Q: Did you know there are breach notification obligations in all 50 states, even though only 46 states have adopted them? How could that be, you ask? Because Texas said so. (Does that surprise you?)
A: Texas recently amended its breach notification law so that its consumer notification obligations apply not only to residents of Texas, but to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Texas's amended law (H.B. 300) specifically requires notification of data breaches to residents of states that have not enacted their own law requiring such notification (that is, Alabama, Kentucky, New Mexico and South Dakota).
The law only applies to persons who "conduct business in" Texas, although the law does not elaborate on what that might include.
The amended law also increases the penalties for a failure to notify consumers of a data breach from a maximum of $50,000 (under the old law) to $100 per individual per day of failed or delayed notification, not to exceed $250,000 for a single breach.
What does this mean for entities that have suffered a data breach? Many companies that suffer nationwide data breaches already elect to notify individuals who reside in states that do not have breach notification laws, simply to avoid negative public relations scrutiny for not doing so. However, for companies that conduct business in Texas, there could now be a price tag of up to $250,000 for not notifying non-Texas residents whose sensitive personal information was subject to a data breach.
Texas's new law will become effective September 1, 2012. For more information about this new law, see our blog.
Texas's H.B. 300 also amends Texas's Health and Safety Code to impose privacy and data security requirements that go beyond HIPAA. We will blog about these amendments separately.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.