What is the Texas Data Breach Wall of Shame?

In 2009, the Department of Health and Human Services’ (HHS) Office for Civil Rights decided that tough HIPAA enforcement measures were required. So, OCR came up with what is known as the HIPAA “Wall of Shame” – a website listing breaches of unsecured protected health information affecting 500 or more individuals. Entities that suffer these large breaches must provide OCR with the name of their business, the state they operate in, how many individuals were affected by the breach, when the breach was reported, and the type of breach. OCR then takes this information and places it on the Wall, which is publicly accessible. Texas recently decided that shaming at the state level is important, too. A recent amendment to the Texas Identity Theft Enforcement and Protection Act requires the state attorney general to create a Texas Wall of Shame for entities reporting large data breaches. Details about the Texas data breach wall of shame are provided below.

What is the Texas Data Breach Wall of Shame and How Do I End Up on the List?


In early June of 2021, Texas Governor Greg Abbott signed into law HB 3746, which amends the state’s data breach notification law. That law, known as the Texas Identity Theft Enforcement and Protection Act (TITEPA), requires that businesses incurring a data breach notify the Texas Attorney General if the breach involves at least 250 residents of Texas.

Under Texas law, a “data breach” is a breach of “sensitive personal information.” Sensitive personal information includes (among other things) protected health information under HIPAA.


Before HB 3746 was signed into law, entities that sustained a breach affecting at least 250 Texas residents were required, within 60 days of the breach, to provide the Texas Attorney General with the following:

  • A detailed description of the nature and circumstances of the breach or the use of sensitive personal information acquired as a result of the breach; and
  • The number of Texas residents affected by the breach at the time of notification.

Businesses were also required to notify consumers who were affected by the breach, by providing a notice that contained:

  • The measures taken by the business regarding the breach; and
  • Any measures the business intended to take regarding the breach after providing the notice.

HB 3746 retains these requirements and adds new ones. Under HB 3746, Texas businesses that sustain breaches involving at least 250 residents must now also provide the Texas Attorney General (AG) with the number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication.

In addition, HB 3746 requires the AG to post, on its publicly accessible website, a listing of all notifications that businesses were already required to provide. In other words, as of September 1, 2021 (the effective date of the law), the AG’s website must contain a list of notifications of breaches affecting 250 or more individuals. Each notification can be publicly viewed.


The following details of each notification can also be publicly viewed:

  • The circumstances of the breach or the use of sensitive personal information acquired as a result of the breach;
  • The number of Texas residents affected by the breach at the time of notification;
  • The number of affected residents that have been sent a disclosure of the breach by mail or other direct method of communication at the time of notification;
  • The measures taken by the business regarding the breach;
  • Any measures the business intends to take regarding the breach after notification; and
  • Information regarding whether law enforcement is engaged in investigating the breach.

Texas Data Breach Wall of Shame: What Must the Attorney General Do?

Under the new Texas data breach law, the Texas AG must update the Wall of Shame with newly reported breaches of system security within 30 days of notification. Once a business is added to the Texas data breach wall of shame, the listing must remain on the site for an entire year. If the business has not notified the AG of any additional breaches during that one-year period, the business’s listing on the Texas data breach wall must be removed. A business may find itself making multiple appearances on the Wall: the new law requires the AG to post each breach of system security as an individual Wall “entry.” If a business suffers three data breaches, each involving 250 or more residents, within one year, the business will be shamed with three separate appearances on the list.

When Does the Shaming Begin?

The new Texas data breach law does not take effect until September 1, 2021. In the meantime, Texas businesses should review their Texas HB 300 policies and procedures, as well as their HIPAA privacy policies and procedures, by conducting a security risk analysis and performing risk management. Texas businesses should also make sure they have a legally sufficient and fully functioning incident management program. 
