AUSTIN (Nexstar) — Updated rules have taken effect for Texas businesses to follow in situations when customer information is compromised.
House Bill 4390 requires businesses to notify customers of data breaches within 60 days. Previously, state law only required a notification in a timely manner.
State Rep. Giovanni Capriglione, R-Southlake, authored the bill, which was signed into law this year and took effect Sept. 1.
“What my bill aims to do is to provide a little bit more regulation — a little bit more oversight — into the information that’s being collected on us, about us, every single day, without our knowledge, a lot of times without our permission,” Capriglione said in an April committee hearing when he laid out the bill.
If more than 200 people are affected by a breach, business owners will need to inform the state attorney general’s office.
“This statute and the rules to implement it not only provide for customer privacy, but also to the safeguarding of consumer information,” Stephen Scurlock, Director of Government Relations for the Independent Bankers Association of Texas, said during the hearing.
Capriglione originally wanted the law to include a provision to require companies to “develop, implement, and maintain a comprehensive data security program that contains administrative, technical, and physical safeguards for personal identifying information.” Tech companies pushed back, arguing it would cost some businesses too much to put that in place.
“(Laws like this are) more likely to result in significant compliance costs and stifled innovation, rather than improving consumer safety,” Sarah Matz, senior director of State Government Affairs for the Computing Technology Industry Association, said in that April committee meeting.
The legislation also establishes a Texas Privacy Protection Advisory Council to study the state’s privacy laws and make recommendations to lawmakers.
“There’s laws already in place for lots of internet dealings, yet the breaches still occur, yet people still go unpunished,” Dr. Michael MacLeod, who has more than three decades of experience in information technology and cybersecurity, said.
MacLeod, now a professor at Austin Community College, said vulnerabilities boil down to money.
“My dealings with companies, whether they be state, public, or private, it’s always been the money, not investing the money in the security systems that are necessary to protect the data,” he explained.
MacLeod suggested deleting e-mail if you don’t recognize the sender or subject.
“I can’t tell you the number of emails I’ve gotten saying I won the lottery in Barbados. Never been there,” he joked.
He also recommended shredding physical mail that could have personal information on it.
“How many ads do you get, how many flyers do you get, credit card offers do you get? Don’t just recycle them,” he mentioned. “You have to shred that because I’ve watched people open the envelope and they take the offer out but yet they leave the envelope in the return envelope. All I need is the return envelope (and) because it has the code number on the back of it, I can now open a credit card in that person’s name. The snail mail is just as dangerous as the email if it is not properly disposed of.”
Reached by phone Thursday, Capriglione said the members of the new advisory council should be selected and announced within a couple of months.