Texas Data Breach Act
The Texas Identity Theft Enforcement And Protection Act (“ITEPA” Or Texas Data Breach Act):[1] ITEPA requires businesses to implement and maintain reasonable safeguards to protect sensitive personal information from unlawful use or disclosure. In the event of a data breach, ITEPA requires the person who owns or licenses the sensitive personal information to provide notice of the breach to affected persons and to report the breach to the Office of the Attorney General.
ITEPA also provides that when a business disposes of records that contain personal information, the disposal process must render the personal information unreadable or indecipherable. ITEPA grants victims of identity theft with certain limited rights including the right to obtain a declaration from a district court that the person is a victim of identity theft. Read the full text of ITEPA.
Overview Of The Identity Theft Enforcement And Protection Act (ITEPA)
This overview is for informational purposes only and is not legal advice. Please consult your attorney if you have specific legal questions. Texas law prohibits the Office of the Attorney General from providing legal advice, opinions, or representation to private individuals.
Businesses That Collect Or Maintain Sensitive Personal Information (SPI) Must Comply With ITEPA’s Requirements, Including By:
- Implementing and maintaining reasonable procedures to protect sensitive personal information from unlawful use or disclosure.
- Sensitive personal information includes an individual’s name in combination with their driver’s license number, Social Security Number, government-issued identification number, financial account information, or health-related information.
- Destroying or arranging for the destruction of records that the business does not want to maintain by shredding, erasing, or modifying the sensitive personal information so that it is unreadable or indecipherable.
- Reporting a data breach that affects 250 or more Texans to the Office of the Texas Attorney General as soon as practicable but no later than 30 days after determining the breach occurred.
- Reports to the AG must be submitted electronically using the Data Breach Reporting Form, must include specific information requested in the form including the number of Texas residents who have been sent a notice of the breach by mail or other direct method of communication – at least as of the time of the report is submitted.
- Providing timely notice of a data breach to affected individuals no later than the 60 days after determining the breach occurred. Notice can be provided to consumers by:
- mailing notice to the last known address of the individual;
- emailing notice (if the business has email addresses for the affected individuals);
- conspicuous posting of the notice on the business’s website;
- by publication or broadcasting on major statewide media; or
- in accordance with procedures described in the company’s previously established information security policy – provided that the timing requirements of Ch 521 are met.
Notice by email, posting on the business’s website, or publication or broadcasting in statewide media is permissible only where the costs of giving notice would exceed $250,000 or the number of affected persons exceeds $500,000 or the business does not have sufficient contact information.
Enforcement:
- The Texas Attorney General is authorized to enforce the Act and to obtain:
- Injunctive and equitable relief;
- Civil penalties of at least $2,000 but not more than $50,000 per violation, additional penalties of up to $250,000 per breach for failing to take reasonable action to provide notice to consumers; and
- Reasonable attorneys’ fees, investigative costs, and court costs.
- If you are a consumer who wants to complain about a data breach or about a businesses’ failure to safeguard your personal information, file a complaint.
- Review the list of data breaches reported to the Office of the Attorney General in the last twelve months.
[1] Tex. Bus. & Com. Code Ann. § 521.001 et seq.