Texas weighed in on the privacy front this month in the form of two separate privacy bills, H.B. 4518 and H.B. 4390. While the first closely resembles the language of the privacy acts of other states, the second sets itself apart by obligating Texas businesses to develop, implement, and maintain a comprehensive data security program. This includes the maintenance of an accountability program and management of third-party vendors.
Entitled the Texas Privacy Protection Act, H.B. 4390 would apply to any business that does business in Texas, has more than fifty employees, collects the personal identifying information (“PII”) of at least 5000 individuals, and either has gross revenue of over $25 million or derives at least 50% of its revenue from processing of PII.
Specifically, Section 541.053 of H.B. 4390 obligates a business to develop, implement, and maintain a comprehensive data security program that contains administrative, technical, and physical safeguards for PII. Those safeguards must be documented by the business and must be appropriate in consideration of the size and complexity of the business as well as the nature and scope of the business’s activities taking into account the sensitivity of the PII.
The Act further calls for an accountability program to ensure compliance, complete with internal publication of written policies and procedures. That includes a process for identifying, assessing, and mitigating any reasonably foreseeable privacy risk, as well as an annual assessment of said program and its supporting policies and procedures.
Included in the Act is the requirement to implement a cyber incident response program with methods and procedures for responding to data breaches. The use of the term “procedures” in the language is particularly interesting, and warrants further discussion. I have written before about the importance of procedures within an incident response plan.
Businesses must impose the data security obligations on third-party vendors and annually obtain verification that they are in compliance. Third parties also must implement a like accountability program.
Failure to comply with the Act exposes a business to a civil penalty of up to $10,000 per violation and $1 million in the aggregate.
Both privacy bills were introduced on March 8, 2019. H.B. 4518 has a target effect date of September 1, 2020, while H.B. 4390 would start on September 1, 2019.
Each month, dozens of cybersecurity bills are proposed in state legislatures. The writing is clearly on the wall. Companies should carefully consider their information security program in view of the changing landscape.
 See, e.g., Hawaii, Maryland, Massachusetts, Mississippi, New Mexico, New York, North Dakota, Rhode Island, and, of course, California.