Amendments to TITEPA: Breach Notification and Privacy in Texas

by Sarah Harvey / November 15th, 2019

Organizations are experiencing increasing commercial pressure from their business customers and individual consumers to provide timely, clear, and adequate breach notification. Now, organizations are facing increasing regulatory pressure to provide timely, clear, and adequate breach notification. One of the most recent regulatory changes apply to the Texas Identity Theft Enforcement and Protection Act (TITEPA). These changes create additional regulatory requirements and force businesses to disclose certain security breaches directly to the state which could lead to regulatory enforcement in response to the breaches.

What is TITEPA?

In March 2019, Texas legislators proposed two data privacy bills that enhance consumers’ data rights and require businesses to responsibly maintain personal information. One bill stalled and one has passed, HB 4390, which was intended to be a consumer privacy bill known as the Texas Privacy Protection Act. Instead, it updates the breach notification requirements in the TITEPA.

HB 4390 aims to protect personally identifiable information that poses privacy risks to consumers. This data could be anything from a Social Security number to cardholder security codes, unique biometric data, physical or mental health information, private communications of users that’s not publicly available, geolocation data, and unique genetic information. Wondering what constitutes a privacy risk under HB 4390? The bill state that a privacy risk is, “Any potential adverse consequences to an individual or society at large arising from the processing of personally identifying information.” These consequences could be financial loss, physical harm, psychological harm, reputational harm, discrimination, etc.

Failure to comply with TITEPA and its amendments will result in civil penalties. These updates to TITEPA took effect on September 3, 2019, with the exception of a few new amendments to take effect on January 1, 2020. Let’s discuss their impact to your organization.

3 Important Updates

The first amendment to HB 4390 requires that Texas residents must be notified of a data breach within 60 days of when the breach occurred. This amendment is significant because it gives a specific time period, instead of the vague, flexible requirement before it, which required businesses notified the impacted individuals “as quickly as possible.”

The second amendment stipulates that if a data breach impacts 250 or more Texas residents, then the business that experienced the breach must provide notice to the Texas Attorney General within the same 60-day notification period of Texas residents. This regulatory notification provides oversight and accountability, and must include a detailed description of the data breach, plus information about how many Texas residents were impacted, steps taken so far to contain the breach in the present and future, and if law enforcement has been notified.

Both of these amendments highlight the importance of an incident response plan. If your organization doesn’t know what to do in the face of a data breach, how can you expect to give proper breach notification to impacted individuals and the Attorney General?

HB 4390 also establishes the Texas Privacy Protection Advisory Council, which will study data security laws to prepare recommendations for changes to the Texas Legislature by September 2020, prior to the legislative session beginning in January 2021. The updates to HB 4390 stipulate who will make up the council and how they will be appointed.

Is Privacy Legislation Coming to Texas?

Because HB 4390 is an update to TITEPA instead of the Texas Privacy Protection Act, we’ll still be waiting to see if comprehensive privacy legislation is passed in Texas in the near future. The passage of HB 4390 is a win, though, for making updates to the state’s breached notification law and establishing the Texas Privacy Protection Advisory Council. The recommendations found by the Council (and reported in September 2020) will likely for the basis for privacy legislation in the future – maybe even when the Texas Legislature session begins in January 20201.

Does HB 4390 Apply to You?

HB 4390 applies to businesses who do business in Texas, have more than 50 employees, and collects personal information of more than 5,000 individuals, households, or devices. The applicability of HB 4390 also depends on if the business has an annual gross revenue that exceeds $25 million or derives more than 50% of their annual revenue from processing personal information.

If you complete an audit with us, our auditors are trained to determine if state laws like these apply to your organization and impact your compliance. You may be in compliance and not know it, or you may have some gaps to close before you’re fully there. Hiring an auditing firm that shows you the full scope of your compliance obligations is crucial to becoming a security-conscious organization.

Ready to partner with an auditor who provides you with clear, comprehensive guidance? Let’s talk.