ARTICLE
17 October 2024

Three Data Privacy Lessons Learned From The Marriott Data Breach

Gray Reed & McGraw LLP

Contributor

A full-service Texas law firm with offices in Dallas, Houston and Waco, Gray Reed provides legal services to companies ranging from start-up to Fortune 100 as well as high net worth individuals. For more information, visit www.grayreed.com.

Enforcement of data privacy laws across the US is in full force. Most recently, Marriott agreed to a $52 million settlement payment to 50 states, including $3.5 million to the State of Texas, following a data breach affecting 131 million guest records. The exposed data included contact information, gender and dates of birth, as well as a limited number of unencrypted passport numbers and unexpired payment card numbers.

In a press release announcing the Marriott settlement, Texas Attorney General Ken Paxton said "Texas law is clear that companies in possession of Texans' personal information have a duty to safeguard that data. Given the frequency of cyberattacks today, it is simply unreasonable for companies to lack a comprehensive risk-based data security program."

Texas's Data Privacy Law

The newest Texas law Paxton is referring to is the Texas Data Privacy and Security Act (TDPSA). The complexities of the TDPSA can make it difficult to reach and sustain compliance, especially as businesses continue to evolve, and the law has no revenue threshold that must be met before it applies. The best way to comply with Texas's new privacy law is first to understand what is expected of a business that relies on customers' personal data. Here are a few tips to help your business work towards, and maintain, TDPSA compliance:

  1. Conduct a TDPSA-readiness assessment to evaluate your existing privacy practices and current operating procedures and locate any compliance gaps. Doing so protects your customers' data and can save your business from a civil penalty of up to $7,500 per violation. As your business grows, failing to conduct regular privacy "health checks" can increase the organization's risk of a data breach. Beyond a penalty or costly fine, a breach can cause financial harm to the customers whose data was exposed and branding and reputational damage to the business.
  2. Establish a privacy program designed to identify privacy risks and regulatory compliance gaps, together with a plan to enhance privacy practices, mitigate risks, and remediate non-compliance. Document the organization's policies, standard operating procedures, and business processes. Doing so gives employees easy access to procedural expectations and gives management the ability to cross-reference internal practices against the TDPSA's requirements. Because privacy is not a "one-and-done" activity, assigning roles and responsibilities for governance and maintenance is imperative to the success of an ongoing program.
  3. Performing data protection assessments (and audits) is a leading practice and, under certain circumstances, a mandate of the TDPSA. In part two of our Compliance Countdown Blog Series, "Conducting Data Protection Assessments (DPAs)," we shared the scenarios in which a DPA is required. Specifically, a DPA is required if you engage in:
  • The processing of personal data for targeted advertising
  • The sale of personal data
  • The processing of personal data for purposes of profiling
  • The processing of any sensitive data
  • Any processing activities that may present a heightened risk of harm to consumers

A completed DPA must explain the organization's internal processing activities involving personal data and sensitive information, and how those activities could pose a risk to individuals. In particular, the DPA should also outline the steps the business will take to implement controls and mitigate the risk of harm to its customers and consumers.


To safeguard customer information, an organization should routinely manage, enhance, stress-test, and audit its privacy practices for compliance and risk management. To begin assessing how your current lines of business and internal functions comply with the TDPSA, contact Gray Reed Advisory Services. Our team of experienced consultants helps clients evaluate their privacy practices, risks, and compliance gaps, and develop or refine the operational processes needed to ensure adherence to legal requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
