Data Breach? Your Obligations under the Texas Identity Theft Enforcement and Protection Act

Illustration by attorney Christopher Elam

For any business – big or small – customer confidence is critical for success in today’s competitive marketplace.  But in the event your company’s security is breached and consumer information is stolen, you may have a legal obligation to notify your customers.  Admitting a data breach can be embarrassing, but failure to comply with the law can be devastating to your reputation and your bottom line. 

The Texas Identity Theft Enforcement and Protection Act

The Texas Identity Theft Enforcement and Protection Act (Tex. Bus. & Com. Code §§ 521.001 et seq.) applies to anyone who conducts business in Texas and “owns or licenses computerized data that includes sensitive personal information.” Texas businesses are required under the Act to protect the sensitive personal information of their staff and customers. As used in the Act, the term “sensitive personal information” includes unencrypted identifying information, such as an individual’s name in combination with other information, such as a social security number, driver’s license number, or credit card information. The term also includes an individual’s health care information.

The Act requires you to notify the affected individuals as soon as possible after you discover or reasonably believe that there has been a data breach.  A data breach isn’t just limited to your computer systems being hacked – the Act’s notification requirements could also be triggered if, for example, an unscrupulous employee steals a customer’s credit card information, or if a customer using your website receives another customer’s information as a result of a coding error.  If the data breach affects more than 10,000 individuals, you must also report the incident to consumer reporting agencies.

The Penalties

The penalties for not complying with the notification requirements can be steep.  For each violation, the State of Texas can impose a civil penalty of anywhere between $2,000 and $50,000.  Plus, for every person that should have received notification of the data breach but did not, there’s an additional penalty of up to $100 per person.  If you fail to react appropriately to an extensive data breach, you could be on the hook for up to $250,000 in fines alone.  Although individuals themselves cannot bring a lawsuit to enforce the law, the Texas Attorney General may bring an action to recover the penalties and may even seek an injunction.  The Attorney General is also entitled to recover reasonable expenses, including attorney’s fees, court costs, and investigatory costs.

If your business collects or maintains the sensitive personal information of its customers, such as credit card information or healthcare information, you need to take extra precautions to collect, store, and secure that data properly. If you have experienced a data breach, or even if you suspect one has occurred, we strongly recommend seeking the advice of an experienced attorney to help you avoid the perils of an inadequate response.


Christopher Elam is a senior associate attorney at Farrow-Gillespie Heath Witter LLP. Mr. Elam has experience in business transactions, corporate governance, trademarks and real estate transactions, as well as mergers and acquisitions. He graduated from SMU Dedman School of Law in 2010.

Copyright 2018 Farrow-Gillespie Heath Witter LLP