Jake Sommer writes:
Texas has never been known as a state that loves to regulate and its current governor has made a name for himself by being staunchly anti-regulation, but its recent Texas Security Breach Bill (HB 300), contains a sneaky provision that turns the Texas Attorney General into one of the nation’s most powerful privacy legislators. HB 300 provides Attorney General Greg Abbott with the power to seek civil penalties against foreign corporations that fail to notify residents of other states of data breaches, as long as they have at least one customer in Texas.
Read more on Law Across the Wire and Into the Cloud.
Now all the residents of Texas need is recourse against their own state, because the state claims that since it cannot be sued for a data breach due to immunity, the state cannot provide its own citizens with state-funded credit protection monitoring in the event of a state agency data breach. Of course, as Jim Harper points out, the state could agreed to be sued, but isn’t this a bit absurd?
So if the Texas AG can seek civil penalties against companies doing business in Texas who don’t notify residents of another state of a data breach because that state doesn’t require notification, maybe some other state will pass a law stating that their state attorney general can seek civil penalties against other states’ agencies that fail to provide sufficient mitigation for breaches if any of those residents affected now reside in their state.
My head is spinning from the possibilities.
“… the state could agreed to be sued, but isn’t this a bit absurd?”
Not so much. I once filed suit in federal court against the city where I live in. The city showed up in court, answered the charges and when it looked like they were going to lose, they sought a declaration of soverign immunity. The judge ruled that because they had not filed for immunity at the outset, they effectively agreed to be sued. Yes, they lost that suit.
If you hire less-than-competent-and-less-than-fully-experienced attorneys and you may find yourself agreeing to things you didn’t intend to.
I meant “isn’t it absurd” in the context of having to rely on the state to decide whether people have recourse against their own government if the state agency is a total cock-up on data security. The liability should attach to the collection of data – if you don’t protect it, you should be held accountable.