On June 14, 2019, Texas Governor Greg Abbott signed into law House Bill 4390 (HB 4390), bipartisan legislation amending the Texas state breach notification law. HB 4390 places a firm deadline on the breach notification requirements set forth in the Texas Identity Theft Enforcement and Protection Act (TITEPA), requires notification of the Texas Attorney General of a breach affecting at least 250 Texas residents, and creates the Texas Privacy Protection Advisory Council. Like legislators in many other states seeking to enhance consumer privacy, sponsors in the Texas House of Representatives originally introduced two comprehensive data privacy bills; only one passed, and it did so in a significantly altered form.
TITEPA requires a “person who conducts business in [the] state and owns or licenses computerized data that includes sensitive personal information” to disclose any breach of system security to an individual whose sensitive personal information is reasonably believed to have been acquired by an unauthorized person. “Sensitive personal information” includes an individual’s first name or first initial, together with the last name, in combination with any one or more of the following items, where the name and the item(s) are not encrypted: Social Security number; driver’s license number or other government-issued identification number; or financial account information. It also includes individually identifiable health care information (known under the Health Insurance Portability and Accountability Act (HIPAA) as Protected Health Information (PHI)). A “breach of system security” occurs when there is an “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information.” Notification of affected individuals under TITEPA was previously required only to be made “as quickly as possible,” with no fixed outer limit. HB 4390 amends TITEPA so that disclosure of a breach of system security must be made no later than 60 days after the date on which the person determines that the breach occurred; the “as quickly as possible” standard remains, so the 60 days is a ceiling rather than a grace period. This aligns TITEPA with the 60-day timeframe of the HIPAA Breach Notification Rule.
HB 4390 also amends TITEPA to require organizations to notify the Texas Attorney General of any breach of system security affecting 250 or more Texas residents. That notification must be made no later than 60 days after the date the breach is determined to have occurred. For health care entities, this is a much lower threshold than HIPAA imposes for prompt reporting of breaches: under HIPAA, the Secretary of Health and Human Services (Secretary) must be notified within 60 days of discovery only if 500 or more individuals are affected, while breaches affecting fewer than 500 individuals may be reported annually (within 60 days after the end of the calendar year in which they were discovered). The TITEPA notification to the Attorney General must include: (1) a detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach; (2) the number of Texas residents affected by the breach at the time of notification; (3) the measures taken by the person or entity regarding the breach; (4) any measures the person or entity intends to take regarding the breach after the notification; and (5) information regarding whether law enforcement is engaged in investigating the breach. Both updates to TITEPA’s breach notification provisions take effect on January 1, 2020.
In addition to the amendments to TITEPA, HB 4390 creates the Texas Privacy Protection Advisory Council (Advisory Council). The Advisory Council’s purpose is to study, develop, and make recommendations to the Texas Legislature regarding data privacy laws, based on its research of privacy laws in other states and relevant foreign jurisdictions. The Advisory Council will consist of 15 members drawn from a variety of professions and industries. It must be convened by November 1, 2019, and must deliver its recommendations on data privacy laws no later than September 1, 2020. Importantly, the Advisory Council will be abolished on December 31, 2020. Its recommendations could therefore form the basis for new comprehensive consumer privacy legislation in the legislature’s next regular session, which begins in January 2021.
In light of these updates, Texas health care providers and others who maintain sensitive personal information should update their data breach response plans accordingly. TITEPA’s new requirement to notify individuals within 60 days matches the HIPAA timeframe, but response plans built around HIPAA typically cover only PHI; they now need to apply the same 60-day clock to non-PHI sensitive personal information. Entities should also track closely how many individuals’ sensitive personal information is involved in a breach: as few as 250 affected Texas residents trigger the requirement to notify the Texas Attorney General, whereas reporting to the Secretary is required under HIPAA only if the PHI of 500 or more individuals is affected. In either case the report is due within 60 days, measured from discovery of the breach under HIPAA and from the determination that a breach occurred under TITEPA; a response plan should record both dates so that neither deadline is missed. Of course, preventing rather than responding to breaches is always the best path. Continued investment of effort and resources in security programs designed to keep up with the ever-changing challenges to data security becomes more important as stricter laws are passed and potential liability increases.