What You Need to Know About the Texas Data Breach Notification Law
In March the Texas House of Representatives introduced two new bills pertaining to consumer privacy and data protection: HB 4518, cited as the Texas Consumer Privacy Act (TXCPA), and HB 4390, cited as the Texas Privacy Protection Act (TXPPA). The two Texas data breach notification laws are similar, and both were designed to improve consumer privacy and data protection.
The bills follow the trend of similar laws recently ratified in California, Washington, and Massachusetts. The following is what you need to know about both bills and how to prepare for the Texas data breach notification laws.
What is the Texas Consumer Privacy Act (TXCPA)?
Similar to California’s Consumer Privacy Act, also known as AB375, the Texas data breach notification laws will apply to companies that do business and collect consumer data in Texas and have a gross annual revenue in excess of $25 million. Companies that buy, sell or receive the personal information of 50,000 or more Texas consumers, households or devices, or that derive 50% or more of their annual revenue from selling Texas consumers’ personally identifiable information (PII), must also comply.
Like the California data breach notification law, the Texas Consumer Privacy Act empowers the state Attorney General to enforce the requirements as needed. Consumer rights that make up the legislation include:
- The right to request disclosure of the PII businesses are collecting, including the source of the information, the purpose of collection and how it is being shared
- The right to have PII deleted with some business exceptions
- The right to know if PII has been sold, to whom it was sold, and to opt out of the future sale of personal information
- The requirement of businesses to disclose the type and purpose of PII being collected prior to collection
If passed, the Texas Consumer Privacy Act goes into effect on September 1, 2020. Violations come with a minimum penalty of $2,500 per violation and rise to $7,500 for violations deemed intentional by the Texas Attorney General.
What Is the Texas Privacy Protection Act (TXPPA)?
The Texas Consumer Privacy Act gives consumers control over the collection and use of their personal information. The Privacy Protection Act seeks to govern the processing and retention of PII in an effort to further mitigate consumer risk.
The bills share some similarities. The types of businesses governed by both Texas data breach notification laws are the same, and both bills empower the Texas Attorney General to enforce the requirements as he or she sees fit. Both bills also require businesses to disclose how personal information is collected and used prior to personal information being collected.
Beyond the similarities the Texas Privacy Protection Act includes these unique requirements:
- Protection of data that is collected via the Internet, digital network, or end-user device
- Consent from the individual concerned before their PII is processed
- Development and implementation of data security and accountability to ensure compliance with all the requirements set forth by the bill
- Ceasing collection and processing of personal identifying information within 30 days of an individual closing his or her account, unless additional retention periods are required by law
If passed, the Texas Privacy Protection Act will take effect on September 1, 2019, and carry a penalty of $10,000 per violation with a maximum penalty of $1 million.
How to be prepared for Texas data breach notification law with CSPi
Now is the time to prepare for this pair of Texas data breach notification laws. With the Privacy Protection Act likely to take effect later this year, you’ll need to focus first on updating your organization’s current data security and incident response plan, not only to make sure you know what precautions and remediation actions to take, but also to satisfy the compliance requirements set forth by the bills.
It is also likely that you will need to get more effectiveness out of your existing network and data security tools, such as firewalls, UEBA systems, or IDS. One of the main concerns with not only meeting but also proving compliance with industry regulations using existing security tools is the complexity of setting them up and managing them. Additionally, most security tools are still largely focused on the perimeter (traffic moving in and out of your network) and on endpoint protection.
Looking at the largest and most costly intrusions, such as Saks, Wendy’s or the city of Atlanta, these data breaches originated inside the network, and once inside, the malicious actors were able to move about freely, exfiltrating data or, in other cases, locking out legitimate users.
Considering that 80% of internal network traffic goes unmonitored, as noted in a recent Forrester report, this creates a big blind spot: existing security tools cannot perform effective or accurate threat detection or prevention on traffic they never see.
Our ARIA Software-Defined Security (SDS) solution works with your existing security tools to help make them more effective by providing better, more relevant insights into network traffic. With ARIA SDS, all data traffic associated with your critical assets is monitored as it moves through the network, including laterally moving (east-west) traffic. As directed, either programmatically or by security staff, either full packets or unsampled NetFlow metadata for specified traffic can be sent to the security tool of your choosing. Using these enhanced network insights, threat analytics tools can more easily identify and focus on the intrusions that matter.
In addition, for full data protection, ARIA KMS generates and manages encryption keys at a rate of up to thousands per minute, enough to handle transactions at the data and application level. This means that data is protected not only while at rest, but also while it is used within applications or generated by them.
Our Myricom nVoy Series pairs seamlessly with ARIA, integrates with existing security tools such as Cisco Firepower or FortiGate, and records specified traffic flows at the packet level. This data is used to identify breaches, support notification, and provide the reporting needed to prove compliance with regulations like the new Texas data breach notification law. With full line-rate packet capture, zero packet loss and highly accurate timestamping, this technology provides the data needed for complete visibility into all conversations between devices, enabling a complete analysis of any possible breach and its effect on critical data, such as PII or PHI.
With CSPi’s ARIA SDS solution, companies can achieve not only accelerated incident response and enhanced network security but also enterprise-wide data protection. To learn more about how our solutions can help you meet compliance with the Texas data breach notification law, visit www.cspi.com.
Want to learn more about complying with new and emerging state regulations? Download our Data Privacy Regulations eBook today.
CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights.
CSPi’s ARIA SDS platform uses a simple, automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, whether it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring, enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters.