Data Breach Laws: Some States' Control Goes Far Beyond Their Borders

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

If you are a company in Alabama, Kentucky, New Mexico or South Dakota and you suffer a data breach in your state that affects residents of your state, you might be tempted to look up your state data breach law, see that your legislature had decided not to pass such a requirement and believe you have complied with the law. But if you "conduct business" in Texas, under a new Texas law, not only must you notify Texas residents (if any) that their data has been breached, but you have to notify residents in states that have no breach disclosure laws—or face the wrath of the Lone Star state.

This means that Texas law would apply to the relationship between a retailer in Tuscaloosa and a consumer in Birmingham, AL, a retailer in Louisville and a consumer on Lexington, KY, a retailer in Albuquerque and a consumer in Santa Fe, NM, or a retailer in Sioux Falls and a consumer in Rapid City, SD.

Starting Sept. 1, 2011, the Texas legislature amended Section 521.053 of the Business and Commerce Code, which previously required companies conducting business in Texas to, in the event of a security breach, provide notice of the breach "to any resident of this state" whose information had been or had believed to have been compromised. Fair 'nuff. But the amendment changed the "resident" requirement to "any individual."

So if a company conducts business in Texas (online, offline or whatever) such that Texas has some jurisdiction over the company, then it must disclose breaches that occur outside of Texas, have no effect on Texas and do not even involve Texas residents. Under a strict reading of this statute, if the computers at Nestlé in Vevey Switzerland are hacked and the hackers obtain personal information about residents of South Korea, Nestlé—which sells candy bars in Dallas—must notify the residents of Seoul under Texas law. It is the "conduct of business" within Texas that gives rise to the jurisdiction.

Sometimes legislatures pass laws that have unintended consequences. But there is every evidence that the folks in Austin intended to have their statute affect the privacy rights of consumers outside the state. The new law also says that if the state where the consumer resides requires data breach notification, then you can comply with Texas law by making the notification under the other state's law. So if there is a breach in California and you notify California residents under California law, under Texas law you are OK. Because there are no such laws in Alabama, Kentucky, New Mexico or South Dakota, you must make the notification under Texas law.

For a state that prides itself on small government and smaller regulation, this is quite a leap. Traditional "long arm" laws (as in, the long arm of the law can reach across borders) allow states to impose their own law to protect their own residents, to regulate companies' activities within their borders or to regulate corporations that are headquartered, domiciled or incorporated in their state. In short, the legislature may regulate by saying, "if you are a Texas company you must..." or "if your actions affect Texas residents you must..." or "while you are in Texas you must..." What the data breach law says is, "if you do other business in Texas, you must comply while out of the state." That's a huge stretch.

Compare this to the Massachusetts data security standards. These apply to any company that owns or licenses data about Massachusetts residents. So if you are in Santa Fe with information about a resident of Sudbury, you have to protect the data of the Sudbury resident under Massachusetts law. That comes under the "protect our residents" theory. The Texas law goes well beyond this, and could even be interpreted to apply internationally (persons are persons no matter where they are). For entities that do business in Texas and are not currently subject to data breach disclosure laws, watch out. The law has changed for you.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.