Current Texas Cybersecurity and Data Privacy Laws
The Texas Legislature passed new cybersecurity laws in 2017 and 2019, while the 2021 legislative session appears unlikely to produce any significant new legislation.
What does Texas’ current cybersecurity framework look like now, as the 2021 session draws closer to its May 31 end? This post provides a high-level overview.
Data breaches continue to impose a high cost on Texas businesses. In its Cost of a Data Breach Report (2020), IBM Security summarized costs incurred in addressing a breach:
- U.S. data breaches had an average cost of $8.64 million in 2020.
- Customers’ personally identifiable information (PII) was the most frequently compromised type of record and the costliest, averaging $150 per record.
- The average time to identify and contain a data breach in 2020 was 280 days.
The pandemic-induced shift to working at home has likely increased breaches’ risks and their attendant costs.
Faced with these threats, Texas has passed a series of laws aimed at protecting data privacy and mitigating breach risk.
Texas Privacy Protection Act (2019)
In June 2019, Texas enacted House Bill 4390, the Texas Privacy Protection Act. Many of the law’s provisions went into effect in 2020. The Privacy Protection Act made several changes to the state’s earlier data breach notification laws, including:
- Businesses must provide data breach notices to affected individuals within 60 days following the determination that a breach of system security occurred involving sensitive personal information and must include additional content in notifications;
- Businesses that experience a data breach affecting 250 or more Texans must provide notice to the Office of the Texas Attorney General; and
- Texas created the Texas Privacy Protection Advisory Council to study data privacy laws and recommend changes to the legislature.
As enacted, the law was diluted from the original bill in significant ways—it is not the comprehensive data privacy legislation some consumer groups had pushed for.
Texas Cybercrime Act (2017)
The Cybercrime Act created new criminal offenses for denial-of-service attacks (electronic access interference), ransomware installation and other electronic data tampering, and intentionally altering data to deceive.
Student Data Privacy Act (2017)
This act prohibits the sale of students’ personal data, bans advertisements to students based on their data shared with educational institutions or vendors, and broadly prohibits disclosure of student data, with some limited exceptions.
Medical Records Privacy Act (2012)
This law provides privacy protections that complement and, in some cases, exceed HIPAA requirements. It requires workforce training on protected health information, provision of electronic health records at the patient's request, breach notification, and patient authorization before certain health-related information may be disclosed.
Biometric Privacy Act (2009)
Originally enacted in 2009 and since amended several times, the Biometric Privacy Act prohibits the capture, sale, or disclosure of a person’s biometric identifier—e.g., iris scan, fingerprint, or face geometry—without consent.
Identity Theft Enforcement and Protection Act (2007)
This law, also amended since its enactment, prohibits identity theft, i.e., the use of a person's identifying information to obtain goods, services, or credit in that person's name. It also requires businesses to implement and maintain "reasonable procedures" to protect customers' sensitive personal information from unlawful use or disclosure.