Identity theft is an umbrella term that can refer to many different crimes. Anyone who uses or possesses another person's identifying information without that person's consent and with the intent to defraud or harm faces severe criminal and civil penalties. Often the source of the identifying information used by criminals is from computer hacking or "dirty" employees who steal the identifying information. When this happens, Texas law requires the business to take certain steps to notify the people whose information was stolen. Failure to do so can lead to stiff penalties.
 Texas Business and Commerce Code § 521.052 imposes a duty upon businesses to protect sensitive personal information. Among other duties, businesses are required to destroy or arrange to destroy customer records that contain sensitive personal information. Unfortunately, sometimes this information is stolen.
A business that owns or licenses computerized data that includes sensitive personal information is required to disclose any breach of system security to any individual whose sensitive personal information was, or is reasonably believed to have been acquired by an unauthorized person. Tex. Bus. & Comm. § 521.053(b). This notice is required to be made "as quickly as possible..." However, a business is allowed to delay notification if requested to do so by a law enforcement agency if that agency determines that notification will impede a criminal investigation. Tex. Bus. & Comm. § 521.053(d).
A business that fails to comply with the requirements set out in the Texas Business and Commerce code may face a civil penalty of $2,000 to $50,000 for each violation. Tex. Bus. & Comm. § 521.151. In addition to this penalty, a business that fails to take reasonable action to comply with these requirements is liable to the state for a civil penalty of up to $100 for each individual to whom notification is due for each consecutive day that the person fails to take reasonable action to comply with these requirements. Tex. Bus. & Comm. § 521.151(a-1). Civil penalties under that section may not exceed $250,000. Id. A non-complying business may also face an injunction. Tex. Bus. & Comm. § 521.151(b).
When he was Chief of the Organized Crime Section of the Harris County District Attorney's Office, Ed McClees spent years prosecuting complex identity theft crimes involving thousands of victims. In doing so, he worked along with many businesses including major hospitals, credit card companies, insurance companies, and other businesses where breaches occurred. He now uses this experience to help guide businesses who have had identifying information stolen. If your business suffered a breach of computer security or had records that contain identifying information stolen, call us to learn more about what we might be able to do to help.