Did you know there are breach notification obligations in all 50 states (effective 9/2012), even though only 46 states have adopted them?  How could that be, you ask?  Because Texas said so.  (Does that surprise you?)

Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of Texas, but to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person.  Texas’s amended law (H.B. 300) specifically requires notification of data breaches to residents of states that have not enacted their own law requiring such notification (that is, Alabama, Kentucky, New Mexico and South Dakota). 

The law covers what it defines as "sensitive personal information," which includes (A) an individual’s name in combination with his (i) Social Security number, (ii) state driver’s license number or government-issued ID number, or (iii) financial account number along with credentials that would allow access to his financial account, and (B) personally identifying information relating to an individual’s physical or mental health or condition, health care provided to such individual, or payment therefor.

The law only applies to persons who "conduct business in" Texas, although the law does not elaborate on what that might include. 

The amended law also increases the penalties for a failure to notify consumers of a data breach from a maximum of $50,000 (under the old law) to $100 per individual per day of failed or delayed notification, not to exceed $250,000 for a single breach.

What does this mean for entities that have suffered a data breach?  Many companies that suffer nationwide data breaches already elect to notify individuals who reside in states that do not have breach notification laws, simply to avoid negative public relations scrutiny for not doing so.  However, for companies that conduct business in Texas, there could now be a price tag of up to $250,000 for not notifying non-Texas residents whose sensitive personal information was subject to a data breach.

Texas’s new law will become effective September 1, 2012. 

Texas’s H.B. 300 also amends Texas’s Health and Safety Code to impose privacy and data security requirements that go beyond HIPAA (the Health Information Portability and Accountability Act), and it applies to entities that are neither a "covered entity" nor a "business associate" as defined by HIPAA.  Instead, Texas’s definition of "covered entity" would cover any entity that handles PHI (protected health information), with some exceptions.  We will blog about these amendments separately.