BNA INSIGHTS: Texas Amendments Purport to Apply Breach Notification Law to Cover 50 States, And to Expand Health Care Privacy Law’s Requirements and Scope of Applicability
By Kristen J. Mathews, Proskauer, New York
In a bill quietly passed by the Texas Legislature at the end of May, the state made quite a change for businesses countrywide. One, Texas expanded the scope of its information security breach notification law to protect residents of all 50 states. Two, it imposed privacy and data security requirements relating to personal health information that go beyond the federal Health Insurance Portability and Accountability Act (“HIPAA”) and imposed these requirements on entities that are not covered by HIPAA.
Texas’s Breach Notification Law Amendments
As most privacy practitioners know, to date, 46 states plus the District of Columbia, the U.S. Virgin Islands and Puerto Rico have enacted laws that require businesses to notify individuals when there has been a breach of their sensitive personal information. What many don’t know is that one of those state laws, Texas’s, was just amended to cover the remaining four states, Alabama, Kentucky, New Mexico and South Dakota. Specifically, on June 17, Texas Governor Rick Perry signed House Bill 300 (“H.B. 300”) into law, which amended the state’s breach notification law so that its consumer notification obligations apply not only to residents of Texas, but to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person, regardless of that individual’s state of residence. Texas’s amended law specifically requires notification of data breaches to residents of states that have not enacted their own law requiring such notification. This amendment purports to add an obligation to notify individuals who would otherwise not be required to be notified under any law, and provides for penalties (which would be paid to Texas) if such non-Texas residents are not notified of an information security breach suffered by an entity that “conducts business in” Texas.
The amended law also allows the state to impose additional penalties (far exceeding the maximum of $50,000 “for each violation” under the old law) for a failure to notify individuals of a data breach. In particular, in addition to the penalties available under the old law, the amended law provides for statutory penalties of up to $100 per individual per day of failed or delayed notification, not to exceed $250,000 for a single breach. The attorney general may also recover its reasonable enforcement expenses. This means that the maximum penalty per data breach under the amended Texas law is $300,000 plus expenses. Relative to other state breach notification laws, the $250,000 cap is on the high end of the range (although it is not the highest). Nonetheless, the Texas law’s application to residents of other states that do have their own laws, but whose laws’ penalties are lower, effectively increases the liability exposure resulting from a failure to notify individuals in those states.
Finally, the Texas law’s definition of sensitive personal information (the breach of which triggers its notification obligations) is broader than the definition in many other state breach notification laws. In addition to including the “standard” three data points (name combined with Social Security number, government ID card number and financial account number), the Texas law’s definition of “sensitive personal information” also includes personally identifying information relating to an individual’s physical or mental health or condition, health care provided to such individual, or payment for such care. Only three other states plus Puerto Rico have laws that apply to this sort of information. The broader scope of Texas’s law, combined with the fact that it purports to cover non-Texas residents, also serves to increase the liability exposure for those who fail to notify non-Texas residents.
The reasonable person’s first reaction to the new Texas law’s application to residents of other states is to question how Texas law can protect residents of other states, and whether Texas authorities have the jurisdiction necessary to enforce the state’s laws for the benefit of non-Texas residents. Texas’s likely first response would lie in the fact that Texas’s law, by its express terms, only applies to businesses that “conduct business in” Texas. That nexus, Texas would argue, is how its law can apply to protect non-Texas residents. However, the law itself does not elaborate on what it means to “conduct business in Texas.” For example, does a company that ships products to consumers in Texas “conduct business in” Texas? Does a business that processes data on behalf of a Texas client “conduct business in” Texas?
To find out, Texas’s amended law would have to be challenged. A business that suffers a data breach and is aware of the purported breadth of Texas’s law would probably sooner simply notify residents of all 50 states than incur the potential cost of litigating the scope of Texas’s law. Many companies that suffer nationwide data breaches already elect to notify individuals who reside in states that do not have breach notification laws, simply to avoid negative public relations scrutiny for not doing so. But a business that suffers a data breach and is not aware of the purported breadth of Texas’s law, and that does not notify residents of all 50 states, could find itself exposed to a price tag of up to $300,000 plus enforcement expenses for a single data breach. In addition to a financial penalty, the business would also likely suffer negative publicity from an action taken by the Texas Attorney General. If the Texas Office of the Attorney General were to enforce the new law against such a company in a manner that asserts penalties relating to non-Texas residents, that company would potentially be willing to challenge the purported scope of Texas’s amended breach notification law. And for that reason, we might not see Texas regulators actually attempt this breadth of enforcement…