
Techlaw eAlert
March 3, 2009

Offices

Austin
100 Congress Avenue
Suite 1100
Austin, Texas  78701

Dallas
901 Main Street
Suite 6000
Dallas, TX  75202

Fort Worth
301 Commerce Street
Suite 2400
Fort Worth, Texas  76102

Houston
1401 McKinney Street
Suite 1900
Houston, Texas  77010

San Angelo
301 W. Beauregard Avenue
Suite 200
San Angelo, Texas  76903

San Antonio
112 E. Pecan Street
Suite 2400
San Antonio, Texas  78205

Privacy and Security Developments in Austin Could Impact Your Business:

An Overview of the Texas 81st Legislative Session

By: Stephanie Chandler and Jason Whitney

As the number of identity theft cases continues to rise and those stealing sensitive personal information mount increasingly sophisticated attacks, legislatures around the nation are attempting to craft solutions that will reduce or eliminate the risk of information loss. One common feature of these new laws is a broad approach to protection of sensitive personal information.

In particular, many of the new bills and laws aggressively target not only those who wrongfully take and use sensitive information, but also those who put sensitive information at risk by failing to adequately protect the information. The Texas Legislature is no exception to this trend with five privacy and security bills already introduced. Like legislation across the country, the Texas bills take aim at both the information thieves and the businesses that keep and use sensitive information. If you are like most businesses that have learned that the data you accumulate can be leveraged to enhance customer and partner relationships, you should continue to watch developments.

Anti-Botnets

SB 28, introduced by Senator Judith Zaffirini, makes it illegal to use botnets in Texas. Under the bill, botnets consist of collections of zombie computers which have been compromised to give unauthorized access or control to some program or person. SB 28 prohibits the knowing creation of, access to, and use of zombies and botnets for any purpose not authorized by the owner or operator of the computer, including sending spam e-mail, launching network attacks, and collecting personally identifiable information. In addition, the bill also prohibits the rental, lease, or sale of a botnet or zombie as well as the knowing provision of assistance to a person violating the anti-botnet provisions. SB 28 creates a cause of action that may be brought by Internet Service Providers, businesses that incur losses or disruption, or the Texas Attorney General. The bill allows a generous recovery to plaintiffs, including minimum statutory damages of $100,000 per violation or for each zombie computer used; treble damages if the violations constitute a "pattern or practice;" and reasonable attorneys' fees, experts' fees, and other litigation costs.

SB 28 is clearly directed towards those who steal sensitive information, rather than those who create a risk of sensitive information loss. For example, SB 28 does not create liability for individuals who increase the risk of a security compromise by failing to properly maintain and update their computers. Of potential concern for business owners, SB 28 does not provide a "Good Samaritan" exception for individuals who use a botnet for purposes of patching security holes and disabling the botnet. Additionally, if your staff has written programs – even with a valuable business purpose – which collect data from third party sites, there is a concern that such a program may violate the law. The law could also provide added protection to sites that make data available and that desire to prevent third parties from collecting that data and devaluing the company's efforts.

Payment Card Security Standards

SB 327/HB 345, introduced by Senator Leticia Van de Putte in the Texas Senate and Representative Gary Elkins in the Texas House, seeks to increase the duty of businesses to protect sensitive personal information. The bill leaves intact the general requirement that businesses must "implement and maintain reasonable procedures" to protect sensitive personal information from unlawful use or disclosure. In addition to the general requirement, however, the bill also requires businesses that collect or store sensitive personal information from access devices (i.e. credit cards, debit cards, or other cards issued by financial institutions) to "comply with the payment card industry data security standards." A business may be liable if it suffers a security breach and, at the time of the breach, the business was not in compliance with the industry security standards. As an enforcement mechanism, the bill creates a private cause of action for violations in favor of financial institutions that suffer losses. The financial institution, if it prevails in the action, recovers actual damages as well as mandatory attorneys' fees and costs. For those businesses that hire third parties to keep sensitive information, SB 327/HB 345 creates a presumption of compliance under certain circumstances. The presumption applies to businesses that (i) use third parties to collect or store the sensitive personal information, (ii) require the third parties to offer proof of or attest to compliance with industry standards, and (iii) contractually require compliance with industry standards.

SB 327/HB 345 aims to force businesses that keep sensitive financial information to elevate their security standards to equal those in the payment card industry. Liability only arises in the event of actual damages to a financial institution; however, the mandatory award of attorneys' fees to the prevailing party makes the total liability significant even with small actual damages. As to the presumption of compliance, it is unclear how much protection will be afforded—if any—when the financial institution can rebut the presumption by showing that the third party violated the statutory provisions.

Here at Jackson Walker, we regularly assist clients in complying with these standards. Please let us know if we can assist you in interpreting the payment card industry standards. While the standards do not provide a clear definition of what is required, we recommend complying if you want to offer your customers assurance that you are utilizing best practices in the area of securing their data.

Use of Driver's License/Social Security Numbers

HB 521/523, introduced by Representative Helen Giddings, would modify the Texas Business and Commerce Code to prohibit the printing of an individual's driver's license or social security number on a receipt or other payment document provided to an individual. The bill provides that the state attorney general or a county prosecuting attorney may bring a cause of action for a violation.

Although seemingly insignificant, these new bills have a potentially broad-reaching effect. For example, businesses that require a driver's license number to accept personal checks might fall afoul of the provisions. Although personal checks are not traditionally returned to the individual after payment, more and more stores are transmitting checks electronically. Electronically transmitted checks are often returned to the individual at the time of payment. An electronically transmitted check containing the individual's driver's license number, which is returned to the individual after purchase, might violate the proposed statute.

Sale of Consumer Financial Information

SB 163, introduced by Senator Rodney Ellis, adds a new chapter to the Texas Finance Code concerning the sale of a consumer's financial information. The bill prohibits financial institutions from selling a consumer's financial information to another person unless the sale is authorized by the consumer as provided in the bill. The bill does permit sale without consumer authorization to affiliates of the financial institution and to other financial institutions when notification of the sale occurs under the Gramm-Leach-Bliley Act. Under SB 163, financial institutions must provide notice to consumers of the financial information sale restriction unless the financial institution does not sell consumer financial information to other persons. Consumers may grant and withdraw permission at any time. For joint consumers, the financial institution may send notice to only one of the joint consumers, and an authorization from one consumer serves as authorization for all consumers as to the joint financial product. Under the bill, financial institutions cannot require authorization from consumers as a prerequisite for doing business. SB 163 creates a consumer cause of action for intentional violations, with minimum liability of $1,000.

SB 163 institutes an "opt-in" rule in Texas to protect consumer financial information from unauthorized sale to other persons. Under an opt-in rule, the sale of financial information may not occur unless the consumer provides consent. Although the use of an opt-in rule is novel in Texas, SB 163 is not the first piece of legislation to address the sale of consumer financial information. In particular, the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act both address some of the same issues as SB 163, and these federal Acts may actually pre-empt some of the provisions in SB 163.

Transmission of Sensitive Personal Information

SB 962, also introduced by Senator Rodney Ellis, amends the Business & Commerce Code to prohibit businesses from electronically transmitting customers' sensitive personal information outside the businesses' secure "computer-based information system" without encryption. SB 962 does not specify the exact level of encryption required, but calls for an "algorithmic process...to convert data into a form in which meaning cannot be assigned without the use of a key or other confidential process." SB 962 does not include its own definition of sensitive personal information, but the term is defined in the Code to mean an individual's first name or first initial and last name in combination with their social security number, driver's license number, or government-issued identification number, or an account number or credit or debit card number when transmitted with their security code, access code, or password.

SB 962 takes aim at businesses putting information at risk by broadly prohibiting the transmission of unencrypted sensitive personal information. A likely source of violations will be documents transmitted via email, since email is commonly used to transmit documents but generally lacks encryption. Thus, the new law could affect large numbers of businesses that might email unencrypted documents containing sensitive personal information to clients and customers. For example, will and trust documents from lawyers and tax documents from accountants could all contain sensitive personal information, and retail stores may transmit this type of information in response to billing inquiries. If these documents were transmitted via email without encryption, the business would likely be in violation of SB 962.

If you have interest in the status of any of the currently proposed legislation or if you would like assistance with establishing best practices in securing your customers' information or in addressing concerns about privacy issues in the marketplace, please do not hesitate to contact Stephanie Chandler, who serves on the Privacy and Security subcommittee of the eCommerce committee of the State Bar of Texas, or Jason Whitney.

Stephanie Chandler – 210.978.7704 – schandler@jw.com

Jason Whitney – 210.978.7784 – jwhitney@jw.com
