What You Need to Know About the Texas Consumer Privacy (TXCPA) and Texas Privacy Protection Acts (TXPPA)
In March the Texas House of Representatives introduced two new bills pertaining to consumer privacy and data protection: HB 4518, cited as the Texas Consumer Privacy Act (TXCPA), and HB 4390, cited as the Texas Privacy Protection Act (TXPPA). The two Texas data breach notification laws are similar, and both were designed to improve consumer privacy and data protection.
The bills follow the trend of similar laws recently ratified in California, Washington and Massachusetts. The following is what you need to know about both bills and how to prepare for the Texas data breach notification laws.
What is the Texas Consumer Privacy Act (TXCPA)?
Similar to California’s Consumer Privacy Act, also known as AB375, the Texas data breach notification laws will apply to companies that do business and collect consumer data in Texas and have a gross annual revenue in excess of $25 million. In addition, companies that buy, sell or receive the personal information of 50,000 or more Texas consumers, households or devices, and/or derive 50% or more of annual revenue from selling Texas consumers’ personally identifiable information (PII), must comply.
Like the California data breach notification law, the Texas Consumer Privacy Act empowers the state Attorney General to enforce the requirements as needed. Consumer rights that make up the legislation include:
- The right to request disclosure of the PII businesses are collecting, including the source of information, purpose of collecting and how it is being shared
- The right to have PII deleted with some business exceptions
- The right to know if PII has been sold, to whom it was sold, and to opt out of future sale of personal information
- The requirement of businesses to disclose the type and purpose of PII being collected prior to collection
If passed, the Texas Consumer Privacy Act goes into effect on September 1, 2020. Violations come with a minimum penalty of $2,500 per violation and rise to $7,500 for violations deemed intentional by the Texas Attorney General.
What Is the Texas Privacy Protection Act (TXPPA)?
The Texas Consumer Privacy Act gives consumers control over the collection and use of their personal information. The Privacy Protection Act seeks to govern the processing and retention of PII in an effort to further mitigate consumer risk.
The bills share some similarities. The types of businesses governed by both Texas data breach notification laws are the same, and both bills empower the Texas Attorney General to enforce the requirements as he or she sees fit. Both bills also require businesses to disclose how personal information is collected and used prior to personal information being collected.
Beyond the similarities the Texas Privacy Protection Act includes these unique requirements:
- Protection of data that is collected via the Internet, digital network, or end-user device
- Consent for processing PII from the individual at hand
- Development and implementation of data security and accountability to ensure compliance with all the requirements set forth by the bill
- Ceasing collection and processing of personal identifying information within 30 days after an individual closes his or her account, unless additional retention periods are required by law
If passed, the Texas Privacy Protection Act will take effect on September 1, 2019 and carry a penalty of $10,000 per violation with a maximum penalty of $1 million.
How to be prepared for the Texas data breach notification laws
Now is the time to prepare for this pair of Texas data breach notification laws. With the Privacy Protection Act likely to take effect later this year, you’ll need to focus first on updating your organization’s current data security and incident response plan, both to make sure you know what precautions and remediation actions to take and to meet the compliance requirements set forth by the bills.
It is also likely that you will need to make better use of, and get more effectiveness out of, your existing network and data security tools, such as firewalls, UEBA tools, or IDS. One of the main concerns with not only meeting, but also proving, compliance with industry regulations using existing security tools is the complexity of setting them up and managing them. Additionally, most security tools are still largely focused on the perimeter (traffic moving in and out of your network) and on endpoint protection.
Looking at the largest and most costly intrusions, such as Saks, Wendy’s or the city of Atlanta, these data breaches originated inside the network and once inside, the malicious actors were able to freely move about exfiltrating data or in other cases, locking out legitimate users.
Considering that 80% of internal network traffic goes unmonitored, as noted in a recent Forrester report, this creates a big blind spot. As a result, existing security tools are unable to perform effective or accurate threat detection or prevention.
Our ARIA Software-Defined Security (SDS) solution works with your existing security tools to help make them more effective by providing better, more relevant insights on network traffic. With the ARIA Packet Intelligence application, all data traffic associated with your critical assets is monitored as it moves through the network, including laterally moving (east-west) traffic. As directed, either programmatically or by security staff, either full packets or unsampled NetFlow metadata for specified traffic can be sent to the security tool of your choosing. Using these enhanced network insights, threat analytics tools can more easily identify and focus on the intrusions that matter.
In addition, for full data protection, ARIA KMS generates and manages encryption keys at rates of up to thousands per minute, enough to handle transactions at the data and application level. This means that data is protected not only while at rest, but also while it is used within applications or generated by them.
Our Myricom nVoy Series also pairs seamlessly with ARIA, can integrate with existing security tools like Cisco Firepower or FortiGate, and records specified traffic flows at the packet level. This data is used to conduct breach identification and notification, and to provide the reporting needed to prove compliance with regulations like these new Texas data breach notification laws. With full line-rate packet capture, zero packet loss and highly accurate timestamping, this technology provides the data needed for complete visibility into all conversations between devices, enabling complete analysis of any possible breach and its effect on critical data, such as PII or PHI.
With CSPi’s ARIA SDS solution, companies can achieve not only accelerated incident response and enhanced network security, but also enterprise-wide data protection. To learn more about how our solutions can help you meet compliance with the Texas data breach notification laws, visit www.ariacybersecurity.com.
Want to learn more about complying with new and emerging state regulations? Download our Data Privacy Regulations eBook today.
About ARIA Cybersecurity Solutions
ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.