Complying with the Texas Identity Theft Enforcement and Protection Act

In today’s interconnected world where you can purchase products and services, interact with businesses, and authorize sensitive banking transactions from the comfort of your own home, it is very easy for people to leave an online footprint wherever they go. With the popularity and practicality of the internet having changed the world in the past few decades, there has been an increasing need for personal information that is shared online to be used and stored safely. One of the ways that the Lone Star State is protecting its citizens’ online information is the Texas Identity Theft Enforcement and Protection Act. RRS Partner Paul Skeith goes over what this Act includes and how your business can safely comply with it. 

The T.I.T.E.P.A. and You

This week, I’m talking about how businesses can comply with the Texas Identity Theft Enforcement and Protection Act. This law requires businesses to implement and maintain reasonable procedures to protect the sensitive personal information of their customers and employees from unauthorized use, disclosure, or destruction.

To help you remain in compliance with this Act, here are a few tips on how to safely remain within the confines of the law and avoid penalties and lawsuits. First, you need to identify what kinds of sensitive personal information your business collects, stores, or transmits. This includes any information that can be used to identify a person, such as their name, address, Social Security number, driver’s license number, bank account number, credit card number, or medical records. You also need to consider any information that can be used to access a person’s financial accounts or online accounts, such as passwords, PINs, security questions, or biometric data. 

Second, you need to implement and maintain reasonable security measures to protect this information from unauthorized access, use, disclosure, or destruction. This means you need to use tools like encryption, firewalls, and antivirus software to safeguard your data. 

Don’t Have Too Many Cooks in the Kitchen

You also need to limit access to this information to those who need it for legitimate business purposes only, and to train these employees on how to handle it properly. It is unlikely that everyone in your company will need to have access to personal customer data, so this information should only be available on a ‘need to know’ basis with the specific employees who require access as part of their duties. This might include management, I.T. professionals, or client services. You should also have a written policy for disposing of this information securely when it’s no longer needed.

Third, you will need to notify all affected individuals if you discover a security breach. The Act states that businesses must notify the affected persons as soon as possible, no later than 60 days after the breach is discovered. Businesses must also notify the Texas Attorney General within the same 60-day timeframe if the breach in question affects at least 250 Texas residents. Information must be provided regarding the nature and extent of the breach, including the measures you have taken to mitigate harm and the contact information for your business, so that customers and officials can follow up for news and updates. 

Protecting Your Customers Also Protects Yourself

The Texas Identity Theft Enforcement and Protection Act is complicated, and these tips don’t necessarily cover all possible scenarios, but they are a good first step towards protecting your customers, your employees, and your business’s reputation. If you need assistance regarding the storage and protection of your customers’ data – or have questions regarding breach enforcement or related legal issues – Richards Rodriguez & Skeith’s Business & Transactional Law team may be able to help you! Contact us today for more information!