In Texas, businesses have to “implement and maintain reasonable procedures, including taking any appropriate corrective action” to protect sensitive personal information. However, that law—section 521.052 of the Texas Business and Commerce Code—does not reveal what “reasonable procedures” and “appropriate corrective action” might be. Instead, Texas law provides fragments of statutes scattered across several different codes that, taken together, offer clues to businesses about how they should prevent, or respond to, data breaches. Even those fragments, though, don’t quite add up to a comprehensive and detailed statutory scheme. Indeed, Texas law does not provide businesses all the information they would need in order to develop reliable, legally compliant data breach protection procedures. The federal government and other states, though, do identify practices that could fill in some of the gaps that Texas law currently leaves open. Texas courts might endorse those practices one day, and Texas law might adopt them, but, even if that doesn’t happen, the policies and laws from other states and the federal government do offer businesses examples of what Texas could require, relieving businesses of at least some of the guesswork in developing data breach procedures.
Texas law, federal policy, state statutes, and state court decisions each constitute a link in a chain that businesses can use to secure their data, and lock down their data security procedures. Creating a single, strong chain of data security from all the different links is not a simple matter, though. It is something of an art — the Art of Data Breach Response and Protection.
Perhaps the most important link in businesses’ data security chain is federal law. Several state courts have ruled that federal data privacy laws impose duties on businesses under state law, even when the federal laws do not provide causes of action or create liability under federal law. For example, a Connecticut state court recently found that HIPAA, the federal medical privacy statute, establishes the duty that is owed by a healthcare provider to its patients to protect their medical records from unauthorized disclosure, in a cause of action brought under state law. Byrne v. Avery Center for Obstetrics and Gynecology, 102 A.3d 32, 49 (Conn. 2014). The Connecticut decision followed an Indiana opinion which held that employers can be held responsible, in a lawsuit in state court, for their employees’ HIPAA violations. Walgreen Co. v. Hinchy, No. 49A02-1311-CT-950 (Ind. App. Ct., Nov. 14, 2014).
Federal regulators have also identified data breach prevention practices that businesses should adopt. For example, the Federal Trade Commission has identified dozens of data security practices that businesses could include in their data protection protocols, like declining to store personal information that the businesses don’t really need; limiting remote access and administrative access to sensitive personal data; requiring the use of complex passwords, and restricting ways to bypass passwords; segmenting networks that could transmit sensitive personal data; requiring secure authentication credentials and diligent oversight of third party service providers; and responding to credible security threats.
Similarly, the White House is in the process of developing a framework for identifying cybersecurity best practices in all industries that are connected to “critical infrastructure,” which include electronic networks and systems that, if damaged or destroyed, would threaten national safety, health, and economic security. The framework will require federal agencies to report ineffective data protection procedures to the Office of Management and Budget. Those reports will likely form the bases of regulations that will require businesses in industries that are part of critical national economic infrastructure—like health care, transportation, construction, and information technology—to adopt federal cybersecurity best practices.
States, too, are identifying cybersecurity procedures and activities for businesses. To see what other jurisdictions are doing, take a look at our survey of data breach notification laws in states and U.S. Territories. Perhaps the most important state data protection scheme is that of Massachusetts, which requires businesses to have an information security plan that includes, among other things, designation of the individuals who will oversee and maintain the security plan; analysis of the reasonably foreseeable risks to personal information; employee training on the security plan; provisions for secure storage of paper materials and electronic records; regular updating of virus protection programs; oversight of third-party service providers; annual review of the security plan; and documentation of responses to any data breach.
The Massachusetts statute is probably the most admired data security legal regime of all states, so its requirements influence the requirements of other states. Toward a Global Cybersecurity Standard of Care? . . . Shaping National and International Cybersecurity Practices, 50 Tex. Int’l L.J. 305, 325-326 (2015). Because Massachusetts data security laws are held in such high esteem by data security experts, they could inform future decisions of Texas regulators and courts, and businesses should seriously consider adopting them.
Then, there’s Texas. Some of the responses businesses should adopt are prudent, but not legally required. Others, though, are legally required, and figuring out what, exactly, Texas law mandates can be challenging. The Business and Commerce Code, of course, requires “reasonable procedures” and “appropriate action.” Title 11 of the Code also imposes highly specific restrictions on the use of social security numbers and drivers’ licenses, biometric identifiers, financial information, vehicle accident information, and even zip codes. Some of those restrictions may look like they wouldn’t apply to sophisticated electronic data breach control systems, but they might. For example, section 502.001 requires bar and restaurant owners to post a sign informing patrons that it is a crime to obtain or use credit card information without consent. A court might reason that the principles underlying the section 502.001 requirement would inform a “reasonable procedure” for businesses that maintain electronic records of credit card information, and require those businesses to inform consumers that their credit card information must not be obtained or used without consent.
On the other hand, some provisions that apply to individuals are expressly inapplicable to businesses. For example, chapter 32 of the Texas Penal Code provides that obtaining the personal identifying information of someone with the intent to harm that person is a felony, and that a person who has the personal identifying information of three or more other people is legally presumed to intend to harm those people, but a business that holds that information about three or more people is not presumed to be intending to harm those people. Also keep in mind that Texas law exempts some businesses from the requirements of certain privacy protection statutes. Section 501.051 of the Business and Commerce Code, for example, specifically provides that the portions of Title 11 that deal with the protection of social security numbers and drivers’ licenses do not apply to businesses that are required to maintain privacy policies under HIPAA. Consequently, businesses should examine fragments of Texas law that have to do with data security even if they are not, like section 521.052 of the Business and Commerce Code, under the heading “Business Duty to Protect Sensitive Personal Information,” but businesses should also be aware that those fragments are not necessarily binding on them.
Nevertheless, like the statutes of other states, and the policies of federal agencies, those pieces of Texas law could help businesses develop practices that are better than what Texas law currently requires and, because they are better, they could help shield businesses from future liability. Businesses, therefore, need to be able and willing to consider joining every link in the chain. They should be aware that not all links—which is to say, not all statutes, regulations, and policies that prescribe a data security practice—are necessary, and that some might weaken the chain, and should be discarded; but that all should be carefully examined. Many of those links could, if joined with the other links, strengthen the chain.