General

Is Texas the New Federal Government? Nationwide Breach Notification Law Signed by Governor Perry Suggests So

Published: Sep. 13, 2011

Updated: Oct. 05, 2020

Texas has never been known as a state that loves to regulate and its current governor has made a name for himself by being staunchly anti-regulation, but its recent Texas Security Breach Bill (HB 300), contains a sneaky provision that turns the Texas Attorney General into one of the nation’s most powerful privacy legislators.  HB 300 provides Attorney General Greg Abbott with the power to seek civil penalties against foreign corporations that fail to notify residents of other states of data breaches, as long as they have at least one customer in Texas.

HB 300 appears, at first glance, to be a relatively unobjectionable healthcare privacy bill.  But Section 14 of that Bill, if put to use, is a startling power grab by Texas and, frankly, an assault on other states’ rights not to pass legislation requiring breach notification.  The first part of HB 300’s Section 14 requires  “A person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information shall disclose any breach of system security, after discovering or receiving notification of the breach, to any individual whose sensitive personal information was, or is reasonably believed to have been, acquired by an unauthorized person…”  Section (b)(1), resolves any ambiguity about who qualifies as “any individual” by making it clear that Texas really means any individual any where:

“Notwithstanding Subsection (b) [breach notice requirements], the requirements of Subsection (b) apply only if the individual whose sensitive personal information was or is reasonably believed to have been acquired by an unauthorized person is a resident of this state or another state that does not require a person described by Subsection (b) to notify the individual of a breach of system security.  If the individual is a resident of a state that requires a person described by Subsection (b) to provide notice of a breach of system security, the notice of the breach of system security provided under that state’s law satisfies the requirements of Subsection (b).”

 In two sentences then, Texas imposes its will on any company that conducts business in Texas not only as to residents of Texas, but as to individuals anywhere in the United States.

Texas definitely appears to be acting against type by attempting to impose substantial civil penalties (up to $250,000 per breach) on companies whose conduct has no connection to Texas or effect on Texas residents.  As a result, civil procedure professors are sure to have a field day with the vexing questions this poses:  How does Texas have jurisdiction to enforce a Texas breach notification law against an out of state company with regard to a failure to notify non-Texas residents?  Particularly where the failure to notify non-Texas residents would not have any foreseeable consequences in Texas?  And why would Texas want to do so in the first place?

Tex. Penal Code Ann. § 1.04 (Vernon), would appear to provide some support if the penalties were criminal in nature, stating that “An offense based on an omission to perform a duty imposed on an actor by a statute of this state is committed inside this state regardless of the location of the actor at the time of the offense.”  But as far as we are aware, this has not been applied outside of the child support context, and doing so here would be novel because even in those cases the child support was due to a Texas resident.  See, e.g., Ex parte Boetscher, 812 S.W.2d 600, 603 (Tex. Crim. App. 1991); State v. Paiz, 817 S.W.2d 84, 85 (Tex. Crim. App. 1991).  Texas’s long arm statute itself, which would be applicable to a civil case, provides little guidance as to whether the Attorney General may civilly prosecute acts occurring outside of Texas, even if the defendant could be haled into court there.  Tex. Civ. Prac. & Rem. Code Ann. § 17.042 (Vernon) (governing suits related to business transactions or tort and providing that a nonresident corporation does business in Texas if it contracts with a Texas resident and either party is to perform the contract in whole or in part in the state, commits a tort in Texas, or recruits Texas residents for employment inside or outside of Texas).

If Texas takes action based on out of state conduct, the results could definitely be one for the civil procedure record books—and, surprisingly, it will be Texas seeking to expand the reach of government regulation.