BREACH NOTIFICATION – Mandated Timeframe
Within 30 days
FINES & PENALTIES – Violations
$2,000 – $50,000
Vendor Contract Required
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
Texas Privacy Law Information
Organizations must have procedures in place for the protection of sensitive personal information, including processes for responding to potential risks or a breach or suspected breach of security. Organizations must have processes in place for the disposal of customer information no longer needed, by shredding, erasing or otherwise modifying to make it unreadable or indecipherable. Organizations are considered compliant with the state’s disposal regulations if they contract with a data disposal vendor. Data disposal Vendors must have measures in place for the destruction of records containing personal information so the records are unreadable or undecipherable. Texas has regulations specific to the consent, disclosure, protection and retention of individuals’ biometric identifiers. Organization may not obtain, possess, transfer, or use personal identifying information of another person without the other person’s consent or effective consent. Organizations may not obtain, possess, transfer, or use personal identifying information of another person without the other person’s consent or effective consent. Organizations (acting as contracted vendors for a state agency) that provide cloud computing services, must be vetted and able to provide documentation showing their certification and compliance with a state risk and authorization management program.
If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside. Organizations must notify any Texas resident whose sensitive personal information was acquired by an unauthorized person within 60 days of discovery of the breach.
Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications. Organizations (acting as contracted vendors for a state agency) that provide cloud computing services, must be vetted and able to provide documentation showing their certification and compliance with a state risk and authorization management program.
A violation of an Organization’s disposal of personal information is subject to a fine of up to $500 for each business record. Texas law has heavy penalties for violations of the regulations involving the protection of personal information and breach notification, including civil penalties from $2,000 to $50,000 per violation and $100 for each individual that failed to receive a notification (up to $250,000). The unauthorized use or possession of a consumer’s personal information is considered a deceptive trade practice. Organizations may be fined or penalized for Vendor violations.
Texas Statutes and Laws
Disposal of Certain Business Records
Medical records privacy
Capture or use of biometric identifier
Unauthorized use or possession of personal identifying information
Notification required following breach of security of computerized data
Civil penalty; injunction
Identity Theft Enforcement and Protection Act
Cloud Computing State Risk and Authorization Management Program
The information provided is not legal guidance or recommendations and are for informational purposes only.