New Privacy Law Could Affect Your Business

Gibson, Hotchkiss & Davenport

Identity theft is fast becoming a major problem in Texas.  According to the Federal Trade Commission, Texas ranked 4th out of the 50 states last year in the number of identity theft complaints, averaging 116.5 complaints per 100,000 citizens.  That figure jumped to 141.2 complaints per 100,000 citizens in the DFW metropolitan area, which was the 4th highest rate of all major cities.  That’s roughly 1 victim out of every 700 people.  Houston, San Antonio, and Austin were ranked 8th, 10th, and 20th respectively, with each having an identity theft rate higher than the national average.

In response to the high number of identity thefts in Texas, the Legislature recently adopted a law placing new privacy requirements on businesses.  If your business routinely collects Social Security or driver’s license numbers from its customers, you must formulate a privacy policy and furnish it to the customers first.  In an effort to encourage compliance, the law authorizes the Attorney General to seek a $500.00 fine for each month a business collects this information without a privacy policy in place.

The new statute requires that these privacy policies must detail the following:

     1.   How the customer’s personal information is collected
     2.   How and when such information will be used
     3.   What safeguards are in place to protect the information
     4.   Who has access to the information, and
     5.   How the information is destroyed when no longer needed.

Businesses that are required to have privacy policies under the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act (FERPA) or the Health Insurance Portability and Accountability Act (HIPAA) do not have to provide a duplicate policy as a result of this legislation.  Neither do businesses covered by rules adopted by the Commissioner of Insurance regarding the privacy of health or financial information.  Governmental bodies are also excluded, unless the entity is a municipally-owned utility.  Finally, individuals not normally in the business of making loans may forgo the privacy policy requirements when making a loan to another individual.

So how should a business owner proceed?  First, if you are collecting Social Security or driver’s license numbers, decide if you really need them.  Some business forms were created prior to identity theft becoming a problem, and their authors simply included blanks for these numbers as a routine matter.  If your business does not need this information, just don’t ask for it.  Second, if you determine that you must have the customer’s numbers, formulate and implement a privacy policy immediately.  In doing so, consider the five elements listed above.  Finally, make sure that you provide your privacy policy to your customers each and every time you ask for Social Security or driver’s license numbers.  Doing so will keep the Attorney General off of your back, but more importantly, it will show your customers that you care about their safety and security.

If you determine that your business needs a privacy policy, and you would like our assistance in putting one in place, please do not hesitate to contact either myself or Todd Davenport in our Wichita Falls office or Barbara Gibson in our Austin office.