Tex. Bus. and Com. Code 521.002, 521.053, 521.151-152

Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
00:00

In lesson 10.3 we are going to examine the Texas Data Breach Notification Law. We have several learning objectives. We're going to talk about the definition of personal information. We're going to talk about the definition of a breach; in this case, unlike California, Texas refers to this type of information as sensitive personal information. We'll talk about whether there is a requirement for an analysis of risk of harm to Texas residents, and whether there is a safe harbor for encrypted personal information, or information that's been rendered unreadable, unusable, or redacted. We'll talk about some of the requirements for notifications to individuals and regulators. Then we're going to talk about who enforces this law, whether there is a private cause of action or right to sue in civil court, and then some of the penalties that exist for noncompliance with this law.

Now, if you're licensed to operate in the state or you license Texas residents' sensitive personal information, then you have to comply with this law.

Let's look at how the law defines personal information. As I previously stated, it refers to this type of personal information as sensitive personal information. It defines it in a way that's pretty similar to the California law: a first name or first initial and last name in combination with one or more identifiers, if that name or the information has not been encrypted. We're talking about unencrypted information. That can be a social security number, a driver's license number, or some other type of government-issued ID number, or a financial account number or credit card or debit card number in combination with some type of access information like a security code, access code, or password that would permit access to that resident's financial account. Or it can be information that identifies that Texas resident and relates to his or her physical or mental health or condition, any health care services that they receive, or any payments for such health care services.

How does this law define a breach? In this case, it defines it as the unauthorized acquisition of computerized or electronic sensitive personal information that compromises that individual's sensitive personal information. It also, in this case, unlike the California law, says that it also includes sensitive personal information that's been encrypted if the individual that gained access to that information had compromised the encryption keys.

Unlike California, the Texas law does have an analysis of risk of harm requirement. If you are a person or a business that has to comply with this law in the state, and you own or license computerized data, sensitive personal information, then you have to disclose that breach of your security system to any individual whose sensitive personal information, or any Texas resident whose information, was or was reasonably believed to have been acquired by that unauthorized person.

Much like California, this law also has a safe harbor provision for information that's been encrypted, unreadable, unusable, or redacted under certain circumstances.

Much like California, there is a requirement to notify affected persons. This law says that those individuals or businesses that have to comply with this law have to do that without unreasonable delay, and not later than the 60th day after discovery of a breach of sensitive personal information. Now, just like California, this law does have a law enforcement delay provision that says that individuals and companies that have to comply with this law may delay notification if it looks as if it might compromise a criminal investigation. But as soon as that investigation is over, then those individuals or businesses must notify those individuals and make notification immediately.

Now, when it comes to notifying regulators, in this case we're talking about the Texas Attorney General: that individual or company that has discovered a breach of sensitive personal information must do so not later than the 60th day after the date on which they discovered that the breach occurred, if it impacts at least 250 Texas residents. It also must give notice to consumer reporting agencies of a breach of sensitive personal information if it requires notification to more than 10,000 people at one time.

It is going to be the Texas Attorney General that enforces this law. There are civil penalties for violations of the law. They range from at least $2,000 but no more than $50,000 for each violation. The Texas Attorney General has the right to sue in court to recover those civil penalties. If the individuals or businesses that have to comply with this law don't take the appropriate action in compliance with this law, then they are also liable for a civil penalty of no more than $100 for each Texas resident that they were supposed to notify, for each consecutive day that they failed to take reasonable actions to notify them. Now, there's a cap: the civil penalties may not exceed $250,000 for all the individuals that were supposed to be notified after a single breach of sensitive personal information. Now, if the Attorney General determines that the individual or the business is in violation of these notification requirements, it is also able to bring actions against those individuals and businesses by requesting or enforcing a temporary or permanent restraining order or a permanent or temporary injunction.

Let's look at question 1. Question 1 asks whether Texas law defines sensitive personal information as which of the following choices? A and B are the appropriate answers. Question 2 is: Texas' data breach notification law requires individuals and businesses that have to comply with this law to notify the Texas Attorney General of breaches of sensitive personal information when? The appropriate answer is A.

Summary: we looked at the Texas law and we looked at its requirements. We compared it to the California law. We saw that it defines personal information as sensitive personal information, pretty similar to that definition that we saw under California law. The same thing for its definition of a data breach. It does have a safe harbor provision that allows these individuals or businesses that have to comply with this law, and the answer is that if the information is encrypted, unreadable, unusable, or redacted in certain circumstances, there's no need for notification. We also said that individuals and companies that have to comply with this law do have a requirement to conduct an analysis of risk of harm. We said that there were notification requirements to individuals affected by this breach and also to individuals to whom they should give notice, and a requirement to notify consumer reporting agencies if the breach itself required notifications to more than 10,000 individuals at one time. We send the notifications to the Texas Attorney General; they said that that had to occur no later than 60 days after the discovery of that breach and if it impacted at least 250 residents. We said that under this law there are enforcement requirements by the Texas Attorney General. Individuals or the Attorney General has a right to sue under this law, and there are requirements for delayed notifications and penalties for such.