Emulating federal law, many states now require notice of data breaches to customers or clients. For example, Texas requires a person who conducts business in the state and who owns or licenses computerized data that includes sensitive personal information (“SPI”) to notify any individual whose SPI was, or is reasonably believed to have been acquired by an unauthorized person. If you fail to comply with this notice statute, it can cost you civil penalties of up to $100 per person per day that you delay, to a maximum of $250,000 per data breach.
Texas House Bill 4390 amended this law to remove the “as soon as possible” notice requirement. Now, the statute requires notifications of such a data breach to be made “without unreasonable delay and…not later than the 60th day after the date on which the person determines that the breach occurred.”
This amendment is important, not only because it clearly defines the meaning of “without unreasonable delay,” but also because it starts the clock running from when the actual data breach is determined to have occurred. Typically, such a determination is made only after a cyber-incident has been fully investigated by an IT professional, so this amendment buys some time for the accused to ascertain the facts.
But there is yet another requirement added by the amendment. The statute now requires that if the data breach affects at least 250 Texas residents, the attorney general must be notified during the 60-day time period. Such notice must include 5 described categories of information set out in the statute.
Of course, the real cost of such a breach is not the fines that may hit you if you wait to report, but the loss of customer trust and goodwill when you do follow the law and report the incident. No one wants to be caught having to explain to clients why they dropped the ball and exposed their SPI, especially in an era when there are manifold ways to protect it. And no one wants the liability that would necessarily follow. Any meaningful discussion about how to mitigate that liability begins with a careful appraisal of the law pertaining to breaches of computer security.