Contact Us for a Free Consultation (713) 229-0862

Useful Information

What duties do businesses have under Texas law when identifying information has been hacked or stolen?

Posted by Ed McClees | Feb 01, 2018

Identity theft is an umbrella term that can refer to many different crimes.  Anyone who uses or possesses another person's identifying information without that person's consent and with the intent to defraud or harm faces severe criminal and civil penalties. Often the source of the identifying information used by criminals is from computer hacking or "dirty" employees who steal the identifying information.  When this happens, Texas law requires the business to take certain steps to notify the people whose information was stolen.  Failure to do so can lead to stiff penalties.

 Texas Business and Commerce Code § 521.052 imposes a duty upon businesses to protect sensitive personal information.  Among other duties, businesses are required to destroy or arrange to destroy customer records that contain sensitive personal information.  Unfortunately, sometimes this information is stolen.

A business that owns or licenses computerized data that includes sensitive personal information is required to disclose any breach of system security to any individual whose sensitive personal information was, or is reasonably believed to have been acquired by an unauthorized person. Tex. Bus. & Comm. § 521.053(b).  This notice is required to be made "as quickly as possible..."  However, a business is allowed to delay notification if requested to do so by a law enforcement agency if that agency determines that notification will impede a criminal investigation.  Tex. Bus. & Comm. § 521.053(d).

A business that fails to comply with the requirements set out in the Texas Business and Commerce code may face a civil penalty of $2,000 to $50,000 for each violation.  Tex. Bus. & Comm. § 521.151.  In addition to this penalty, a business that fails to take reasonable action to comply with these requirements is liable to the state for a civil penalty of up to $100 for each individual to whom notification is due for each consecutive day that the person fails to take reasonable action to comply with these requirements.  Tex. Bus. & Comm. § 521.151(a-1).  Civil penalties under that section may not exceed $250,000.  Id.  A non-complying business may also face an injunction. Tex. Bus. & Comm. § 521.151(b).

When he was Chief of the Organized Crime Section of the Harris County District Attorney's Office, Ed McClees spent years prosecuting complex identity theft crimes involving thousands of victims.  In doing so, he worked along with many businesses including major hospitals, credit card companies, insurance companies, and other businesses where breaches occurred.  He now uses this experience to help guide businesses who have had identifying information stolen.  If your business suffered a breach of computer security or had records that contain identifying information stolen, call us to learn more about what we might be able to do to help.

About the Author

Ed McClees

Ed is a criminal trial lawyer who is Board Certified in Criminal Law by the Texas Board of Legal Specialization.  He is a former Harris County District Attorney where he served as chief of the Organized Crime Section, prosecuting cases involving complex organized criminal activities, including Fr...

Contact Us Today

If you have been charged with a crime or are concerned that you are being investigated for a crime, call us immediately. Please provide a personal email and a cell phone number so that we can immediately reach you. We will put our years of experience and proven results to work for you.