What is "Sensitive Personal Information" Under HB 300?

Modified on Wed, 18 Sep at 11:01 AM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Texas HB 300, a revision to the Texas Medical Records Privacy Act that became effective in 2012, revised the Texas Business and Commerce Code (TBCC). The Texas Business and Commerce Code contains a law known as the Identity Theft Enforcement and Protection Act (ITEPA). ITEPA was passed in 2009, to protect Texas residents from identity theft, and from breaches of their sensitive personal information (SPI).

What is Sensitive Personal Information (SPI)?
SPI includes a Texas resident's first name or initial and last name in combination with any one or more of the following pieces of information:

a. Social Security number;
b. Driver's license number or government-issued identification number;
c. Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; or
d. Information that identifies an individual and relates to:
    i. The physical or mental health or condition of the individual;
   ii. The provision of health care to the individual; or
  iii. Payment for the provision of health care to an individual.


What Obligations Do ITEPA and HB 300 Impose?
When it was passed, ITEPA imposed an obligation on persons who conduct business in Texas and who own or license computerized data that includes sensitive personal information. These persons, under ITEPA as originally passed in 2009, must disclose any breach of system security, after discovering or receiving notification of the breach, to any Texas resident whose SPI was, or is reasonably believed to have been, acquired by an unauthorized person. ITEPA provided that the disclosure must generally be made as quickly as possible. In 2012, HB 300 amended this provision to change the phrase "Texas resident" to "individual," broadening the scope of ITEPA.

What are the Penalties for an ITEPA Violation?
When ITEPA was passed in 2009, the penalty for an ITEPA violation was liability to Texas for a civil penalty of at least $2,000 but no more than $50,000 for each violation. ITEPA provided that the Texas Attorney General could bring a lawsuit to recover this money. In 2012, HB 300 strengthened this provision of ITEPA, providing that, in addition to receiving this civil penalty, a person who fails to take reasonable action to comply with ITEPA is liable to Texas for a civil penalty of up to $100 for each individual to whom notification is due for each consecutive day that the person fails to comply with ITEPA. This amendment to ITEPA also provided that the total civil penalty a person could incur is capped at $250,000, for all individuals to whom notification is due after a single breach. The HB 300 amendment to ITEPA also provided that the Texas Attorney General may bring a lawsuit to recover all civil penalties for an ITEPA breach.

