Texas Bar Journal • December 2024

Cybersecurity and Data Privacy

Written by Shawn E. Tuma

A Watershed Moment in Texas Data Privacy Law— Texas OAG Enforcement
This year will be remembered as a watershed moment in Texas data privacy law. On July 1, 2024, Texas’ comprehensive data privacy law, the Texas Data Privacy and Security Act1 (TDPSA) went into effect, but that is not the reason.

The reason is the enforcement activity by the Texas Office of Attorney General (OAG). For many years, Texas has had statutory cybersecurity, data protection, and data breach notification requirements; however, they are only enforced by the OAG. There was limited enforcement activity from the OAG, which Texas organizations used to justify not prioritizing compliance with these requirements.

This has changed and the most important issue to address in this update concerns the activity of the OAG. The OAG began by building a team to focus on this area and launched a major data privacy and security initiative that was announced in June.2

The OAG’s enforcement activity quickly followed with an investigation into several car manufacturers’ collection and use of drivers’ data.3 In July, the OAG’s office announced that it reached a $1.4 billion settlement with Meta (formerly known as Facebook) over Meta’s alleged capturing and using Texas consumers’ personal biometric data without obtaining their informed consent. It was the largest privacy settlement ever obtained by an individual state’s attorney general.4

In September, the OAG announced a settlement with Pieces Technologies, a developer of generative artificial intelligence (Gen AI) products for analyzing patients’ healthcare data in real-time to summarize the patients’ condition. Pieces marketed the product as having a very low hallucination rate, but the OAG’s investigation found the marketing metrics were likely inaccurate and may have deceived hospitals about the product’s accuracy and safety. Misleading claims about the effectiveness of AI technologies are often called “AI washing,” which will be an area of focus for the OAG.

Unauthorized Access Case Developments
An allegation that a company hired to install a computer network also installed a backdoor and later sabotaged the network was sufficient to raise an unauthorized access claim under Texas’ Harmful Access by Computer Act (HACA)5 but not sufficient under the “without authorization” prong of the federal Computer Fraud and Abuse Act (CFAA)6 (though it may have been under the “exceeds authorized access” prong).7

An employee’s signing of a company policy acknowledging that communications and information sent, received, or accessed over the company network are property of the company and users have no rights to, ownership in, or expectation of privacy or confidentiality in such communications, raised a material question as to the employee’s consent for alleged HACA violation where the employer accessed the former employee’s Gmail and LinkedIn accounts that were still logged-in on a company laptop the employee returned.8

Employees who agreed to company policy concerning access to company information on a “need to know” basis and not for personal benefit and then, after accepting employment from a competitor and prior to resigning, used access to the employer’s Salesforce to change information to benefit the competitor, took data, and deleted data for competitive reasons was sufficient to state claims under the CFAA and HACA.9 Another court addressing somewhat similar allegations, however, has stated that a HACA claim based on the same factual allegations of a Texas Uniform Trade Secrets Act (TUTSA)10 claim is preempted by TUTSA.11

NOTES

1. Tex. Bus. & Comm. Code §§ 541.001-541.205.
2. Attorney General Ken Paxton Launches Data Privacy and Security Initiative to Protect Texans’ Sensitive Data from Illegal Exploitation by Tech, AI, and Other Companies, Ken Paxton Attorney General of Texas, June 4, 2024, https://www. texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-launches-data- privacy-and-security-initiative-protect-texans-sensitive.
3. Attorney General Ken Paxton Opens Investigation into Car Manufacturers’ Collection and Sale of Drivers’ Data, Ken Paxton Attorney General of Texas, June 6, 2024, https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken- paxton-opens-investigation-car-manufacturers-collection-and-sale-drivers-data.
4. Attorney General Ken Paxton Secures $1.4 Billion Settlement with Meta Over Its Unauthorized Capture of Personal Biometric Data, Ken Paxton Attorney General of Texas, July 30, 2024, https://www.texasattorneygeneral.gov/news/releases/attorney- general-ken-paxton-secures-14-billion-settlement-meta-over-its-unauthorized-capture.
5. Tex. Bus. & Comm. Code § 143.001, et seq.
6. 18 U.S.C. § 1030, et seq.
7. KEM Construction, Ltd. v. Colossal Contracting, LLC, 2024 WL 1747651 (W.D. Tex. (San Antonio) Apr. 23, 2024).
8. Providence Title Co. v. Truly Title, Inc., 2024 WL 3927637 (E.D. Tex. (Sherman) Aug. 22, 2024).
9. Broadleaf IT, LLC v. Walley, et al., 2024 WL 4329145 (S.D. Tex. (Houston) Aug. 17, 2024).
10. Tex. Civ. Prac. & Rem. Code § 134A.007(a).
11. Cigniti Technologies, Inc. v. Govinsadamy, et al., 2024 WL 4360144 (N.D. Tex. (Dallas) Sept. 30, 2024).


shawn tumaSHAWN E. TUMA is an attorney widely recognized in cybersecurity, data, and privacy law, areas in which he has practiced since the late 90s. He is the managing partner in the Collin County office of Spencer Fane and is co-chair of the firm’s Cyber, Data, Privacy & AI Practice Group.

We use cookies to analyze our traffic and enhance functionality. More Information agree