If you lose a database with personal information of residents of different states, what state law or laws apply when it comes to notifying those people of the breach?
Texas changed its breach notification law last week and those changes shine a light on this question. Texas broadened its breach notice law, making it applicable to any and all persons regardless of state residency. The law even says that if you’re a Texas company and lose a multi-state database of personal information, you’re good if you just notify in accordance with Texas law.
This article describes recent changes in Texas breach notice law, describe what privacy professionals are doing with multi-state breaches, and ultimately answer the question above.
The amendment does three things:
1) Removes the qualifier that Texas breach law only applies to Texas residents and affected resident of states without a breach notification regulation. Texas breach notification law now applies to everyone regardless of state of residence and regardless of whether a state has breach notification laws.
2) Gives Texas entities the choice of reporting under Texas law or the law of an affected person’s state of residence. This way a Texas entity need not research other state laws in order to comply with Texas law, and
3) Allows for written notice to the last know address of the affected party with the intent of making notification easier.
To paraphrase, the law now reads: Persons dealing with personal information who conduct business in Texas shall disclose a breach as quickly as possible. If the affected individual is a resident of a state that requires notice of a breach, the notice may be provided under that state’s law or under Texas law.
While most state laws apply when its residents have been affected by a breach, Texas law applies to persons dealing with personal information who conduct business in Texas. This amendment highlights that jurisdictional distinction as well as the open discussion of when breach notification laws apply.
The minority view when considering what state laws apply is that complying with your own state breach notifications law, even with a multi-state breach, is adequate so long as you are not incorporated in other states. The basis of this line of thought appears to be the belief that attorney generals from another state won’t come after you.
The majority view is that when dealing with a multi-state breach, the laws of each state must be followed when you have residents of different states affected by the breach. The reason for this state-by-state compliance is that most breach laws are written like the Massachusetts law: “A person or agency that owns or licenses data that includes personal information about a resident of the commonwealth, shall provide notice, as soon as practicable and without unreasonable delay…” This law says nothing about doing business in Massachusetts.
In addition, states like Massachusetts are very particular about the form of notice required to their residents. Texas does not say what must be in the notice. So complying with Texas law does not mean you are complying with Massachusetts law.
The amendment is designed to make it easier for Texas entities to comply with Texas law by giving those entities the choice of notifying under Texas law or the law of residents of other states. But those Texas entities will still have to comply with the laws of other states if they lose information belonging to residents of other states if they want to be in compliance with the laws of those states. This is the important lesson that we are reminded of with the change to Texas law.
So in the end, Texas still has extraterritorial breach notification if you are a Texas entity. Notifications only need go the last known address under Texas law. And while Texas law says you may notify under Texas law regardless of residency, best practice will remain notifying under the law of the state where the affected party resides.