The Texas Data Privacy and Security Act: What You Need to Know

Texas Data Privacy and Security Act

How it affects you even if you’re not a Texan

Recent Data Breaches In Texas

Tyler, TX, January 2024: UT Health Tyler announced that a ransomware incident in November 2023 exposed patient contact information, claims information and medical treatment information. A spokesperson said the organization was taking steps to improve its cybersecurity. UT Health East Texas operates ten hospitals, 50 clinics and an ambulance service, employs 5,700 people and posts $880 million in annual revenue.

San Antonio, TX, June 2023: The Texas Attorney General is investigating a data breach at USAA that compromised personal data, including bank account information, of 2,700 customers. USAA is a San Antonio-based banking company. It said it had blocked the unauthorized access and was monitoring the affected accounts.

In January 2022, the Texas Department of Insurance disclosed a data breach that exposed personal information on 1.8 million Texans. An audit found a programming error in a web application that left a part of the system that was supposed to be protected reachable from the public internet. The flaw had been in production for almost three years (March 2019 to January 2022) before it was fixed and a public announcement made. TDI could not determine whether anyone actually accessed the data, but it could not rule it out either.

Dallas-based AT&T disclosed in July 2024 that an internal investigation had found that records of phone calls and text messages from May 1 to October 31, 2022, and, for a "very small" number of customers, from January 2, 2023, had been taken from a third-party cloud platform. AT&T's notice stressed that the records did not include the content of calls or texts, nor names or other personal information, and pointed out that there are other ways to find a person's phone number online. Put less delicately: call and text metadata, including which numbers customers communicated with and how often, was stolen for nearly all of AT&T's wireless customers, and a phone number is easily tied back to a name. AT&T acknowledged that the compromised cloud database was protected only by a username and password, with no multi-factor authentication. Got lawsuit?

Everything Is Bigger In Texas, Including Data Breach Impacts

Texas is BIG. It is number two in the country in both area and population, and number three among the states in number of reported breaches. With that size comes a lot of businesses and a lot of collected data. Breaches have hit Texas organizations in government, healthcare, oil and gas, financial services, food, automotive and airlines. Between 2005 and 2020, Texas reported 819 major data breaches affecting 295 million people.

Overview of the Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (TDPSA), signed into law in 2023 as HB 4, took effect on July 1, 2024. It regulates how businesses collect, use and protect the personal data of Texas residents, and it represents a significant shift in how businesses handle that data, with the stated aims of bolstering cybersecurity and protecting citizens' privacy.

As with just about any new law, there are some sticking points. Some have expressed concern over enforcement, compliance and the costs of implementation.

Enforcement and Penalties

The TDPSA does not allow private individuals to sue. Instead, enforcement is exclusively granted to the Texas Attorney General. Violations of the law can result in civil penalties of up to $7,500 per violation, similar to privacy laws in other states. This approach differs from laws that allow individual consumers to directly sue companies for privacy violations.

Compliance Challenges

Companies had until July 1, 2024, to comply with the TDPSA's provisions; the requirement to honor universal opt-out signals (such as the Global Privacy Control browser setting) takes effect January 1, 2025. Businesses already subject to other state privacy laws have a head start, but the TDPSA's applicability test is broader than most, so it may reach companies those laws do not. Meeting the Act's requirements, especially for companies operating across multiple states, may require changes to operations, data handling and cybersecurity practices.

Costs and Implementation

Texas will allocate approximately $5.5 million to implement the law initially, followed by just under $2 million annually.  Businesses must invest in privacy infrastructure, staff training, and legal expertise to meet the Act’s obligations.

Key Provisions of the Act

Scope and Applicability of TDPSA

The act protects Texas residents acting in an individual or household context (not as employees or in a business-to-business capacity) and binds businesses that process their personal data, including health-related sensitive data. It gives Texans more control over their personal data and creates new data protection obligations for businesses whose products or services are used by Texas residents.

TDPSA’s consumer provisions fall chiefly into these categories:

  • Access: Texas residents have the right to confirm whether a company is processing their personal data, to access it, and to obtain a copy in a portable and readily usable format.
  • Correction: They can correct inaccuracies in their personal data.
  • Deletion: Consumers can request the deletion of personal data provided by them or obtained about them.
  • Opt-Out: Residents can opt out of processing of their personal data for targeted advertising, the sale of personal data, or profiling that feeds decisions with legal or similarly significant effects (e.g., financial and lending services, housing, insurance, education, employment, health care).

Businesses (controllers), with the help of the processors that handle data on their behalf, must respond to consumer requests to access, correct or delete their personal data within 45 days, extendable once by another 45 days with notice to the consumer. They must publish a clear privacy notice with the required disclosures and, where they sell personal data or use it for targeted advertising, a conspicuous way to opt out.

Business Obligations and Compliance

The TDPSA applies to any person or entity that meets all of the following criteria:

  • Conducts business in Texas or provides products or services that are "consumed" by residents of Texas: this "consumed" language is unique to the TDPSA and may reach further than the "targeted to residents" wording in other state laws.
  • Processes or sells any amount of personal data: unlike many other state privacy laws, the TDPSA has no threshold based on a business's revenue or on the number of consumers whose data it processes.
  • Is not a small business as defined by the U.S. Small Business Administration (SBA): the SBA definition generally covers companies with fewer than 500 employees, but the specific threshold varies widely by industry and for some industries is based on annual receipts rather than headcount.

Sensitive Data

Personal data, as you might guess, is any information linked or reasonably linkable to an identified or identifiable individual: name, address, phone number, SSN and the like (de-identified and publicly available information are excluded). The act singles out a subset as sensitive data: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data processed to uniquely identify a person, personal data collected from a known child, and precise geolocation data. Processing sensitive data requires the consumer's consent, and a business that sells sensitive data must post the statement "NOTICE: We may sell your sensitive personal data." in its privacy notice.

Exceptions

Small businesses, as defined by the U.S. Small Business Administration, are exempt from the act's obligations, with one exception: even a small business may not sell sensitive personal data without the consumer's prior consent.

Other exemptions cover state agencies and political subdivisions of Texas, financial institutions subject to the Gramm-Leach-Bliley Act, HIPAA covered entities and business associates, nonprofit organizations, institutions of higher education, and electric utilities, power generation companies and retail electric providers.

Penalties

If the Texas Attorney General finds a TDPSA violation, the business receives written notice and has 30 days to cure the violation and provide a written statement that it has done so. A business that does not cure within the 30-day period faces civil penalties of up to $7,500 per violation, and the Attorney General may also seek an injunction.

Businesses Must Prepare For Consumer Privacy Requests

In spite of the potential objections noted above, this is a good thing. Texas is one of a growing number of states attempting to address the serious issues around protecting the relatively new commodity of data. The European Union's General Data Protection Regulation (GDPR) has applied since May 2018. It sets rules for the collection and processing of personal data of people in the EU and binds organizations both inside and outside the EU that handle that data. Since then, other jurisdictions, including US states, have followed with their own laws and regulations to protect consumer privacy and security.

Perhaps unsurprisingly, there has been an uptick in companies providing cybersecurity and data services to companies seeking to comply with the new legislation.  

Because businesses could face a wave of requests from consumers exercising their data privacy rights, they should determine now whether the TDPSA applies to them and be prepared to respond to those requests within the statutory deadlines. Since many other states are also enacting data privacy laws, businesses that operate in multiple states should implement a systematic approach to data privacy compliance rather than handling each state's law separately.

If you represent a business that captures client or patient data be aware that there may be additional requirements if those individuals have a Texas address. I’m not a lawyer. Talk to one who specializes in data security and privacy laws.

As the BI space evolves, organizations must take into account the bottom line of amassing analytics assets.
The more assets you have, the greater the cost to your business. There are the hard costs of keeping redundant assets, i.e., cloud or server capacity. Accumulating multiple versions of the same visualization not only takes up space; BI vendors are also moving to capacity pricing, so companies now pay more if they have more dashboards, apps and reports. Earlier, we spoke about dependencies. Keeping redundant assets increases the number of dependencies and therefore the complexity, and that too comes with a price tag.
The implications of asset failures differ, and the business’s repercussions can be minimal or drastic.
Different industries have distinct regulatory requirements to meet. The impact may be minimal if an end-of-year close report used by the sales or marketing department has a mislabeled column. On the other hand, if a healthcare or financial report does not meet the needs of a HIPAA or SOX compliance report, the company and its C-level suite may face severe penalties and reputational damage. Another example is a report that is shared externally: during an update of the report specs, row-level security was incorrectly applied, giving people access to personal information they should not have seen.
The complexity of assets influences their likelihood of encountering issues.
The last thing a business wants is for a report or app to fail at a crucial moment. If you know a report is complex and has a lot of dependencies, then the probability of failure caused by IT changes is high, and a change request should take that into account. Dependency graphs become important. If it is a straightforward sales report that lists notes by salesperson and by account, changes do not have the same impact, even if the report fails. BI operations should treat these two kinds of reports differently during change.
Not all reports and dashboards fail the same; some reports may lag, definitions might change, or data accuracy and relevance could wane. Understanding these variations aids in better risk anticipation.

Marketing uses several reports for its campaigns – standard analytic assets often delivered through marketing tools. Finance has very complex reports converted from Excel to BI tools while incorporating different consolidation rules. The marketing reports have a different failure mode than the financial reports. They, therefore, need to be managed differently.

It’s time for the company’s monthly business review. The marketing department proceeds to report on leads acquired per salesperson. Unfortunately, half the team has left the organization, and the data fails to load accurately. While this is an inconvenience for the marketing group, it isn’t detrimental to the business. However, a failure in financial reporting for a human resources consulting firm with thousands of contractors, containing critical and complex calculations about sickness, fees, hours, etc., has major implications and needs to be managed differently.

Acknowledging that assets transition through distinct phases allows for effective management decisions at each stage. As new visualizations are released, the information leads to broad use and adoption.
Think back to the start of the pandemic. COVID dashboards were quickly put together and released to the business, showing pertinent information: how the virus was spreading, which demographics were affected, the impact on the business, the risks, and so on. At the time, it was relevant and served its purpose. As we moved past the pandemic, COVID-specific information became obsolete, and the reporting was folded into regular HR reporting.
Reports and dashboards are crafted to deliver valuable insights for stakeholders. Over time, though, the worth of assets changes.
When a company opens its first store in a certain area, there are many elements it needs to understand – other stores in the area, traffic patterns, pricing of products, what products to sell, etc. Once the store is operational for some time, specifics are not as important, and it can adopt the standard reporting. The tailor-made analytic assets become irrelevant and no longer add value to the store manager.