If you thought the 2011 expansion of the Texas security breach notification law was confusing, wait until you see the state's latest move. Texas has once again amended its statute, this time in an apparent attempt to address concerns raised with the law's scope. Unfortunately, Texas Senate Bill 1610, which Gov. Rick Perry signed on June 14, makes the law even broader than it was before -- and certainly no less confusing or problematic.
Some background: Before Sept. 1, 2012, when the last amendment took effect, the Texas breach law resembled those of all other states. Essentially, a person who conducted business in Texas was required to provide notice "to any resident of this state" (i.e., Texas) whose sensitive personal information was involved in a breach incident. The law imposed no obligation on companies if a breach also involved information relating to residents of other states. As a result, through August 2012, the Texas law was in harmony with other state breach laws, which are understood to apply only to information relating to residents of the respective state.
What changed in 2012? In a previous amendment to the Texas breach law, the Texas Legislature struck the critical phrase "to any resident of this state" from its notification requirement and replaced it with "to any individual." This amendment by itself would have extended application of the Texas law to all U.S. residents. Even though this notice provision was broadly drawn, the amended law included a limiting component: For any particular breach, notice to residents of states other than Texas was required under Texas law only when notice would not be required under the laws of those other states.
The amended Texas law was far from a model of clarity, but the intent seemed clear: to require notice to residents of at least some states other than Texas. In this regard, the law stood in stark contrast to typical state breach laws, which don't attempt to reach beyond state borders. For example, if a business experiences a security incident involving information relating to California and New York residents, the business must determine whether the California and New York laws require notice to their respective residents. What the Texas law appeared to say was that if, for example, the California law would not require notice of that breach, the Texas law would apply and notice would be required for affected California residents.
In fact, the Texas law could be read to apply to a breach involving residents of states other than Texas even if the breach did not occur in Texas and did not involve information regarding Texas residents at all.
Not surprisingly, this provision raised constitutional and other concerns. For example, would Texas seek to enforce its "nationwide" notification provision against a company for an incident occurring outside of Texas and involving information regarding residents of states other than Texas, simply because that company conducts business in Texas? Although such an enforcement action may have been unlikely, the amended law seemed inconsistent with the constitutional law principle referred to as the "dormant Commerce Clause" doctrine, which limits the ability of a state to apply its law to commerce that takes place outside of the state's borders. As a result, the Texas law appeared vulnerable to constitutional attack because it attempted to expressly regulate out-of-state conduct.
Texas lawmakers, however, evidently saw the problem differently. On June 14, 2013, Gov. Perry signed into law S.B. 1610 to once again amend the Texas law. S.B. 1610 leaves in place the requirement to notify "any individual" of a breach, regardless of the state of residence of that individual. But the amendment removed the component limiting notice to Texas residents and residents of other states that did not require notice of a particular breach. In its place, the Texas law now clarifies that if a breach involves information regarding a resident of a state other than Texas, and that state's law requires notice of the incident, a person conducting business in Texas may provide notice of the breach "under that state's law" or under the Texas law.
As a result, the Texas law not only retains its broad extraterritorial reach, it now appears to be attempting to pre-empt other state breach laws.
Say a person conducting business in Texas experiences a breach involving information regarding California residents. The Texas law would appear to apply to that incident, but the business may provide notice under the California law or the Texas law. The Texas senator who introduced S.B. 1610 explained that the bill's purpose was to remedy the "unintended consequences" of the previous amendments, which had created "substantive and unnecessary administrative burden[s]." That unintended consequence? Not the potential nationwide reach of the law, but the burden apparently imposed on Texas businesses to "be aware of the breach notification laws of every state and any potential changes to them."
In other words, the diagnosis was that the previous amendment was flawed because it required businesses to be aware of the laws of those states in which they do business.
Now, the fact that 50 U.S. states and jurisdictions (46 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands) have security breach laws can certainly complicate compliance for a nationwide breach incident. S.B. 1610 seems to try to solve this multijurisdictional challenge by telling Texas businesses that they don't have to worry about the laws of other states. Specifically, the bill was intended to eliminate the need "to monitor the [breach-related] legislative developments of other states." Even though a business that maintains information relating to individuals that reside in multiple states must be aware of potential legal obligations that those states may impose with respect to that information, the Texas Legislature does not have the authority under our federal system to pre-empt the security breach laws of other states.
So what are the practical implications?
The Texas law, even as amended, continues to raise troubling issues. Among the questions deserving consideration are:
-- How will your business interpret the application of the Texas "nationwide" notification provision to breach incidents? Will your business provide notice of a breach to residents of a state other than Texas, even though that state's law would not require notice?
-- For any given incident, will it be relevant that the breach occurred outside of Texas or that the incident did not involve information regarding Texas residents?
-- Will your business rely on the Texas law to take the position that it can provide notice of a breach to residents of states other than Texas under the Texas law and not under the laws of other states? And if so, what exactly would it mean to provide notice under the Texas law?
Apparently even legal compliance hurdles are bigger in Texas. While the answers to these questions are far from clear, IT and security teams tasked with handling breaches should consider discussing these issues with counsel.
Adam Fleisher, an associate at Morrison & Foerster focusing on privacy and regulatory issues, contributed to this column.