Texas recently amended its data breach notification law, Tex. Bus. & Com. Code Ann. § 521.053, to clarify that if a data subject is a resident of a state other than Texas that has its own breach notification law, a company that does business in Texas can notify that data subject either pursuant to Texas law or pursuant to the law of the state of residence. In other words, according to Texas, Texas companies do not have to become familiar with the breach notification laws of other states. (Query whether those other states would agree.)
As we blogged about here, Texas previously amended its breach notification law in September 2012 to specifically require notification of data breaches to residents of states that had not enacted their own law requiring such notification. The amended law was confusing as to which law should apply when the state of residence did have a breach notification law.
The reporting obligations will still apply to persons that “conduct business” in Texas, although the law does not provide guidance on what it means to “conduct business” in Texas. As a result, in the event of a data breach, a company that does business in Texas could be required to timely notify individuals nationwide or face a fine of up to $250,000 for failing to do so.