Texas Wall of Shame: What The New Laws Mean to Your Organization
Since 2009, the Department of Health and Human Services has published breaches involving Protected Health Information on its infamous breach portal. This list comprises breach details and the names of every healthcare provider who has fallen victim to a breach affecting more than 500 individuals for consumer awareness.
The publication offers insights into the date of the breach, how many individuals were affected, the corrective measures taken, any imposed fines, and the categorical nature of the attack. This information lends accountability to the breach victims and helps individuals better understand the perils of sharing private data.
Texas State legislature recently sanctioned House Bill 3746, a statute centered around publishing data breach information on a state-run platform. Governor Greg Abbott penned the bill into law in June 2021, amending the previous data breach notification law. The law is referred to as TITEPA or the Texas Identity Theft and Enforcement Protection Act.
Like HHS’ breach portal, the state attorney general will post an incident notification on a public site, focusing on breaches affecting more than 250 Texas residents.
What Does the Texas Data Breach Notification Law Require?
Before signing the bill, the state enacted House Bill 300. This imposes stringent requirements for healthcare providers serving Texas than those provided by HIPAA. For example, the bill expands the scope of a covered entity, makes business associates more accountable, and imposed strict breach notification requirements.
House Bill 3746 amends state laws by providing additional requirements for breach notification. Apart from publishing breaches on a public website, which must stay for 12 months, the bill also imposes other notification requirements. These include:
- A detailed account of the incident circumstances or the use of personal information acquired due to the breach
- The number of people (texas residents) affected by the incident during the notification publication
- The number of residents who’ve been notified of the breach through any direct communication during the notification publication
- The countermeasures deployed by the organization regarding the incident
- Any measures the organization intends to implement after the notification publication
- Details on whether any law enforcement agency is investigating the incident
What’s The Role of the Attorney General?
The new data breach law requires the Texas Attorney General to keep the Wall of Shame updated with new system security breaches listings within 30 days. Once an organization appears on this public platform, the listing must stay for a year.
If a listed company doesn’t notify the AG of other incidents during the period, the organization’s listing must be removed from the Wall. The law also requires the AG to publish every system security breach as an individual Wall “entry.” But if an organization experiences three breaches, each affecting more than 250 residents in one year, it’ll be shamed with three distinct Wall of Shame appearances.
When Does the Shaming Commence?
This new data breach law will take effect on 1st September 2021. For-the-nonce, organizations in Texas should review their procedures and policies with regards to Texas HB 300 and HIPAA. One way of staying compliant is by ensuring you have a fully functioning and legally sufficient incident management program. What’s more, you must pay attention to several best practices.
Improving Your Breach Notification Practices
Industry leaders acknowledge the need to end the data stigma and collaborate in fixing the cybersecurity issue. The industry must go beyond skewering healthcare providers for missteps like data breaches.
Facilities should be held accountable, part with hefty negligence fines, and notify every user of incidents. But instead of finger-pointing, it’s time for organizations to work together and address the elephant in the room.
For most organizations in Texas, the new Wall of Shame laws poses several hurdles. Fortunately, you can address most of these challenges by implementing these tips:
- Staff training – Communicate and educate staff on security best practices and create written priorities and policies for everyone, even if some security measures don’t affect them. This way, all of them will understand their role in addressing the company’s privacy and security needs.
- Data mapping and segmentation – Map and align your digital assets with your overall information security strategy. Then, you’ll review your system networks and architecture to understand where to store your data, access requirements, its destination, and the use of different tech solutions to enforce the rules.
- Legal awareness – You must be legally aware of breach notification legislation and the threat landscape. Learn what a breach entails, the process, exceptions to breach notification laws, how to provide notice, and the right approach to communicate with affected individuals, authorities, and media outlets. This means you must be aware of specific federal, state, and local laws and apply these in your system and data security strategy.
- Link with public relations – For most security leaders, addressing breaches, handling the response, and notifying the relevant parties is routine. This requires them to work closely with their organization’s public relations departments to safeguard their reputation. Information security officers must create a communications strategy spanning from breach preparations to when an incident’s magnitude requires notifying relevant authorities.
- Collaborate with business units – These units leverage advanced levels of information, so business leaders must collaborate with crucial C-level executives in managing and securing information. What’s more, security leaders must partner with others to define an all-inclusive strategy to protect and secure the entire data lifecycle. Your information-centric security strategy must include key items like risk assessment, information access security, and regulatory and policy compliance.
Final Thoughts
The recent flood of successful data breaches has pushed the need for comprehensive breach notification processes and policies within organizations. These require information security leaders to understand the numerous potential obligations of losing control of the critical business data they create or process.
The Texas Wall of Shame is among the latest developments in the nation’s cybersecurity laws, offering additional requirements to the previous data breach laws. The new regulations define substantial implications of a data breach, so you must strive to be ahead of increasingly cunning threat actors. Fortunately, you don’t have to struggle to stay ahead of trends by yourself.
Corptek Solutions is here to relieve you from the burden. Choosing us as your trusted cybersecurity and compliance specialist means you can be sure that all your security needs are addressed and that you’ll always stay off the Wall of Shame. So reach out today.