In 1999, Rocky Dhir did the unthinkable: he became a lawyer. In 2021, he did the unforgivable:...
Published: February 1, 2024
Podcast: State Bar of Texas Podcast
Category: Legal Technology
The Texas legislature recently enacted the Texas Data Privacy and Security Act, which goes into effect on July 1, 2024. Lawyers have an urgent need to understand this new legislation and its coming impacts on their practice and clients. Rocky Dhir talks with Shawn Tuma, a widely recognized expert in cybersecurity and data privacy law, to help Texas attorneys understand the elements of this act and best practices in security for compliance with new regulations.
Shawn Tuma is a partner at Spencer Fane LLP in Cyber Risk Management, Cyber Incident Response, and Cyber Security, Hacking and Data Breach Litigation.
Rocky Dhir:
Welcome to the State Bar of Texas podcast, your monthly source for conversations and curated content to improve your law practice with your host Rocky Dhir.
Rocky Dhir:
Hello my friends and welcome to the State Bar of Texas podcast. It’s always a pleasure to have you here. I’m waxing nostalgic today because my guest also happens to be a longtime friend of mine. You might know of Shawn Tuma as a data privacy and cybersecurity lawyer at Spencer Fane in their Dallas and Plano offices. I know him as the guy who knew stuff before the rest of us did. And honestly, guys, Shawn, this is really annoying about you, but hey, let’s tell him anyway. So back in 2012 or 2013, around that time, Shawn had predicted that there would be this little excerpt of Dallas that would become one of the hottest growing cities in the United States. He predicted that companies would move there, major institutions would set up shop there, and that the entire epicenter of the metroplex would seismically shift northward. That little excerpt was called Frisco, Texas, and Shawn was right.
Shawn had also predicted that lawyers would need to focus on cybersecurity not only for their clients but for their own practices. He talked to firms moving their data to the cloud and having to take greater steps to secure that data from unwanted breaches. I dunno why I said that. Is there ever really a wanted breach? Anyway, so he was right yet again. We used to be taught to keep our data siloed on our laptops. I dunno if you guys remember that. And now here we are accessing these things called VPN tunnels and clouding up our practices. Well, the Texas legislature recently enacted the Texas Data Privacy and Security Act. This act goes into effect on July 1st, 2024. We need to figure out its impact on lawyers and their clients and what the heck this all even means. And I’m not smart enough to figure that out. So I figured who better to ask than Shawn? Now pay close attention to what Shawn says. If he’s wrong, I’d love to just rub his face in it. This would be the most fun I’ve had in years. So Shawn Tuma, welcome to the podcast. Or should I say welcome back? Good to have you, man.
Shawn Tuma:
Rocky, thank you so much for having me back on, man. It’s always a pleasure and I just want to tell you, yeah, sometimes, what do they say? Even a blind squirrel finds a nut sometimes or whatever. I’m not always right. This whole thing for me started back in 1998 when I thought Y2K was going to be my rocket ship to stardom and early retirement as I jumped on the bandwagon to be a Y2K legal expert. And we remember how that one went. But it’s important, and I bring that up to make a distinction. People often ask me, why were we able to fix Y2K and avoid most of that issue? Why can’t we just fix cybersecurity? Which dovetails into data privacy because we’re focused on protecting the privacy of personal information. And the reason is because Y2K was a problem, it was a code error that could be corrected. Cybersecurity is a human behavioral issue. It’s war. And we’re engaged every day in battles with adversaries that are fighting against us and against our networks. And so it’s not just a problem that can be fixed with code. But anyway, it’s great to be back. Thank you.
Rocky Dhir:
Plus our adversaries in this are much more comfortable than we are. They get to work from home and they’re probably in their parents’ basements doing this. So it’s a whole nother world, I guess, we’re dealing with.
Shawn Tuma:
It is, and that’s a good point you make because the adversaries cover the entire spectrum. At the top, you have your very best nation state, at least trained folks who are like the equivalent of our US military’s Navy SEALs or Delta Force or whatever else, who are the best of the best at this. And then they have created a system to now use the exponential reach of the script kiddies in the parents’ basements by this service, this ransomware-as-a-service and cyber-attack-as-a-service type thing, where they can use all these other folks to use their tool sets to go out and do harm. And so it’s just continuous battle. It’s very difficult.
Rocky Dhir:
So I assume now you’ve heard of this Texas Data Privacy and Security Act. If you haven’t, Shawn, we’ll give you a few minutes. You can read up on it and just read the act. We’ll just thumb through it and then.
Shawn Tuma:
Well, it’s 39 pages. So my thumbing through, I don’t thumb that quick.
Rocky Dhir:
So look, with this act that we’ve just enacted, do you know what brought it about? I mean, I thought there’d be a federal level law that kind of covers all this. It looks like there’s a few states, Texas being one of ’em, I guess we’re the 12th one to enact something like this. What’s the idea behind a state level data privacy act?
Shawn Tuma:
So what we’re seeing is federalism at its finest really. And I’m a huge proponent of federalism and I’m actually somewhat why I’m here in Texas, right? Someone who believes we would benefit from a comprehensive federal piece of legislation that covers all this. But I know from my personal time and visiting members of Congress a few years back, I don’t think that’s going to happen. I don’t think it’s a multitude of reasons, but there’s too many challenges to be addressed for federal legislation. Too many committees would have to cede power to one committee to do it. And I don’t think that’s going to happen. And so what we’re seeing is the sectoral approaches of healthcare or SEC coming out with their rules and FTC and these kind of piecemeal even on the federal level. And so what that’s done is left this field open for the states to say, well look, somebody has to do something here because we see what’s happening to companies.
But what happens when a company has its data breached and the data it’s holding is the data of other human beings that’s now violating their privacy or compromising the confidentiality of their information and exposing it. And so we need to do something to number one, control how companies collect and process that data and retain it and protect it. And what they must do whenever they don’t do a good job of that. And we need to let the people know what information is being collected about them, how it’s being used, whether it’s being sold, what the nature of that information is and all of that. And that’s what led to the states coming in with these laws and they really trailed on the GDPR back in 2018. And then we saw the California law come in after that, and then we saw some other states. And California kind of has one model. Virginia has a little different little more business friendly model, and that’s led to Texas.
Rocky Dhir:
I assume Texas is on the business friendly side, just yeah,
Shawn Tuma:
Texas is a little more business friendly. And really one of the big distinguishing features you see is in California you have a private right of action. In the Texas law, you don’t have a private right of action. The AG has to bring and enforce these things.
Rocky Dhir:
Just to clarify, when you said the GDPR that’s talking about the European Union, that’s the European version of data privacy. I remember that coming out. But for anyone that’s wondering what the acronyms are, that’s what we’re referring to. Now let’s maybe talk about some key definitions in this act. And as I understand it, there’s personal data and there’s biometric data. And so for the uninitiated, can you tell us what the distinction is? Is there a clear definition of those two terms?
Shawn Tuma:
So biometric data is going to be data of things like your face scans, your fingerprints, your voice, things that in essence are you. They’re like features about you that can’t be changed. So biometrics are things like an iris scan about us or that are part of our human body, things that we can’t just go and update and change and correct. And those have a higher level of sensitivity and protection and concern all over because once that gets compromised, then you never can really get it back.
Rocky Dhir:
You can’t claw it back. I guess personal data would then be things like social security numbers, addresses, maybe credit history, things of that nature.
Shawn Tuma:
Yeah, medical history, financial account information, date of birth. Those are some of the classic definitions that we see. And those are things that are sensitive. They are about you, they are yours, you being what we would call the data subject. But they could be, I mean, even a social security number can be changed. It’s very difficult, but it can be changed.
Rocky Dhir:
It’s not physically attached to you. It’s not part of your person. It’s not you.
Shawn Tuma:
Not you. A manifestation of you.
Rocky Dhir:
There you go. Okay, so now, which entities are covered by this act? And what I mean by that is obviously there’ll be some companies, certain types of companies, and then more broadly, does it also cover law firms?
Shawn Tuma:
So that’s really a great question because I know law firms are what we really need to talk about. And I say that because I’ve done way too much work this year representing law firms in cyber attacks, data breaches. But this law applies to businesses that either conduct business in Texas or generate products or services consumed by Texas residents, number one, and that either process or engage in the sale of personal data.
Rocky Dhir:
And what does process mean? So there’s this concept of processing.
Shawn Tuma:
So processing could be anything as simple as bringing it in and reviewing it and saving it into your system. Okay? Processing is a very broad, broad definition. So that’s really the catchall that every business at some level is processing.
Rocky Dhir:
Even law firms, I mean
Shawn Tuma:
Certainly law firms,
Rocky Dhir:
If there’s a deposition or something like that that you’re dealing with, you’ve got personal data.
Shawn Tuma:
And so where you’re really, that right there would definitely pull in law firms. Now here is the next layer to this applicability that probably benefits most law firms here in Texas.
Rocky Dhir:
Before we go there, Shawn, because this is a great place, the next level, we’re going to keep people on their seats while we take a quick ad break and we’re going to hear from one of our sponsors. And when we come back, you’re going to tell us the next level that could benefit law firms. So guys, stay tuned because we’ll be right back after this. Alright everybody, we are back with Shawn Tuma talking about the Texas Data Privacy and Security Act, and when we left off, he was going to tell us something next level that could actually benefit law firms in this act and how it applies. So Shawn, go for it. Tell us what you were going to tell us.
Shawn Tuma:
The next level here is kind of the third part of this applicability requirement, and that is it only applies to businesses that are not defined by the US Small Business Administration as a small business. Now that’s a very complicated definition once you get down into the SBA requirements, but generally speaking, that would be an independent business that has fewer than 500 employees. So this act applies typically to businesses that would have 500 employees or more. So most of our law firms here in Texas are going to be less than 500 employees. And if they fit within that SBA definition of a small business, then they’re going to, generally speaking, be excluded from this act. So small law firms, all but really your large, probably regional or national or international, law firms aren’t going to have as much concern about this, at least at this point.
Now understand Texas is one state’s law. There are all these other ones that are out there. There are more coming. So you could easily be pulled in by those. But here’s something I want to make a point of right now. This act is a big deal because it kind of jumps in line with the other states that have been doing it, and as business friendly of a state as Texas is, some folks were a little surprised to see us do anything in this personal privacy type realm. But part of the thinking was let’s get our version of the law out there on the books so we don’t maybe fall into the California model with the private right of action and that kind of stuff. But the most important thing I can tell Texas lawyers and Texas law firms is this law is about compliance on processing and selling personal data of consumers. The Texas Breach Notification law applies to every single one of you. So let’s not let our focus on complying with this data processing law distract us from the real issue, which is if a small one person, two person, five person Texas lawyer, Texas law firm has a compromise of personal information, a data breach, they fall under the definition of the Texas Breach Notification law and they then have to comply with that.
Rocky Dhir:
What would they have to do at that point? Because I guess there’d be a notification requirement to those who were affected.
Shawn Tuma:
Right? Yeah. So really, Rocky, it starts with understanding just how easy a data breach can be. You see all these emails where someone says, oh, I didn’t mean to send that. It was just spam that got sent from my account. That usually means someone got access to your email account, username, password, and then was able to send out something, whether from a bot or manually or whatnot. That means someone had access to your personal email account. That means whatever information you have in that email account, whether it’s personal credit cards, social security numbers, whether it’s sensitive client data, whether it’s trade secret data, whatever it is that is in your email box, your account has now potentially been compromised. We have numerous breaches that we’re handling right now from something as simple as an email account access. So imagine your email account, someone gets your username, password, signs in, maybe they send a fictitious invoice to someone to pay up.
See a lot of that, right? You now have the duty to go examine your email account and determine what personal data was in there, or if you’re a lawyer, what client data, what sensitive client data, what information that I’m holding as client confidences is in my email account. We now have to assemble that list of everyone potentially impacted, determine what data was impacted, and then notify them. If it’s your client, maybe it’s your client sending you data from others, which now implicates the others, but by way of your client. And so you have to go through and make that determination. Then you have to go through the breach notification process that you mentioned, which is notifying these individuals, if they’re all within Texas, within 60 days, and if you have 250 or more individuals in Texas impacted, notifying the Texas AG within 30 days of this determination, and then go through that whole process of dealing with the fallout from that. So that’s the real big concern that every Texas lawyer has to worry about.
Rocky Dhir:
I’ve seen these situations where I get an email, it’s almost like a ghost email. They didn’t actually go into Shawn Tuma’s email and send it from your server. They sent me an email that looks like it’s come from you. And if I am able to discern that this doesn’t sound like an email from Shawn, well written and cogent, and so I decide, hey, this can’t be Shawn. And so I examine it and I figure out, oh, this is another email address. They just made it look like it’s from Shawn Tuma. Is that a data breach as well?
Shawn Tuma:
Not necessarily, because as you said, they didn’t have access to it. They spoofed my email address.
Rocky Dhir:
That’s the word.
Shawn Tuma:
They spoofed. And look, I just got one of those texts 15 minutes before we started recording from a news personality. I know it’s not her, but somehow they knew she and I are connected. So for them to send you an email spoofing my email address trying to get you to respond, that’s an indication that one of our email accounts may be compromised. Maybe it’s mine, maybe it’s yours. Maybe it’s someone that you and I both emailed together with, maybe someone at the state bar, who knows. But somehow they had to know that you and I are connected. How did they know that? That’s an indication that it may be one of our accounts. And at that point we want to go, maybe we bring in a forensics firm to analyze our system. I can tell you if you’re using Office 365 and you don’t have multifactor authentication enabled, the odds are pretty good.
That’s the account. That’s where you start looking first because that’s where so many of ’em come from. But then you want to look and see, are there forwarding and deletion rules set up in anybody’s account that you didn’t know about? Because those are the kinds of things that threat actors do when they get in. So these are things, you mentioned someone having their data siloed on their own laptop. Ironically, that’s becoming more secure sometimes than having it in a cloud. You have it in only one place, right? You only have it in one place, and the only way they can get to it is if they get to that laptop. But if they get into your email account because your username and password got compromised and it’s connected to your OneDrive, that syncs with your laptop hard drive or whatnot, maybe now they’ve got all of it. So this is the kind of stuff that every Texas lawyer needs to be cognizant of.
Rocky Dhir:
We’re going to talk about maybe some preventative measures and maybe talk a little bit more about this act in the time that we have remaining. So let’s take another ad break. We’re going to hear from one of our sponsors, and then we’re going to talk a little bit about the nuts and bolts of what Texas lawyers need to do to reduce the odds of getting caught in a data breach. So we’ll be back with the expert himself, Shawn Tuma. And we are back, guys. This is an interesting conversation. I think the hard part for most lawyers is most of us are not technologists. When you tell us about cloud servers and data breaches and spoofed emails, our eyes just glaze over. We say, well, I’m just trying to practice law. So are there services out there that lawyers can use to try to help monitor their systems? And I mean, I know my own firm, we use a cloud provider, a cloud service provider, so everything’s on a secured platform. But aside from that, are there other things lawyers should be doing to try to protect themselves?
Shawn Tuma:
Yeah. Yeah. Rocky, and you make a great point about we lawyers just wanting to practice law. We also work with a lot of healthcare professionals, and doctors just want to practice medicine, but they still have to protect our patient data. And we as attorneys, our state bar a few years ago recognized this problem and said, look, part of being an ethical lawyer is not just knowing how to go rattle off the elements of a tort or breach of contract, but it’s also knowing how to protect your client data and knowing how to use technology in a competent manner. And we have in Texas a duty of technological competence as part of our ethics requirement. And so if we’re not competent in and of ourselves, and I’m not competent these days to manage a network or anything like that, we need to rely on experts who are to set up our networks, to set up our system, even if it’s a laptop or it’s an email service or whatnot, and not just try to wing this stuff anymore. So yes, there are services out there that do that. Obviously there are the big brand name IT service companies out there, but those are out of the price range. Yeah, they’re cost prohibitive for most small firms, but there are quite a few providers out there that can do a really good job and do it at a cost effective price.
Rocky Dhir:
What do you Google? What’s the Google term a lawyer should type in, without naming specific companies, but what should they type in when they’re trying to find the providers who can do this?
Shawn Tuma:
Unfortunately, I can’t send someone to Google because we just really don’t know. We need to ideally go off of personal recommendations. If anyone wants to shoot me an email privately and ask me, I can give you a few names of companies I know out there. But another thing, a little due diligence question that I find is very helpful for asking all vendors, but especially your IT services providers, your security providers, is do you have cyber insurance? And if so, how much insurance? And do you have errors and omissions coverage? That way if you screw up, I at least know there’s something there. Maybe not to help make me whole, but to help you get back up and running, which I’m going to need to help me get back up and running. So look for vendors that have at least a couple million dollars in coverage because that’ll tell you they’re a legit business. They’re serious.
Rocky Dhir:
To that end, if I’d throw in something, it’s that my firm has cyber insurance, we’ve got ourselves covered that way, and it’s not that expensive. It’s actually cheaper than people think. It sounds fancy, but there’s cyber insurance to be had out there that kind of protects you in case something goes wrong, so at least you can make your client whole. Because even though they may not have a private right of action under the act, plaintiff’s lawyers, if they have a client who’s come to them with something like this, are going to be creative and they’re going to figure out a way under fraud or negligence or some other theory. So the fact that there’s not a private right of action doesn’t mean that you can’t get sued on this.
Shawn Tuma:
That private right of action really isn’t as impactful as a lot of people think, for the reason you just mentioned: plaintiff’s lawyers will find a way. I mean, I see the lawsuits that get filed in Texas on data breach cases pop up, and there are many of them, and it doesn’t matter that there’s not a private right of action, they’re still pursuing them. And the state AG doesn’t need a violation of one of these comprehensive privacy laws to pursue a remedy against you. State AGs in other states are becoming much more aggressive. So to that point, having cyber insurance, number one, helps you recover. Number two, it helps you offset some of these costs of these investigations and litigation or whatnot. And one thing I do want to say though is we’re seeing a lot of law firms falling victim to these what we call business email compromise.
It’s where someone sends the fraudulent wire, here’s my wiring instruction, send it here, and then they just send the money in reliance on the email without picking up the phone and calling. Number one, you should never trust an email like that. You should always pick up the phone and call the human being, not the phone number in the email, because they’ll change that also, of course. And many of your cyber insurance policies now, before they will cover a loss like that, if the policy even covers it, so you’ve got to make sure it would even cover it, they now have requirements that say this is not a covered loss unless you can show you’ve picked up the phone and called, or you used some second factor means of verifying that it was authentic. So you may be excluded from coverage if you don’t take that step. So you’ve got to know what your policy says. But absolutely every lawyer and law firm should have cyber coverage.
Rocky Dhir:
One final question that would apply to law firms as well as non-law firms. We’ve talked about these other states. So far it’s like 11 others, and there are probably going to be others joining the fray of enacting their own versions. If there are all these other states, and if law firms increasingly are going to be doing business across state lines, who do you comply with and how do you comply with all of them? How do you keep track of all this? I mean, one act is hard enough. Now you’ve got 11 others and possibly more on the way.
Shawn Tuma:
Yeah, that’s a great question. And unless it’s a business that we know is truly only isolated to say Texas, then what we do is we pick the one that has the most onerous compliance requirements and we comply with that one. So usually it’s California.
Rocky Dhir:
California,
Shawn Tuma:
Yeah. Yeah. So I mean, if you’re in a business, if your company has the potential, or your law firm has the potential to be pulled within the requirements of the California law, that’s usually the one we’re going to look to first and then build in any nuances from there. Because you’re already in the compliance business, you’re going through all the hoops and the hurdles, you might as well set yourself up in a position to be most secure or most protected and alleviate as many questions and concerns as possible.
Rocky Dhir:
So just because people are moving here from California doesn’t mean they can get away from California. Remember that, Californians, the data privacy laws will follow you. Yeah.
Shawn Tuma:
That’s exactly right. And the same with the breach notification laws. So all states have their own breach notification requirements, and because these are consumer protection laws, the law follows the consumer. So if you have consumers, if you’re a Texas business, a Texas law firm, only practicing here in Texas, but you have clients, you’re a family,
Rocky Dhir:
They moved to California,
Shawn Tuma:
They moved to California or wherever else, and you have their data here. You may not be subject to the California data processing law, but you are subject then to that California breach notification law. And so wherever that individual resides, that’s the law that you have to comply with on the breach notification requirements. That adds a lot of complexity to breach notification, especially for small firms. I mean, imagine the data you have in the discovery, family firms, firms like that that do family law or estate planning or
Rocky Dhir:
Estate
Shawn Tuma:
Tax advice or criminal or whatnot, PI firms with medical records and all that stuff. Think about all that personal information you have, not just your client data, but personal data of others that you’ve got to then deal with. So what do you do? You protect the heck out of that information. Encrypt it if you can, silo it in walled-off areas of your network that folks can’t get to, protect it as much as you can.
Rocky Dhir:
And destroy it on a regular basis. Have a document retention policy, and then don’t keep that for longer than you have to, would probably be the other part of it.
Shawn Tuma:
Rocky, somewhere deep within your heart you’ve got an “I’m a data protection attorney” somewhere in there, because what you just said is quite possibly the most valuable piece of information out there. At the end of the day, we’re focused on protecting data, and if you don’t have that data, then you don’t have to worry about protecting it. So don’t collect what you don’t need, and when you don’t need it anymore, get rid of it.
Rocky Dhir:
Get rid of the evidence folks. Get rid of the evidence. I’m kidding. Don’t do that. Well, Shawn, we are at the end of our time, but I want to thank you for coming out. It’s always fun having you on the podcast.
Shawn Tuma:
It’s always a pleasure, Rocky, and I enjoy our conversations, and it’s always a pleasure to be able to help out with the state bar and be a part of it.
Rocky Dhir:
Absolutely. Well, again, folks, Shawn Tuma, reach out to him if you have any questions or if you want any tips on good vendors to reach out to. And of course, I want to thank you for tuning in, and I want to encourage you to stay safe and be well. If you like what you heard today, please rate and review us on Apple Podcasts, Google Podcasts, or your favorite podcast app. Until next time, remember, life’s a journey, folks. I’m Rocky Dhir, signing off for now.
Rocky Dhir:
If you’d like more information about today’s show, please visit legaltalknetwork.com. Go to texasbar.com/podcasts. Subscribe via Apple Podcasts and RSS. Find both the State Bar of Texas and Legal Talk Network on Twitter, Facebook, and LinkedIn, or download the free app from Legal Talk Network in Google Play and iTunes. The views expressed by the participants of this program are their own and do not represent the views of, nor are they endorsed by, the State Bar of Texas, Legal Talk Network, or their respective officers, directors, employees, agents, representatives, shareholders, or subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer.