Data that the Controller shares with third parties; (5) if applicable, the categories of third parties with whom the Controller shares Personal Data; (6) a description of the methods required under Section 541.055 through which Consumers can submit requests to exercise their Consumer rights; (7) if applicable, specific disclosures about the sale of Sensitive Data; and (8) if applicable, specific disclosures about the sale of biometric data.
- Execute agreements with Processors that include required provisions, including processing instructions, duration of processing and requirement to return/destroy all Personal Data, the right of the Controller to request documentation of compliance and to audit the Processor.
- Conduct Data Protection Assessments for each of the following processing activities: (1) the processing of Personal Data for targeted advertising; (2) the sale of Personal Data; (3) the processing of Sensitive Data; (4) any processing activities involving Personal Data that present a heightened risk of harm to Consumers; and (5) Profiling that presents a foreseeable risk of:
- Unfair or deceptive treatment of or unlawful disparate impact on Consumers;
- Financial, physical, or reputational injury to Consumers;
- A physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, if the intrusion would be offensive to a reasonable person; or
- Other substantial injury to Consumers.
- Respond in a timely manner to Consumer requests to exercise rights under the TDPSA, including appeals by Consumers.
- Small businesses may not engage in the sale of Sensitive Data without receiving prior consent from the Consumer.
Businesses must respond without undue delay and within 45 days to consumer requests regarding the processing of Personal Data and Sensitive Data, including consumers’:
- Right to request deletion of Personal Data;
- Right to access Personal Data;
- Right to obtain Personal Data in a format that is generally portable, readily usable, and transmittable;
- Right to correct inaccurate Personal Data;
- Right to opt out of the sale of Personal Data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects.
- Consumer: An individual who is a Texas resident acting only in an individual or household context. The term does not include an individual acting in a commercial or employment context.
- Controller: An individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.
- Personal Data: Any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual. The term includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual. The term does not include deidentified data or publicly available information.
- Profiling: Any form of solely automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Sale of Personal Data: The sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by the controller to a third party. The term does not include: (A) the disclosure of personal data to a processor that processes the personal data on the controller’s behalf; (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; (C) the disclosure or transfer of personal data to an affiliate of the controller; (D) the disclosure of information that the consumer: (i) intentionally made available to the general public through a mass media channel; and (ii) did not restrict to a specific audience; or (E) the disclosure or transfer of personal data to a third party as an asset that is part of a merger or acquisition.
- Sensitive Data: A category of personal data. The term includes: (A) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, or citizenship or immigration status; (B) genetic or biometric data that is processed for the purpose of uniquely identifying an individual; (C) personal data collected from a known child; or (D) precise geolocation data.
A person who violates the TDPSA following the cure period described by Section 541.154 or who breaches a written statement provided to the Attorney General under that section is liable for a civil penalty in an amount not to exceed $7,500 for each violation.
- Opportunity to Cure: The Attorney General must notify a person, or controller, in writing before bringing an action under this Act. The notification must specify the allegations and allow the controller thirty (30) days to cure the alleged violations.
Effective date: July 1, 2024, except Section 541.055(e), requiring recognition of universal opt-out mechanisms, which takes effect January 1, 2025.
Information Security Standard
Covered Entities: Any business, including a nonprofit athletic or sports association.
First Party Security Standard: A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business.
Third-Party Security Standard: N/A
Disposal/Destruction Standard: A business record required to be retained by a law of this state may be destroyed at any time after the third anniversary of the date the business record was created. Such requirement does not apply if a law or rule applicable to the business record prescribes a different retention period or procedure for disposal.
When a business disposes of a business record that contains personal identifying information of a customer of the business, the business shall modify, by shredding, erasing, or other means, the personal identifying information so as to make the information unreadable or undecipherable.
Data Format: Electronic and Paper.
Citations: Tex. Bus. & Com. Code §§ 72.002, 72.004; Tex. Bus. & Com. Code §§ 521.052, 521.151
- Personal Information (PI): Personal identifying information is defined as an individual’s first name / first initial and last name in combination with one (1) or more of the following data elements:
- Social Security number or other government-issued identification number;
- Date of birth;
- Mother’s maiden name;
- Unique biometric data, including the individual’s fingerprint, voice data, or retina or iris image;
- Unique electronic identification number, address, or routing code;
- Telecommunication access device; or
- Financial institution account number or any other financial information.
- Methods of Compliance: A business is considered to comply with the disposal standard if it contracts with a person engaged in the business of disposing of records to modify the personal identifying information on the business's behalf in accordance with that standard.
- Health Care: N/A
- Financial: These requirements do not apply to a financial institution as defined by 15 U.S.C. Section 6809.
- Other: These requirements do not apply to a covered entity as defined by the Texas Insurance Code.
A business that disposes of a business record without complying is liable for a civil penalty in an amount not to exceed $500 for each business record. The attorney general may bring an action against the business to:
- Recover the civil penalty;
- Obtain any other remedy, including injunctive relief; and
- Recover costs and reasonable attorney’s fees incurred in bringing the action.