
Data Breach? State Laws Require Notification of Affected Parties

By Kiala Ellingson, Feb. 20, 2024, 5:25 P.M.

Data breaches are becoming increasingly common, especially with the rapid advancement of technology and AI. According to a 2022 study by Forrester, nearly 75% of surveyed organizations were victims of a data breach. Equally alarming is that in the first nine months of 2023 data breaches increased in the U.S. by nearly 20% compared to the 12 months prior. Because the risk is increasingly high, it is important for Texas business owners and executives to be prepared.

A data breach is a security violation in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, altered, or used by an individual unauthorized to do so. This situation can result in disastrous consequences, such as lost business revenue, plummeting stock prices, organizational disruption, and damaging personal exposure. Another unpleasant and unexpected consequence can be civil penalties for failure to properly report the breach.

Certain types of data breaches must be reported under Texas’ data breach notification statute, i.e., Section 521.053 of the Texas Business & Commerce Code. Specifically, the statute covers the unauthorized access, use, or disclosure of “sensitive personal information” — such as one’s Social Security number, driver’s license number, credit card number, bank account number, or health information. If such a breach occurs in your business (“business” can include for-profit, nonprofit, and even governmental entities), you must report the breach to any affected parties. Failure to properly report is no trivial matter, possibly resulting in civil penalties of up to $50,000 per violation.

Thus, it is critical that you understand what to do (and especially what is required by law) in the event of a data breach.

Knowledge of Texas’ statutory deadlines is key. In general, a Texas business must notify affected individuals within 60 days of a breach. This deadline may be delayed or modified under certain circumstances, as provided in the statute.

Additionally, if the data breach involves at least 250 Texas residents, a Texas business must notify the Attorney General within 30 days of the breach. The Attorney General’s website provides specific instructions on how to give notice. Businesses are typically reluctant to self-report to the Attorney General, but due to the risk of onerous penalties, proper reporting is a high priority.

To ensure compliance with the statute, I would recommend implementing a security policy that tracks the requirements of the statute and addresses how, when, and to whom notice should be given in the event of a data breach.

Such a policy would be especially helpful if you conduct business in multiple states. All 50 states, the District of Columbia, and U.S. territories have their own data breach notification statutes, and many of them have different deadlines and other requirements. This means your business may have to comply with multiple state statutes. You can be prepared with a comprehensive security policy that keeps track of important requirements, such as deadlines.

For example, if your business operates in Texas, Oklahoma, and New Mexico, your policy must account for the fact that New Mexico has a shorter, 45-day deadline (as opposed to Texas’ 60-day deadline) to notify individuals. A helpful summary of each state’s statutory requirements can be found here.

You’ve heard the saying, “a best defense is a good offense.” Savvy businesses should take this opportunity to be proactive by taking not only prevention measures, such as investing in good security software and IT services, but also anticipatory measures — that is, having a clear policy and procedure in place when all else fails.

###

Kiala E. Ellingson is an associate attorney at Decker Jones, P.C., where she focuses on commercial litigation and intellectual property. She joined the firm recently in 2023, bringing with her a strong background in STEM that informs her unique interdisciplinary approach to practicing law.

https://fortworthinc.com/commentary/data-breach-state-laws-require-notification-of-affected-part/
