AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

AlertBoot Endpoint Security

Texas Data Breach Law Amended To Include All US Residents

It looks like it's time to update my Texas data breach law post from a couple of years ago.  According to many sources, the Texas legislature has amended Business and Commerce Code Section 521.053.  This section originally required notification of data breaches only to Texas residents (with safe harbor for data protected by drive encryption such as AlertBoot).  As amended, it applies to breaches affecting anyone in the US, and possibly anyone in the world.

H.B. 300 Makes Amendments

The amendment in question can be found in HB 300.  According to a copy stored at the Texas legislature site,

Notice in the above how the words "resident of this state" are deliberately struck out and replaced by the word "individual."

Among other things, this change means that companies operating from one of the four US states without data breach notification laws (Alabama, Kentucky, New Mexico, and South Dakota) could find themselves in violation of this Texas law.  As attorney Mark Rasch notes at storefrontbacktalk.com:

...if you "conduct business" in Texas, under a new Texas law, not only must you notify Texas residents (if any) that their data has been breached, but you have to notify residents in states that have no breach disclosure laws—or face the wrath of the Lone Star state.

This means that Texas law would apply to the relationship between a retailer in Tuscaloosa and a consumer in Birmingham, AL, a retailer in Louisville and a consumer in Lexington, KY, a retailer in Albuquerque and a consumer in Santa Fe, NM, or a retailer in Sioux Falls and a consumer in Rapid City, SD.

See what he did in that last paragraph?  In every example, both the store where the breach takes place and the affected customers are in one of the four states without breach notification laws, and the only connection to the Lone Star State is that the store does business in Texas in one way or another.

In fact, Rasch goes on to point out that the new law is worded broadly enough that its effects could be global:

Under a strict reading of this statute, if the computers at Nestlé in Vevey Switzerland are hacked and the hackers obtain personal information about residents of South Korea, Nestlé—which sells candy bars in Dallas—must notify the residents of Seoul under Texas law. It is the "conduct of business" within Texas that gives rise to the jurisdiction.

No Harm Threshold Trigger

Covering the same Texas amendment, workplaceprivacyreport.com notes that "resident of this state" was not the only language removed from the new version of the Business & Commerce Code, Section 521.053.

Apparently, the harm threshold that existed before was excised as well:

A number of state data breach notification laws only require notification where illegal use of the breached personal information has occurred, or is reasonably likely to occur and that creates a risk of harm to a person.  However, under Texas’ law, notification is required only upon acquisition, without regard to a risk of harm.

A review of my previous entry on the Texas notification law shows that this is indeed the case.  Two years ago, I noted that Texas residents needed to be notified "if it's reasonable to assume that clients' sensitive personal information was acquired by an unauthorized person."

As is often pointed out, a harm threshold is like putting the fox in charge of the chicken coop.  After all, isn't it in the breached entity's interest to conclude that there is no risk of harm, since that conclusion spares it the notification?  It's good to see Texas law close the logical loophole that a harm threshold creates.

Use of Encryption Software Still Encouraged

Some things haven't changed, though.  There are no amendments eliminating the safe harbor provided by the use of strong encryption software.  In fact, if you read the rest of the bill, it appears to place extra emphasis on the use of encryption, although that part relates to the protection of health data.


Related Articles and Sites:
http://storefrontbacktalk.com/securityfraud/data-breach-laws-some-states-control-goes-far-beyond-their-borders/
http://www.workplaceprivacyreport.com/tags/personal-information/


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.