Jake Sommer writes:
Texas has never been known as a state that loves to regulate and its current governor has made a name for himself by being staunchly anti-regulation, but its recent Texas Security Breach Bill (HB 300), contains a sneaky provision that turns the Texas Attorney General into one of the nation’s most powerful privacy legislators. HB 300 provides Attorney General Greg Abbott with the power to seek civil penalties against foreign corporations that fail to notify residents of other states of data breaches, as long as they have at least one customer in Texas.
Read more on Law Across the Wire and Into the Cloud.
Now all the residents of Texas need is recourse against their own state, because the state claims that since it cannot be sued for a data breach due to immunity, the state cannot provide its own citizens with state-funded credit protection monitoring in the event of a state agency data breach. Of course, as Jim Harper points out, the state could agreed to be sued, but isn’t this a bit absurd?
So if the Texas AG can seek civil penalties against companies doing business in Texas who don’t notify residents of another state of a data breach because that state doesn’t require notification, maybe some other state will pass a law stating that their state attorney general can seek civil penalties against other states’ agencies that fail to provide sufficient mitigation for breaches if any of those residents affected now reside in their state.
My head is spinning from the possibilities.